Uruguay Family
Description Uruguay Family
These are memory-resident polymorphic viruses that are not dangerous. They hook INT 21h and infect COM and EXE files (except COMMAND.COM) when the files are opened or executed. The viruses convert EXE files to COM format (see the "VACSINA" family) and write themselves to the end of the file or into its middle. The length of an infected file grows to a value divisible by 13h ("Uruguay.2379") or 17h (other "Uruguay" viruses); "Uruguay.4268" increases the file length by 4269 bytes.
The viruses trace INT 13h and INT 21h during installation. Some of the "Uruguay" viruses insert the 5 bytes of a JMP FAR VIRUS instruction into the DOS INT 21h handler and hook INT 2Ah.
"Uruguay.4268" also hooks INT 9 (keyboard). After the Alt-Ctrl-Del combination (warm reboot) it manipulates interrupt vectors and memory allocation so that it stays memory resident across the warm reboot: it traces the hardware interrupts 8, 9, 10h, 13h, 15h, 16h, 1Ah and 1Ch and sets them to their BIOS addresses, disables the HIMEM.SYS driver, decreases the DOS RAM size (the word at address 0000:0413), copies its own body into the area cut off this way, hooks INT 8 and INT 9, and then generates an INT 19h call (bootstrap loader). The loader reads and executes the DOS files; the virus monitors this (through its INT 8 hook) and sets INT 21h and INT 2Ah. So this virus stays resident after a warm reboot.
Manifestations: "Uruguay" viruses beep and display the messages:
"Uruguay.2313": I love ROXETTE !!! Virus 'Uruguay-#2' Programmed in Montevideo (URUGUAY) by F3161. 04/92. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.2379": The BEATLEMANIA is alive! THE BEATLES, for ever, the best. John, Paul, George and Ringo, ladies and gentlemen, here they are! PLEASE, PLEASE ME. WITH THE BEATLES. A HARD DAY'S NIGHT. BEATLES FOR SALE. HELP. RUBBER SOUL. REVOLVER. SGT.PEEPERS LONELY HEARTS CLUB BAND. THE BEATLES. YELLOW SUBMARINE. ABBEY ROAD. LET IT BE. MAGICAL MISTERY TOUR. Other LP and singles availableall Virus 'Uruguay-#1' Programmed in Montevideo (URUGUAY) by F3161. 03/92. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.2456": 'Uruguay-#3' Virus Programmed in Montevideo (URUGUAY) by F3161. 06/92. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.2623": 'Uruguay-#4' Virus Programmed in Montevideo (URUGUAY) by F3161. 07/92. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.4268": 'Uruguay-#5' Virus Programmed in Montevideo (URUGUAY) by F3161. 08/92. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.4879": 'Uruguay-#6' Virus Programmed in Montevideo (URUGUAY) by F3161. 11/92. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.4906": Uruguay-#9 Virus Programmed in Montevideo (URUGUAY). 12/93. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.6344": Uruguay-#7 installed (seg=9CF8) Uruguay-#7 Virus Programmed in Montevideo (URUGUAY). 02/93. This is a research virus - DO NOT DISTRIBUTE.
"Uruguay.6396": Uruguay-#10 Virus Programmed in Montevideo (URUGUAY). 05/94. This is a research virus - DO NOT DISTRIBUTE.
These viruses also contain the text "COMMAND.COM.EXE".
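The warm-reboot persistence described for "Uruguay.4268" leaves a checkable trace: the word at 0000:0413 drops below the installed conventional memory, and interrupt vectors point into the area that was cut off. The following added example (not part of the original description) audits a dump of low real-mode memory for that pattern; the function names, the dump layout and all sample values are constructed assumptions.

```python
import struct

BDA_BASE_MEM = 0x413    # word at 0000:0413: DOS RAM size in KB
CONV_END = 0xA0000      # linear end of conventional memory (640 KB)
# Vectors the description names as hooked: INT 8, 9, 13h, 21h, 2Ah.
WATCHED = (0x08, 0x09, 0x13, 0x21, 0x2A)

def read_vector(mem, n):
    """Return (segment, offset, linear address) of vector n from the IVT at 0000:0000."""
    off, seg = struct.unpack_from("<HH", mem, n * 4)
    return seg, off, (seg * 16 + off) & 0xFFFFF

def audit_low_memory(mem, expected_kb=640):
    """Audit a dump of at least the first 0x500 bytes of real-mode memory.

    expected_kb is an assumption about the machine; an extended BIOS data
    area can lower the word legitimately, so a missing kilobyte alone is weak
    evidence. A watched vector pointing into the gap is the stronger signal.
    """
    if len(mem) < 0x500:
        raise ValueError("need the IVT and BIOS data area (0x500 bytes)")
    (base_kb,) = struct.unpack_from("<H", mem, BDA_BASE_MEM)
    top = base_kb * 1024    # first byte DOS no longer manages
    hidden = []
    for n in WATCHED:
        seg, off, linear = read_vector(mem, n)
        if top <= linear < CONV_END:
            hidden.append((n, f"{seg:04X}:{off:04X}"))
    return {"base_kb": base_kb,
            "missing_kb": max(expected_kb - base_kb, 0),
            "hidden_vectors": hidden}

def build_sample(base_kb, vectors):
    """Construct a synthetic low-memory dump (test data, not a real capture)."""
    mem = bytearray(0x500)
    for n in range(256):    # every vector defaults to a BIOS address
        struct.pack_into("<HH", mem, n * 4, 0xFF53, 0xF000)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", mem, n * 4, off, seg)
    struct.pack_into("<H", mem, BDA_BASE_MEM, base_kb)
    return bytes(mem)

# Constructed samples: an unmodified machine, and one with 5 KB cut off the
# top of memory and INT 8 / INT 9 pointing into the cut area.
CLEAN = build_sample(640, {0x21: (0x0116, 0x109E)})
SUSPECT = build_sample(635, {0x08: (0x9EC0, 0x0100), 0x09: (0x9EC0, 0x0180),
                             0x21: (0x0116, 0x109E)})

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, audit_low_memory(dump))
```
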
Int13
Description Int13
It is a very dangerous memory-resident parasitic stealth virus. It hooks INT 13h and INT 21h and writes itself to the beginning of COM files that are accessed with the FindNext DOS function. The virus uses quite exotic methods of infection that might result in computer failure and loss of files.
While infecting, the virus moves 512 bytes from the beginning of the file to the file end, writes itself to the beginning of the file, and finishes the infection without increasing the file length. As a result, the original header of the file lies outside the file's body, but the file is not corrupted. To fix that problem the virus stores the physical (INT 13h) address of the sector that contains the original file header, and then, when that sector is read from the disk (INT 13h), the virus "shows" the sector with the uninfected file header instead of the real one. This is a stealth algorithm at the INT 13h level. So DOS loads infected files as uninfected ones when the system is infected with this virus.
To get the address of the original file header, the virus writes the header to the end of the file with an INT 21h call. DOS receives that call and translates it to INT 13h format; the virus then intercepts that INT 13h call and stores the values of the corresponding registers (i.e. the address of that sector). While writing to the file the virus also uses INT 13h calls, so it does not have to handle file attributes, the file time, or the write-protect error (INT 24h).
The virus contains the string: Int 13
Int5
Description Int5
This is a memory-resident parasitic virus that is not dangerous. It hooks INT 5 and INT 21h and writes itself to the beginning of COM files that are executed or opened. Periodically it prints the screen (INT 5).