Virus Database


SpiceGirl Family

Description SpiceGirl Family

These are harmless memory-resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files (except COMMAND.COM) that are accessed. Starting with the 1619-byte version the viruses are encrypted. Starting with the 2123-byte version they are semi-stealth: on opening an infected file they create a temporary file, write a disinfected copy of the original file to it, and return the handle of the disinfected copy instead of the original file. On close, the viruses delete the temporary file.
The viruses use a new way to avoid detection: the infected files have no entry point (start code) inside the file body. The entry address in the EXE header points outside the file, so it is impossible to reach the virus code by parsing the EXE header. To realize this method the virus uses several PSP (Program Segment Prefix) and EXE header tricks.
The virus code is in EXE format, i.e. the virus as a program is an EXE program with an EXE header, relocation table and so on (as a result, infected COM files are internally of EXE format). The EXE header fields for the initial CS and IP are patched so that the entry address points not to file code but to PSP data, i.e. outside the file. At that address the PSP contains a RET FAR instruction (the one that follows the INT 21h call at offset 0050h). So the virus entry address points to the RET FAR, and control is then passed to the address held on the stack. To pass control to its real entry code, the virus sets the initial stack registers (SS and SP) in its EXE header to stack data that points to the real entry:
          +------------+  PSP                       Control flow
     0000 |CD 20       |
     .... |            |
     0050 |CD 21       |
     0052 |CB (RET FAR)|  <-- (1) entry address (CS:IP from the EXE header);
     .... |            |      DOS brings control here, outside the file
          |            |      (2) RET FAR pops the return address from SS:SP
     0100 +------------+  Virus code (file image)
          |            |
          |------------|
          |Stack       |  <-- (3) SS:SP from the EXE header points here;
          |            |      the stack data holds the real entry address
          |------------|
          |            |  <-- (4) real virus entry code
          |  . . .     |
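The following is an added example, not code from Virus-Database.com or from the virus itself. It parses an MZ header, reports when the header's CS:IP lands inside the PSP (where a scanner that follows the header finds nothing to scan), and, for the RET FAR case at PSP:0052h, follows the header's SS:SP and the relocation table to recover the real entry. The sample image is constructed inline to reproduce the layout described above; the PSP size of 10h paragraphs, the INT 21h/RETF stub at PSP:0050h and the standard MZ header field order are DOS conventions the example assumes, not facts taken from this page.

```python
"""Find the real entry point of an MZ image whose header CS:IP points
outside the load image, into the PSP's INT 21h / RETF stub at 0052h.

Added example, not code from Virus-Database.com or from the virus.  The
sample image is constructed below; the PSP size (10h paragraphs) and the
MZ header field order are DOS conventions this example assumes.
"""
import struct

PSP_PARAS = 0x10     # the PSP is 256 bytes, so load segment = PSP segment + 10h
PSP_RETF = 0x0052    # PSP:0050h holds INT 21h (CD 21), PSP:0052h holds RETF (CB)

# e_magic e_cblp e_cp e_crlc e_cparhdr e_minalloc e_maxalloc e_ss e_sp
# e_csum e_ip e_cs e_lfarlc e_ovno
MZ_HEADER = struct.Struct("<2sHHHHHHHHHHHHH")


def build_sample():
    """Constructed image using the trick: CS:IP -> PSP:0052h, SS:SP -> a far
    pointer inside the image whose segment word the relocation table fixes up."""
    image = bytearray(0x30)
    image[0x00:0x10] = b"\x90" * 0x10                      # filler before the stack
    struct.pack_into("<HH", image, 0x10, 0x0020, 0x0000)   # stack: IP=0020h, CS=0 (+load seg)
    image[0x20:0x24] = b"\xb4\x4c\xcd\x21"                 # real entry: mov ah,4Ch / int 21h
    reloc = struct.pack("<HH", 0x0012, 0x0000)             # relocate the CS word at image 0012h
    hdr_len = MZ_HEADER.size + len(reloc)                  # 32 bytes = 2 paragraphs
    total = hdr_len + len(image)
    header = MZ_HEADER.pack(
        b"MZ", total % 512, (total + 511) // 512, 1, hdr_len // 16,
        0, 0xFFFF,
        0x0000, 0x0010,          # SS:SP -> image offset 0010h
        0,
        PSP_RETF, 0xFFF0,        # IP=0052h, CS=-10h: load segment - 10h is the PSP segment
        MZ_HEADER.size, 0)
    return bytes(header + reloc + image)


def parse_header(data):
    if len(data) < MZ_HEADER.size or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ image")
    f = MZ_HEADER.unpack_from(data)
    return {"crlc": f[3], "cparhdr": f[4], "ss": f[7], "sp": f[8],
            "ip": f[10], "cs": f[11], "lfarlc": f[12]}


def psp_relative(seg, off):
    """Address of seg:off relative to the PSP start, after DOS adds the load
    segment (PSP + 10h) to a header segment value.  0100h is image offset 0."""
    return (((seg + PSP_PARAS) & 0xFFFF) << 4) + off


def relocated_words(data, hdr):
    """Image offsets of the words the loader adds the load segment to."""
    entries = (struct.unpack_from("<HH", data, hdr["lfarlc"] + 4 * i)
               for i in range(hdr["crlc"]))
    return {(seg << 4) + off for off, seg in entries}


def analyze(data):
    hdr = parse_header(data)
    hdr_bytes = hdr["cparhdr"] * 16
    entry_rel = psp_relative(hdr["cs"], hdr["ip"])
    result = {"entry_rel": entry_rel,
              "entry_in_psp": entry_rel < 0x100,       # nothing in the file to scan there
              "retf_trick": entry_rel == PSP_RETF,
              "stack_cs_relocated": None,
              "real_entry_file_offset": None}
    if result["retf_trick"]:
        # RETF at PSP:0052h pops IP, then CS, from the initial stack SS:SP.
        stack_rel = psp_relative(hdr["ss"], hdr["sp"])
        ip, cs = struct.unpack_from("<HH", data, hdr_bytes + stack_rel - 0x100)
        # The popped CS is only meaningful if the loader relocates it.
        result["stack_cs_relocated"] = (stack_rel - 0x100 + 2) in relocated_words(data, hdr)
        result["real_entry_file_offset"] = hdr_bytes + psp_relative(cs, ip) - 0x100
    elif not result["entry_in_psp"]:
        result["real_entry_file_offset"] = hdr_bytes + entry_rel - 0x100
    return result


if __name__ == "__main__":
    sample = build_sample()
    r = analyze(sample)
    print(r)
    off = r["real_entry_file_offset"]
    print("real entry bytes:", sample[off:off + 4].hex())
```

A scanner that only follows the header's CS:IP sees an address below 0100h and stops; the practical check is therefore to treat an entry inside the PSP as suspicious on its own, and to resolve the initial SS:SP (plus its relocation) to find where execution really continues. The same parser also flags the "EXE file but COM extension" case simply by being applied to a .COM file that carries an MZ header.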

The viruses contain the text strings:
What? 'Error: invalid program'? Me? Fprot, are you crazy? :)
And you, Avp, 'EXE file but COM extension'. What a deep scan. ;)
Spice_Girls virus causes problems to your scan engine eh? :)


JDC family

Description JDC family

These are non-memory-resident polymorphic parasitic viruses. They search for COM and EXE files in the current and parent directories, then for the COMMAND.COM file, and write themselves to the end of the file. When infecting files packed with PKLite, the viruses patch the PKLite entry code and write a "JMP Virus" instruction into the middle of the PKLite code.
The viruses use two levels of polymorphic encryption as well as anti-debugging tricks based on i386 features. Under a debugger they display the message:
This program requires 80386 or better.

The viruses also contain the text strings:
A JDC PRODUCTION
~~TEMP~~.TMP
If you want to contact us, call:
809-5100 and 809-5031

JDC.6891
It is a very dangerous virus. On Thursday the 13th it erases sectors of the hard drive and floppy disks. On April 1st it overwrites the MBR of the hard drive with a program that displays on loading:
VI(RUS)
Insert system disk in drive C: and
press enter or space.

The virus also contains text in Russian and in English:
This program is incompotible with PC-DOS
MCS 1994
=========================================
.xXXxQEE.D-VersionxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision: 005
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
-----------------------------------------
This is D-VERSION!!! (Pre-release)
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.DVersion"
===[ T·H·E E·N·D ]====================================
*.CoM *.eXe .. COMSPEC=
---[ QEE 1.42 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---

JDC.7616
It is not a dangerous virus. Depending on the system date and time the virus displays a picture containing the texts:
You have a VIRUS now
Press any key to continue
This program created special for ]/[ 2 /
Copr (c) 1997 JD

The virus also contains the text strings:
Sorry, there is a small error: this program
is incompotible with PC-DOS... :(
=========================================
.xXXxQEE.JV.Dr.WebxXXx...................
Designed for ---[ ]/[ Z / ]---(R)
Internal revision 004
-----------------------------------------
Copyright (c) 1997 John Darland Computing
QEE (c) 1996-97 JDC
=========================================
WiNDOWS '95 - ONLY FOR L·A·M·E·R·S
=========================================
[JDC] [JDC] [JDC] [JDC] [JDC] [JDC] [JDC]
=========================================
===[ Future ]==========================================
You will see in next version:
- 2 new encryptors:
- RCG (Random Code Generator) [10% done]
- TTT (The Time Tracer) [ 0% done]
- More cool Windows'95 halter [ 0% done]
Possibly:
- Int 21h tracing
===[ Messages ]========================================
To Antivirus creators:
"Please name this virus QEE.JV.DrWeb or QEE.JV.Anti95
or, in other case, QEE.AntiWin95. It is only first
virus from large family"
===[ Thanks ]==========================================
To: HR ( JDC ), VD (S&K, VI), DP (xxx), PP (xxx),
DZ ( P), ID ( P) and others...
===[ T·H·E E·N·D ]====================================
COMSPEC=C:COMMAND.COM
[ QEE 1.41 ]-[ Quantum Encryption Engine, Copyright (c) 1996-97 JDC ]---

Jeff.812

Description Jeff.812

It is a very dangerous non-memory-resident parasitic virus. It searches for .COM files and writes itself to the end of the file. On July 7th it displays:
JEFF is visiting your harddisk

and erases the FAT of the current disk.

    Copyright © 2005 Virus-Database.com