Virus Database


Volga Family

Description Volga Family

"Volga" is a family of several viruses that are variants of the most popular boot infector, the "Stoned" virus. They were discovered at Volgograd State University in Russia. The first version of these viruses is dated July 1991, the last version the end of April 1992. These viruses occupy one disk sector and one or two kilobytes of system memory, depending on the virus modification.
When loading from an infected hard or floppy drive, the "Volga" viruses (like the standard "Stoned") install themselves into high addresses of system memory, then check the hard disk Master Boot Record for the presence of the virus. If the MBR is not infected, the viruses infect it. The original contents of the MBR are encrypted and stored in one of the unused hard disk sectors. The encryption algorithms differ between modifications of the Volga viruses. Then the viruses hook INT 13h and infect floppy disk boot sectors. The original boot sectors are not stored: the virus overwrites their code.
These viruses use a new, dirty method that makes the hard drive inaccessible after the clean-up procedure. A special restoration program must be run to make the hard drive ready to work again.
How does this occur? The viruses hook INT 13h (physical disk access) and watch read and write operations. The virus uses the fact that the standard and long formats of reading and writing are equal.
When a sector is written with the standard function (AH=03h), the virus writes the sectors one at a time using the "write long sector" function. Writing is done one sector at a time because on reading and writing the virus passes the data through its own data area, and writing several sectors at once would need a large memory buffer. The size of that buffer is equal to the number of bytes per sector multiplied by the number of sectors being written.
On reading with the standard read function (AH=02h), these viruses replace that function with the "read long sectors" function (AH=0Ah). That "long" operation reads both standard sectors (written by the standard write function, AH=03h) and long sectors (written by the long function, AH=0Bh).
As a result, part of the hard disk sectors end up in long format: these are the sectors that have been rewritten. The other part of the sectors stays in standard format. That is, the map of hard drive sectors looks like a black-and-white chessboard: one or several standard sectors, then one or several long ones, then several standard ones again, etc.
While the virus is memory resident, all disk sectors are read as usual, but after the memory-resident part of the virus is disinfected, or after the virus is removed from the sector and the system is loaded from an uninfected disk, none of the long sectors are available. This happens because the standard INT 13h read function cannot read the long sectors. After loading from a CLEAN disk the hard drive is not accessible! But after loading from an INFECTED disk the hard drive stays ready to work.
A special procedure must be run to recover the damaged disk sectors. That program must read all the hard drive sectors in succession using the standard INT 13h read (AH=02h) for as long as the sectors are read normally. When the program finds a bad sector, it must read the sector with the long read INT 13h operation (AH=0Ah) and, if the read succeeds, rewrite the sector using the standard INT 13h write (AH=03h).
It takes a lot of time to recover all the sectors of a hard drive hit by the Volga virus: from several minutes to hours, depending on disk size and access speed.
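The recovery pass described above, as an added example that is not code from the original page. The disk is simulated in memory, and read_std, read_long and write_std are hypothetical stand-ins for INT 13h AH=02h, AH=0Ah and AH=03h; the example also counts sectors that neither read can recover, a case the description does not cover.

```c
#include <stdio.h>
#include <string.h>
#define SECTORS 8
#define SECTOR_SIZE 512
/* Simulated disk, constructed for this example (not real BIOS access). */
enum fmt { FMT_STD, FMT_LONG, FMT_BAD };
static struct { enum fmt fmt; unsigned char data[SECTOR_SIZE]; } disk[SECTORS];
/* Stand-in for INT 13h AH=02h: fails on long-format and damaged sectors. */
static int read_std(int n, unsigned char *buf) {
    if (disk[n].fmt != FMT_STD) return -1;
    memcpy(buf, disk[n].data, SECTOR_SIZE);
    return 0;
}
/* Stand-in for INT 13h AH=0Ah: reads standard and long sectors alike. */
static int read_long(int n, unsigned char *buf) {
    if (disk[n].fmt == FMT_BAD) return -1;
    memcpy(buf, disk[n].data, SECTOR_SIZE);
    return 0;
}
/* Stand-in for INT 13h AH=03h: stores the sector back in standard format. */
static void write_std(int n, const unsigned char *buf) {
    memcpy(disk[n].data, buf, SECTOR_SIZE);
    disk[n].fmt = FMT_STD;
}
/* Sample layout: sectors 2, 3 and 6 are long, sector 5 is physically bad. */
static void make_sample_disk(void) {
    for (int n = 0; n < SECTORS; n++) {
        disk[n].fmt = (n == 5) ? FMT_BAD : (n == 2 || n == 3 || n == 6) ? FMT_LONG : FMT_STD;
        memset(disk[n].data, n, SECTOR_SIZE);   /* each sector filled with its own number */
    }
}
/* One recovery pass: returns sectors converted, counts those still unreadable. */
static int recover(int *unreadable) {
    unsigned char buf[SECTOR_SIZE];
    int fixed = 0;
    *unreadable = 0;
    for (int n = 0; n < SECTORS; n++) {
        if (read_std(n, buf) == 0) continue;      /* standard read works: leave it */
        if (read_long(n, buf) == 0) { write_std(n, buf); fixed++; }
        else (*unreadable)++;                     /* fails both reads: a real defect */
    }
    return fixed;
}
int main(void) {
    int bad;
    make_sample_disk();
    int fixed = recover(&bad);
    printf("converted %d long sectors, %d unreadable\n", fixed, bad);
    return 0;
}
```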


MDS.331

Description MDS.331

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. It contains the text string:
MDS93

Mecdon.1470

Description Mecdon.1470

This is a relatively harmless non-memory resident encrypted parasitic virus. It searches for EXE files in the current drive subdirectory tree, then writes itself to the end of the file. On Tuesdays, the virus displays the following message:
+---- Virus Warning : ----+
| I HATE mans who CAN`T do |
| anyfing USEFUL MallCDON`T |
| LET to do it for OTHERS. |
+--------------------------+

    Copyright © 2005 Virus-Database.com