TSM.5536
Description TSM.5536
It is a harmless memory-resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of EXE files when they are executed or opened, or when their file attributes are accessed. The virus does not infect files that have digits or the characters 'V' or '-' in their names, nor the SCAN and TBAV anti-virus programs. It also does not infect files with names matching IC* and DR*.

The main feature of this virus is that it was written in C with in-line assembler routines and is polymorphic at the same time. Because of its C origin, the virus has the standard structure of files compiled by the Borland C compiler: the C startup code is followed by the virus code, the C library routines and the data segment.

+---------------+
|C startup code |
|- - - - - - - -|
|Main routine   | <- virus code
|- - - - - - - -|
|C libraries    |
|- - - - - - - -|
|Data segment   |
+---------------+
When an infected file is executed, the startup code gets the system parameters, allocates memory and fills the variables that can be used by the main program. The startup routine then passes control to the main (virus) routine. When the virus code takes control, it decrypts its code and the C libraries with a polymorphic decryption loop, allocates a block of memory, copies itself there (including the startup code, libraries and data segment), hooks INT 21h and returns control to DOS.

While infecting a file, the virus runs its polymorphic engine, encrypts the Main routine and the C libraries, writes the result to the end of the file and modifies the EXE header so that it receives control when the infected file is executed.

To return control to the host program, the virus uses quite a clever trick: it hooks the DOS Terminate function. When the virus finishes installing itself into memory and exits to DOS, the already installed memory-resident copy intercepts that call and redirects program flow to the host's entry point address.

This is not a standard polymorphic virus, because its Startup routine is not encrypted. It is not possible to detect the virus by using that fact, however: this or very similar startup code may be found in other, non-viral files that were compiled by the same C compiler, which may cause a lot of false alarms.

The virus contains the following text strings in its main code:

  Dis quick test virus was written by The Soul Manager on 5/9/97 (Yes, yes, I *ADMIT* I should find something to do with a Friday night). Greetz to Immortal Riot (from Australia). I am, I am, I am
It also contains the copyright string and error messages that the Borland C compiler puts into EXE files:

  Turbo C++ - Copyright 1990 Borland Intl.
  Divide error
  Abnormal program termination
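The infection method described above (the body is written to the end of the EXE and the header is modified so that the virus receives control) leaves the entry point close to the end of the load image. The following heuristic check is an added example, not code from the original page; the function names, the 8192-byte window and the zero-filled sample files are assumptions constructed for illustration.

```python
import struct

# MZ header fields e_magic .. e_cs (first 24 bytes of a DOS EXE).
MZ_FIELDS = "<2s11H"

def entry_layout(exe: bytes):
    """Return (bytes from entry point to end of load image, code size) or None."""
    if len(exe) < 24:
        return None
    (magic, cblp, cp, _crlc, cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, ip, cs) = struct.unpack_from(MZ_FIELDS, exe)
    if magic not in (b"MZ", b"ZM"):
        return None
    # Load image size: e_cp pages of 512 bytes, the last one holding e_cblp bytes.
    image_end = cp * 512 - ((512 - cblp) if cblp else 0)
    # CS:IP is relative to the load segment; wrap to 20 bits so that
    # "negative" relative segments resolve correctly.
    entry = cparhdr * 16 + ((cs * 16 + ip) & 0xFFFFF)
    if not cparhdr * 16 <= entry < image_end:
        return None  # malformed or unusual header, leave it to other checks
    return image_end - entry, image_end - cparhdr * 16

def looks_appended(exe: bytes, tail_window: int = 8192) -> bool:
    """Heuristic only: entry point inside the last tail_window bytes of a much
    larger image. Packers and some linkers produce the same layout, so a hit
    is a reason to look closer, not a detection."""
    layout = entry_layout(exe)
    if layout is None:
        return False
    dist, code_size = layout
    return dist <= tail_window and dist * 4 < code_size

def build_sample(code_len: int, entry_off: int) -> bytes:
    """Constructed sample: 32-byte MZ header plus a zero-filled body (no code)."""
    total = 32 + code_len
    hdr = struct.pack(MZ_FIELDS, b"MZ", total % 512, (total + 511) // 512,
                      0, 2, 0, 0xFFFF, 0, 0x100, 0,
                      entry_off & 0xF, entry_off >> 4)
    return hdr.ljust(32, b"\0") + bytes(code_len)

if __name__ == "__main__":
    # Constructed inputs: a 40000-byte host, then the same host with 5536
    # extra bytes (the number in the virus name) and the entry moved into them.
    for name, exe in [("host", build_sample(40000, 0)),
                      ("host+tail", build_sample(45536, 40000))]:
        print(name, entry_layout(exe), looks_appended(exe))
```

Because the startup code of this virus is ordinary Borland C startup code, a check like this can only flag the file layout; it says nothing about the code found at the entry point.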
SofiaTerminator.839
Description SofiaTerminator.839
These are parasitic viruses. When executed, they trace INT 13h and 21h, hook INT 21h and stay memory resident. They write themselves to the end of COM files that are accessed. They contain the text string:

  Sofia 1993 by TERMINATOR

"Sofia_Terminator.839" is a dangerous virus. Depending on the system timer, it formats several randomly selected disk sectors.

"Sofia_Terminator.887,889,1369" search the end of the file for a zero-filled area 887/889/1369 bytes long. If there is such an area, the virus overwrites it. In this case the file length does not grow.

"Sofia_Terminator.1369" also infects EXE files. Depending on the system time, it formats sectors of the hard drive.
Sojourn.1369
Description Sojourn.1369
It is a memory-resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It does not infect the anti-virus programs and utilities SCAN, CLEAN, F-PROT, GUARD, COMMAND and TB*. Depending on the system time, it appends the instruction "DOS=SINGLE" to the C:CONFIG.SYS file. The virus also contains the text strings:

  ^Have you ever been to Sweden?^
  CLEASCANF-PRGUARCHKDCOMMTB
  ^VIRAL SOJOURN (c)96 Evil Elk^