Virus Database


Tula96.1997

Description Tula96.1997

It is a very dangerous memory-resident parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM files that are executed or closed. When an infected file is read, the virus calls its stealth routine. When an infected file is written to, the virus disinfects it. Depending on the number of successfully infected files (starting from 55555), the virus formats the floppy disk. The virus contains an encrypted text string:
Tula -96

Check other viruses! Be aware! Use Antiviral Software

Lemena.3544

Description Lemena.3544

It is not a dangerous memory-resident parasitic polymorphic virus. It copies itself to the video memory at address BC00:0000, hooks INT 22h (Terminate call), returns control to the host program, waits for termination and hooks INT 21h. To hook INT 21h the virus patches the DOS kernel. The virus then writes itself to the end of COM and EXE files that are executed, opened or accessed by the Get/Set File Attributes DOS call.
To hide itself in system memory the virus uses a rather complex method. When any program is executed, the virus allocates a block of XMS memory, moves its code there, then copies its INT 22h handler into the DOS kernel (the virus looks for a cave there). The virus then releases INT 21h, hooks INT 22h, erases its TSR copy in the video memory and releases control. As a result, when any program (including an anti-virus) is active, there is no virus code in DOS memory. The main part of the virus code (encrypted) is placed in XMS memory, and the INT 22h handler is "waiting" for the Terminate call to restore the "status quo" (move the virus code from XMS to the video memory and re-hook INT 21h).
The virus also uses anti-debugging tricks as well as on-the-fly encryption: it decrypts its subroutines before calling them, and encrypts them again after they return.
The virus does not infect anti-virus programs (-V.EXE, ADINF, AIDSTEST, AVP, CPAV, and so on), which it recognizes by the following string (two letters per name):
-VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE

The virus deletes the anti-virus databases: ANTI-VIR.DAT, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, CHKLIST.TAV, CRC.SVS, FILES.VVL, FINGERP.VVF, IM.PRM, IVB.INI, IVB.NTZ, MSAV.CHK, SMARTCHK.CPS, AV.CRC, BOOT.CPS, BOOT.MS, BOOT.NTZ, BOOT.TAV, IV.INI, PART.NTZ.
Depending on its random counter, the virus displays the texts:
LEMENA'97
BOKEPH'97

The virus also contains the text strings:
TBDRVXXX
[LEMENA'97] by Bokeph from Batavia, Indonesia
[MENA]

Lemming.2029

Description Lemming.2029

These are not dangerous memory resident parasitic encrypted stealth viruses. They trace and hook INT 21h and write themselves to the end of COM and EXE files that are executed or closed. When an infected file is opened, these viruses disinfect it. These viruses check the file name and do not infect several anti-virus programs according to the string:
TBAVTBSCANNAVVSAFEFPROT

They search for ThunderByte anti-virus in memory and hack it. While executing some anti-virus programs these viruses hook INT 1Ch and check the flow of these programs.
They also contain the text strings:
TBDRV
You Will Never Trust Anti-Virus Software Again!!
COMcomEXEexe
Packed file is corrupt

and:
"Lemming.2144": ThunderByte-1994-Australia. ver 1.0
[HiTMaN]
"Lemming.2151,2160":
The Rise and Fall of ThunderByte-1994-Australia.
[LEMMING] ver .99ß

"Lemming.2247" contains the strings:
Choise virus ver 1.0 !!!!!!!!!!!!!!!!!!!!!!!!!!!
(c) Copyright 1996 by Gurre in Moscowall
DRWEBAVPAIDSTESTVSAFEFPROT
COMcomEXEexe

    Copyright © 2005 Virus-Database.com