Virus Database


VCode Family

Description VCode Family

VCode.1633
This is a harmless memory-resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of EXE files that are accessed. While installing itself memory resident, the virus opens the CONFIG.SYS file, searches for the "SHELL" and "COMSPEC=" strings, and infects the command interpreter. When the Alt-Ctrl-Del keys are pressed, it scans the environment area and also infects the command interpreter. The virus contains the strings:
COMMAND.COM
SHELL
Program made in UV januar 93
CONFIG.SYS
COMSPEC=

VCode.1886,2540
These are dangerous non-memory-resident parasitic viruses. They search for .EXE files and write themselves to the end of each file. Depending on the current date, they erase disk sectors. They contain the text strings:
"VCode.1886": .93 all.........[[[ S C A N N E R ]]]
"VCode.2540": COMMAND.COM X:CONFIG.SYS

VCode.2246,2262
These are non-dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed. While installing themselves memory resident, they open the CONFIG.SYS file, search for the "SHELL" string, and infect the command interpreter. Depending on their internal counters, these viruses hook INT 8 (timer) and sometimes change the keyboard flags.


PM_Wanderer.3684

Description PM_Wanderer.3684

This is a protected-mode resident parasitic polymorphic virus named after the text string in its code:
WANDERER,(c) P. Demenuk

The virus infects COM and EXE files (except COMMAND.COM) that are executed or opened. While infecting a file the virus writes itself to the beginning of COM files and to the middle of EXE files (between EXE header and EXE module). The original file code/data is saved to the end of the file.
When an infected file is executed, the virus copies itself to extended memory, switches the system to protected mode, and hooks the INT 1 (tracing) and INT 9 (keyboard) interrupts. As a result, the virus is not visible to standard DOS anti-virus or memory-browsing utilities.
To hook the DOS calls Execute and FileOpen, the virus uses the i386 debug features. It sets one of the i386 debug breakpoints to the address of the INT 21h handler. As a result, when control is passed to the INT 21h handler, the i386 generates an INT 1 call and the virus takes control.
The virus looks for some specific code in DOS memory (some anti-virus?) and patches that code. The virus does not install itself memory resident if there is no EMS memory available. When MS Windows is run, the virus turns off i386 debugging and restores it on the first keystroke (INT 9) after Windows has finished. The virus is not bug-free, and in some cases it halted my test computer.

PMBS

Description PMBS

This is a dangerous memory-resident boot virus. On loading from an infected disk, it copies itself into extended memory, switches the PC into protected mode, and runs a virtual V86 machine. DOS and applications are then executed under that virtual PC. It hooks all interrupts (from 0 to FFh) and checks for critical situations. On a critical situation while reading a floppy, it infects the floppy (the MBR of the hard drive is infected on loading from an infected floppy). On other critical situations it displays one of the following messages and hangs the computer:
Unimplemented Interrupt:
Offending instructions:
General Protection Fault:
Offending instructions:
Offending CS:IP:

This virus also contains the internal string "PMBSVIRS". PMBS is a stealth virus. It checks port input/output (using protected-mode 386 features) and corrects the data that is output when the infected MBR is read.
This virus contains several errors, including an error of principle. The programmer's bug is in the infection of the floppy: the virus saves only part of itself to the floppy, not all of its code. The virus consists of two parts of code: the code that is executed in real mode (on loading and on infection; the virus then jumps to V86 mode), and the protected-mode code. The virus does not save the code that is executed in protected mode, so the second generation of the virus will hang.
The problem of principle is that the infected i386 is used as an i86 only. The virus cannot let the i386 be switched into protected mode again, so EMS386, QEMM386, MS-WINDOWS, etc. will not work. Moreover, the DOS command MEM will hang an infected PC, because this program also checks extended memory and the virus stops it.

    Copyright © 2005 Virus-Database.com