Voronezh Family
Description Voronezh Family
Voronezh.370 and 600

These are memory-resident, harmless parasitic viruses. "Voronezh.600" is partly encrypted (50 bytes, XOR DDh). They hook INT 21h and write themselves to the beginning of .COM files that are executed. "Voronezh.370" does not infect COMMAND.COM. While infecting a file, these viruses also encrypt a part of the original file code (XOR BBh). The viruses do not manifest themselves in any way and have no destructive functions. "Voronezh.600" contains the encrypted (XOR 1Ah) text:

Oleynikoz S.,1990

Voronezh.650

This is a harmless, memory-resident parasitic virus. It hooks INT 21h and infects COM files that are executed, in the same way as the "Voronezh.600" virus does. Upon being executed, the virus displays the following message with a probability of 1/60:

Video mode 80x25 not supported

The virus also contains the following text written in Russian:

16.01.91, v1.00, Химик и Слон (Chemist & Elephant)

Voronezh.1600

This is a dangerous, memory-resident virus. It hooks INT 21h and infects files that are executed or opened. COM files are infected in the same way as "Voronezh.600" infects them. EXE files are infected according to quite a complex algorithm. The virus overwrites five bytes at the file's entry point with a Jmp-Virus instruction (CALL FAR Loc_Virus) and does not modify the CS:IP fields in the EXE header. To fix up relocated addresses, the virus reads and patches the EXE relocation table and adds one more element to it.

The virus has some errors: it does not analyze more than 640 elements of the relocation table, and it does not support the case where a modified element of the relocation table points to the 5th byte of the entry (i.e., the word adjusted when the file is loaded lies on the border of the 5 bytes being modified). As a result, when such a file is run, the computer may hang.
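The Voronezh.1600 EXE pattern described above can be checked for statically. The following Python sketch is an added example, not part of the original description: it parses the MZ header and relocation table and flags an entry point that starts with CALL FAR (opcode 9Ah) whose segment word is covered by a relocation entry. It assumes the element the virus adds points at entry + 3, which follows from the 5-byte `9Ah off16 seg16` encoding; the function names and sample files are constructed for illustration.

```python
import struct

def entry_reloc_check(data: bytes):
    """Inspect a DOS MZ image: is the entry point a CALL FAR (opcode 9Ah)
    whose segment word is fixed up by a relocation entry?"""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None                                  # not an MZ executable
    n_reloc, hdr_paras = struct.unpack_from("<HH", data, 0x06)
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    reloc_tbl, = struct.unpack_from("<H", data, 0x18)
    entry = ((cs << 4) + ip) & 0xFFFFF               # address inside the load image
    entry_off = hdr_paras * 16 + entry               # the same byte in the file
    if entry_off + 5 > len(data) or reloc_tbl + 4 * n_reloc > len(data):
        return None                                  # truncated or malformed
    touching = []
    for i in range(n_reloc):
        off, seg = struct.unpack_from("<HH", data, reloc_tbl + 4 * i)
        delta = (((seg << 4) + off) & 0xFFFFF) - entry
        if -1 <= delta <= 4:                         # fixup word overlaps the 5 bytes
            touching.append(delta)
    far_call = data[entry_off] == 0x9A
    return {"far_call_at_entry": far_call,
            "reloc_deltas": touching,                # 4 = word straddles the border
            "reloc_count": n_reloc,
            "suspicious": far_call and 3 in touching}

def build_mz(code: bytes, reloc_off: int) -> bytes:
    """Constructed sample: 32-byte header, one relocation, CS:IP = 0000:0010."""
    hdr = struct.pack("<2s13H", b"MZ", 0, 1, 1, 2, 0, 0xFFFF, 0, 0x100, 0,
                      0x10, 0, 0x1C, 0)
    hdr += struct.pack("<HH", reloc_off, 0)          # the single relocation entry
    return hdr + b"\x90" * 0x10 + code + b"\xCD\x20"

# Constructed inputs: entry patched with CALL FAR 1000:0000 and a fixup on its
# segment word, versus an ordinary "MOV AX, seg" start with a fixup at entry + 1.
PATCHED = build_mz(b"\x9A\x00\x00\x00\x10", 0x13)
CLEAN = build_mz(b"\xB8\x00\x10\x8E\xD8", 0x11)

if __name__ == "__main__":
    for name, img in (("patched", PATCHED), ("clean", CLEAN)):
        print(name, entry_reloc_check(img))
```

A legitimate program can also begin with a relocated far call, so a hit is a reason to inspect the file, not a verdict.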
Reboot.715
Description Reboot.715
This is a dangerous, non-memory-resident parasitic virus. It searches for .COM files in the subdirectory tree, writes itself to the end of each file, and writes the Jmp-Virus commands (MOV AX,FFF0h; JMP Loc_Virus) to the beginning of the file. Depending on the system time, the virus reboots the computer.
RedArc.327
Description RedArc.327
These are dangerous, non-memory-resident, encrypted parasitic viruses. They search for COM files in the current directory, then write themselves to the end of the file. The viruses use anti-debugging and anti-detection tricks so complex that they may halt the computer; some of them may also corrupt files while infecting them. Depending on the system timer, the "RedArc.623,665" viruses manifest themselves with a video effect. The viruses contain the text strings:

"RedArc.390,415,600": RedArc // [TAVC]
"RedArc.623": -=* Red Arc *=-
"RedArc.1000": DemoFraud by RedArc // [TAVC] SGWW, DVC, FotD, SOS group, TAVC, CiD