Vinnitsa Family
Description Vinnitsa Family
These are dangerous memory-resident, encrypted, parasitic viruses. They trace and hook INT 21h, then write themselves to the end of COM and EXE files that are accessed. They corrupt .DBF files and, depending on their internal counters, erase disk sectors. They contain the text strings: Vinnitsa 1992 year Hacker all country, united!!!
RDA.Fighter
Description RDA.Fighter
These are dangerous memory-resident, polymorphic, parasitic viruses; "RDA.Fighter.7408" is also multipartite. They trace and hook INT 21h and write themselves to the end of COM and EXE files that are executed, opened or renamed. They also encrypt a randomly selected part of the host file. When an infected file is executed, "RDA.Fighter.7408" infects the MBR of the hard drive. On loading from an infected disk it hooks INT 8, and once DOS is loaded it hooks INT 21h.
"RDA.Fighter.7408" uses a highly polymorphic engine that generates a sequence of decryption loops (up to 16). The first decryption loop decrypts the virus body and the code of the other loops, then passes control to the second loop, and so on. The body of the virus is therefore encrypted several times, once per decryption loop.
These viruses use an error correction algorithm to prevent debugging and correction of the virus body. If the virus code is traced during the installation procedure, the viruses erase disk sectors.
The viruses contain the text strings:
"RDA.Fighter.5871": RandomDecodingAlgoritm 1.0 "Stealth Fighter PART I" devoted MSU!
"RDA.Fighter.5969": RandomDecodingAlgoritm 1.1 "Stealth Fighter PART I (1.1) for ALL."
"RDA.Fighter.7408": "RandomDecodingAlgoritm 2.0" "PhantomPolymorphicMultiLayerEngine 1.2" "Stealth Fighter 2.0 : New Aggression."
"RDA.Fighter.7408" displays the last string.
After installation the viruses restore the code of the host program using the data ("host data") that was saved on infection. While restoring the host program they decrypt the part of the host code that was encrypted on infection, restore the header of the COM file and pass control to the host program.
The most interesting feature of these viruses is that after the virus body has been decrypted, the host data is still encrypted, because it is encrypted twice on infection. The algorithm of this additional encryption is selected randomly: the virus selects a random number of instructions (up to 16) from 16 variants of encryption commands (XOR, SUB, ADD, ROL, ROR, NEG, etc.). There may be 65535 (FFFFh) variants of such an encryptor. On infection the virus encrypts the host data with that method, but does not save the corresponding decryption routine needed to restore it.
To decrypt the host data, the virus generates a decryption routine by randomly selecting from the same 16 encryption commands and tries to decrypt the host data with it. If the host data is not decrypted (the virus calculates and checks the CRC sum), the virus generates the next decryptor, decrypts the host data, calculates and compares the CRC, and so on until the host data appears in its original form. This may take some time even on fast computers.
Realize.498
Description Realize.498
It is a harmless nonmemory resident parasitic virus. It searches for .COM files and writes itself to the beginning of the file. The virus contains the text string: WHAT? I gotta die before you [realiZe] I was a nigga with open eyes.Dont you hear the guns you stupid, dumb,dicksuckin, bum politicians![realiZe] - THE LOST FREEDOM / SWEDEN