Virus Database


Spanska_II.4250

Description Spanska_II.4250

This is a non-dangerous, memory-resident, encrypted, semi-polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files as they are executed. When the virus installs itself memory resident, it also affects the C:\WINDOWS\WIN.COM file. The virus does not infect COMMAND.COM or several anti-virus scanners, which it identifies by the following string (two bytes per name: TBAV, VI*, AVP, NAV, and others):
TBVIAVNAVSFIF-FVIVDRSCGUCO

The virus also disables its semi-stealth routine (which decreases the reported length of infected files on FindFirst/Next DOS calls) when several compression utilities or BACKUP are run. The corresponding text string is as follows:
PKARRALHBA

The virus uses anti-debugging tricks in its decryption loops. The decryption loop is semi-polymorphic: it contains 15 blocks that are selected from more than 100 variants depending on the virus's random counter (12 variants for the 1st block, 10 variants for the 2nd block, etc.). The random counter is initialized from the current date. As a result, files infected on the same day receive the same decryption loop and are encrypted with the same algorithm; the virus moves to the next variant of the decryption loop only on the next day. The polymorphic engine is therefore able to produce only 366 different variants of the decryption loop.
When an infected file is executed, the virus may also run its video effect, depending on the system time (hours: up to 16, seconds: exactly 30). In this case the virus displays one of the following messages:
ELVIRA !
Black and White Girl
from Paris
You make me feel alive.
ELVIRA !
Pars. Reviens. Respire.
Puis repars.
J'aime ton mouvement.
ELVIRA !
Bruja con ojos verdes
Eres un grito de vida,
un canto de libertad.

The virus also contains the text:
(c) Spanska 97

Rikki family

Description Rikki family

These are non-dangerous, non-memory-resident parasitic viruses. They search for .COM files and write themselves to the end of each file. While infecting a file they temporarily rename it with a COx (x=FFh) extension. To rename the file the viruses do not call any DOS function; instead they use absolute disk read/write calls (INT 25h/26h): they read the directory entry, search for the file name, patch it and then write the directory sector back to disk.
The viruses display the following messages:
"Rikki.839":
Demo virus #1 by Rikki Cate 21/9/90
File infected:
Press key to continue

"Rikki.1787":
Demo virus #3 by Rikki Cate 21/9/90
File infected:
Press key to continue

"Rikki.1970":
Demo virus #2 by Rikki Cate 21/9/90
File infected:
Press key to continue
PC-cillin has been replaced by a demonstration virus. To activate the
virus, reboot the computer.
PC-cillin has been replaced by a demonstration virus.
This message could easily duplicate the PC-cillin start-up screen.
The virus is now resident in memory in place of PC-cillin. It
will emulate the PC-cillin display and command keys. It will also
infect any .COM programs which are accessed by interrupt 21 hex.
Press any key to continue.

Riluttanza.689

Description Riluttanza.689

This is a non-dangerous, non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of the file. It contains the text strings:
E-RILUTTANZA (C) '92 by GROG - Italy
>>11/92<<

During infection, if the first two bytes of the file are NOP, NOP instructions, the virus displays:
Sebbene suo marito andasse spesso in viaggio per affari,
ella odiava star sola.
"Ho risolto il nostro problema", disse egli.
"Ti ho comprato un San Bernardo. Si chiama Estrema Riluttanza."
"Adesso, quando vado via, sai che ti lascio con Estrema Riluttanza!"
Ella lo colpi' con un mestolo.

    Copyright © 2005 Virus-Database.com