Urphin.1621
Description Urphin.1621
It is a non-dangerous memory resident parasitic virus. It hooks INT 21h and INT 28h and writes itself to the end of COM and EXE files. EXE files are infected when they are executed. COM files are infected only on the FindNext ASCII DOS call and only on a floppy drive. The virus does not infect files matching: *AI?.*, *WEB?.*, *ES?.*, *RA?.*.

When the TPC.EXE file (the TurboPascal compiler) is executed, the virus also intercepts the opening of .PAS files (Pascal source files), searches these files for a "BEGIN" line (subroutine header) and writes its hexadecimal dump there, together with the necessary Pascal instructions. When the .PAS files are closed, the virus removes its hex dump from them. As a result, the virus code is present in the Pascal source files while they are being compiled, and the resulting executable files become virus droppers. The virus contains the text strings: BEGINbegin URPHIN ASM END;
Dementia.4207
Description Dementia.4207
Dementia.4207 is a non-dangerous, memory resident, encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or opened. The virus contains the internal text strings: !#TEMP#! REQUEST.IVA RECEIPT.IVA CALLFAST.COM *.* Dementia] Copyright 1993 Necrosoft enterprises - All rights reserved I am the man that walks alone And when I'm walking a dark road At night or strolling through the park When the light begins to change I sometimes feel a little strange A little anxious when it's dark
When any ZIP file is opened, the virus scans its contents for a REQUEST.IVA file. If the archive contains no such file, the virus creates the CALLFAST.COM file, writes a video-effect routine into it, infects CALLFAST.COM and appends it to the files stored in the ZIP archive. In this way the virus "infects" ZIP files: after "infection" they contain an infected copy of the virus.

If the archive does contain a REQUEST.IVA file, and that file is in a special format (ID-string 92h,14h,76h,17h, and one or more file search patterns), the virus creates a file called RECEIPT.IVA, searches for the files listed in REQUEST.IVA, copies them into RECEIPT.IVA, encrypts the result and stores it in the ZIP. The virus is thus able to "steal" files from the computer and save them into the ZIP that contains the special REQUEST.IVA file.

While processing ZIP files the virus does not call the PKZIP/PKUNZIP utilities. It parses the internal ZIP format itself, reads and writes the ZIP records and adds new ones. New data is written to the ZIP files without compression (ZIP method "stored").

The virus dropper (the CALLFAST.COM file) contains a routine that displays the following text on execution: DEMENTIA (512)PRI-VATE · 0 day wares · V-X 800 megs online · USR Dual 16.8k -- Psychotech <Image> -/-
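The archive traces described above can be checked for directly. The following is an added example, not part of the original description: a Python scanner that flags members named CALLFAST.COM or RECEIPT.IVA written with method "stored", and a REQUEST.IVA carrying the ID string. It assumes the ID string sits at the start of REQUEST.IVA (the description does not give its offset), and the sample archives are constructed with filler bytes.

```python
import io
import zipfile

# Names and ID bytes as given in the description above.
DROPPER, REQUEST, RECEIPT = "CALLFAST.COM", "REQUEST.IVA", "RECEIPT.IVA"
REQUEST_ID = bytes([0x92, 0x14, 0x76, 0x17])


def scan_zip(data: bytes) -> list[str]:
    """Return one finding per archive member that matches the described traces."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].upper()
            stored = info.compress_type == zipfile.ZIP_STORED
            if base in (DROPPER, RECEIPT) and stored:
                # The virus writes its members uncompressed (method "stored").
                findings.append(f"{base}: stored member")
            elif base == REQUEST:
                # Assumption: the ID string sits at the start of the file.
                with zf.open(info) as fh:
                    if fh.read(len(REQUEST_ID)) == REQUEST_ID:
                        findings.append(f"{base}: ID string present")
    return findings


def build_sample(marked: bool) -> bytes:
    """Constructed test archive; member contents are harmless filler bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.TXT", b"hello " * 50, compress_type=zipfile.ZIP_DEFLATED)
        if marked:
            zf.writestr("CALLFAST.COM", b"\x00" * 16, compress_type=zipfile.ZIP_STORED)
            zf.writestr("REQUEST.IVA", REQUEST_ID + b"*.DOC\r\n")
        else:
            # Same names, but deflated and without the ID string: no findings.
            zf.writestr("CALLFAST.COM", b"\x00" * 64, compress_type=zipfile.ZIP_DEFLATED)
            zf.writestr("REQUEST.IVA", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for marked in (True, False):
        print(marked, scan_zip(build_sample(marked)))
```

A name match alone is weak evidence, which is why the scanner also requires the "stored" method or the ID bytes before reporting a member.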
Demig.16354
Description Demig.16354
This is a harmless multipartite virus. It infects DOS, MS Windows and MS Office (Excel) files:

DOS: the virus infects COM, EXE and BAT files
Win32: PE EXE files and KERNEL32.DLL library
MS Office: creates Excel "virus dropper" file

The virus itself is a Win32 PE EXE program and is able to perform all its functions only when run under a Win32 environment. The other infected components are "virus droppers". That means the virus cannot spread directly from such an infected file, but uses a trick to drop its Win32 copy from it. When an infected DOS file is run, or an affected Excel sheet is opened, the attached virus routine creates the C:\DEMIURG.EXE file, extracts the Win32 virus code into it and spawns that file. The main virus routine then gets control.

The virus is memory resident under Win32. The affected KERNEL32.DLL hooks file access functions (file opening, copying, moving, accessing file attributes) and infects the COM, EXE and PE EXE files that are accessed. While infecting a file the virus writes itself to the end of the file. DOS COM, EXE and BAT files are converted to "droppers". Win32 PE files are infected with the main virus code, so the virus is able to spread directly from an infected PE file without creating additional files.

To infect the Win32 KERNEL32.DLL module the virus uses a trick. That file is permanently in use by Windows and is therefore locked for writing. The virus copies the file from the Windows system directory (where it is placed by default) to the Windows root directory and infects that copy, for example:

C:\WINDOWS\SYSTEM\KERNEL32.DLL - original file in system directory
C:\WINDOWS\KERNEL32.DLL - infected copy in Windows root directory

When Windows is restarted, it looks for the KERNEL32.DLL library first in the Windows root directory, then in the system directory, and so it loads the infected library instead of the original (clean) one.
To affect MS Excel the virus creates its complete image (in text format) in the C:\DEMIURG.SYS file, then gets MS Excel's location from the system registry and creates the DEMIURG.XLS file there. This XLS file contains a short macro subroutine that completes the job. On its next start MS Excel automatically accepts that file and activates the "Auto_Open" subroutine in it. That subroutine reads the complete virus code from the C:\DEMIURG.SYS file, converts it to the binary PE EXE file C:\DEMIURG.EXE and spawns it. The main virus code gets control as a result. While affecting MS Excel the virus also disables the VirusProtection Excel option.

The virus doesn't manifest itself in any way. It contains the "copyright" text string: [The Demiurg] - a Win32 virus by Black Jack written in Austria in the year 2000