TD.1536
Description TD.1536
It is a non-dangerous memory resident multipartite virus. It writes itself to the end of COM and EXE files, to the MBR of the hard drive and to the boot sector of floppy disks. The virus does not manifest itself by any sound or video effect. It is named after its ID text "TD", which is present in infected files, boot sectors and MBR sectors. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 21h and stays memory resident. It then affects files that are executed. The virus pays attention to the Windows self-checking signature ENUNS that is present at the end of Windows COM files and patches it. While installing itself memory resident, the virus also infects the C:\WINDOWS\WIN.COM file and deletes the C:\WINDOWS\SYSTEM\IOSUBSYS\HSFLOP.PDR file, if they exist. When loading from an infected disk, the virus hooks INT 13h and 1Ch, waits for the DOS loading process and then hooks INT 21h. Through its INT 13h hook the virus infects floppy disks; the INT 13h handler also has a stealth routine that is activated on access to already infected disks.
Nexiv_Der.3886
Description Nexiv_Der.3886
It is a very dangerous memory resident polymorphic multipartite virus. It infects disk boot sectors and COM files only. The virus code is polymorphic in files as well as in boot sectors. When an infected file is executed, the virus infects the first boot sector of the hard drive and returns to DOS. When loading from an infected sector, the virus hooks INT 13h, waits for the DOS loading procedure, hooks INT 21h and then infects COM files that are executed and the boot sectors of floppy disks that are accessed. When loading from an infected floppy disk, the virus also infects the first boot sector of the hard drive.
The virus uses a quite complex routine to infect COM files. It reads 20h bytes from the file header, checks that the file is in COM format, hooks INT 3h and INT 13h (a second INT 13h handler), and returns control to the original INT 21h code. While disk files are read through INT 13h, the virus compares the data that is read with these 20h bytes of the file header, and waits for the moment when DOS loads the file into system memory to execute it. Then the virus patches the first byte of the data buffer with the CCh code (call to INT 3), and continues INT 13h. As a result, when that file is loaded into system memory, the first command that is executed is a call to INT 3. The virus intercepts that call, restores the original byte that was patched with the CCh code, then hooks INT 1 (tracing) and traces the file. While tracing, the virus skips 256 or more instructions, then waits for a JMP or CALL instruction, and overwrites that JMP/CALL with JMP_to_virus code. Then the virus encrypts itself and saves itself to the end of the file. As a result, the virus writes the JMP_to_virus code into the middle of the file, and the header of the file is not modified. The virus checks different conditions while infecting files to prevent corruption, but it may still corrupt files while infecting them.
While infecting the hard drive, the virus destroys the C: drive system date if the hard drive contains 20 or fewer sectors per track. The virus does not manifest itself in any other way. It contains the text string: Nexiv_Der takes on your files
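A triage heuristic for the mid-file patch described above, as an added example that is not from the original page: a check of the COM header sees nothing, while a scan for near JMP/CALL instructions that land in the appended tail finds the patch. The 3886-byte tail length (taken from the name suffix), the E9/E8 rel16 encoding of the patched instruction, all function names and the constructed sample images are assumptions.

```python
import struct

COM_BASE = 0x100   # DOS loads a COM image at offset 100h of its segment
TAIL_LEN = 3886    # assumption: appended body length, taken from the name suffix

def header_jump_target(image):
    """File offset reached by a near JMP at byte 0, or None (classic appender check)."""
    if len(image) >= 3 and image[0] == 0xE9:
        return _target(image, 0)
    return None

def _target(image, off):
    """File offset a rel16 JMP/CALL at file offset `off` transfers to (IP wraps at 64K)."""
    rel = struct.unpack_from("<h", image, off + 1)[0]
    return ((COM_BASE + off + 3 + rel) & 0xFFFF) - COM_BASE

def jumps_into_tail(image, tail_len=TAIL_LEN, skip=0x20):
    """Byte-scan the host part for E9/E8 rel16 transfers that land in the file tail.

    This is a linear scan, not a disassembly, so hits are leads for manual
    review, not proof of infection.
    """
    tail_start = max(len(image) - tail_len, 0)
    hits = []
    for off in range(skip, min(tail_start, len(image) - 2)):
        if image[off] in (0xE9, 0xE8) and tail_start <= _target(image, off) < len(image):
            hits.append((off, _target(image, off)))
    return hits

def build_samples():
    """Constructed inputs: a NOP-filled host, and the same host with a mid-file
    JMP into a zero-filled tail (placeholder bytes, not virus code)."""
    host = bytearray(b"\x90" * 0x3FF + b"\xC3")
    clean = bytes(host)
    rel = 0x400 - (0x180 + 3)
    host[0x180:0x183] = b"\xE9" + struct.pack("<h", rel)
    patched = bytes(host) + b"\x00" * TAIL_LEN
    return clean, patched

if __name__ == "__main__":
    clean, patched = build_samples()
    print(header_jump_target(patched), jumps_into_tail(patched), jumps_into_tail(clean))
```

Legitimate programs can also jump to code near the end of the file, so a hit only marks an offset worth disassembling by hand.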
NextGen.2304
Description NextGen.2304
It is a harmless memory resident parasitic stealth virus. It hooks INT 21h and 2Fh, and writes itself to the end of EXE files that are accessed. It contains the text strings: The NextGen Stealth Virus IL USA, 6-93all(Revision)