Virus Database

Tibet.1422

Description Tibet.1422

It is a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of .COM files that are executed. While opening a file the virus compares the file name extension with the list:
TXT FBD PAM GOL PLH TAD COD SAP GRP

Then the virus appends to the end of such files the text message:
Free Tibet! Fucking Chinese!

The virus also contains the text strings:
Please do something for the freedom of Tibet which
is occupied by the fucking Chinese money harvesters!
txtTXTfbdFBDpamPAMgolGOLplhPLHtadTADcodCODsapSAPgrpGRP

Check other viruses! Be aware! Use Antiviral Software

PK.4096

Description PK.4096

It is a dangerous memory resident polymorphic and stealth parasitic virus. It writes itself to the end of COM and EXE files. The virus infects files that are copied to A: or B: floppy disks. While installing memory resident it also searches for files on C: drive and infects them. Depending on its random counter it also infects COM files with "Small.66.b" parasitic COM virus.
The virus uses several level of encryption. The first level is polymorphic, the second level uses anti-debugging tricks, the third level is on-the-fly encryption - main part of virus code is encrypted at any time. In case of need the virus decrypts its subroutines, calls them and then encrypts with new key. The virus also uses other anti-debugging tricks, some of them are incorrect. As a result the virus does not work on Pentium PC.
The virus is memory resident, but it does not leave its TSR copy in the system memory - it encrypts and saves its code to the reserved sectors on the hard drive (on the first track), copies 200 bytes of its INT 21h handler to DOS data area (at address 0054:0000), hooks INT 21h and returns control to host program. In case of need INT 21h handler reads complete virus code from hard drive to video memory, then decrypts and calls it. To hook INT 21h the virus patches the DOS kernel.
The virus intercepts several DOS functions: Execute, Read, Write, Seek, Create, Close, FindFirst/Next, Get File Date&Time. All these hooks except Execute and Create/Close are used by virus in its stealth routine. When the ADINF.EXE program is executed, the virus cancels it, then displays random letters followed with the message:
Divide overflow

When COM and EXE files are created on A: or B: drives, the virus stores file handles and infects these files on closing.
The virus contains the text strings:
JESUS CHRIST SUPERSTAR
(C)PK 10/94

Pkunk.1586

Description Pkunk.1586

It is a harmless nonmemory resident partly encrypted parasitic virus. It searches for COM and EXE files, then infects them. While infecting the virus uses one of four possible methods: infecting COM files to the file end or header, infecting EXE to the file end with two possible methods.
The infection method is selected by the virus depending on the system and software installed on the system. The virus looks for DOS*, WIN*, GAM*, QWE* directories on the C: drive, and depending on their presence selects the infection method.
The virus contains the text string:
[PKUNK v1.0] (c) Wet Milk

Home