Blava.787
Description Blava.787
Blava.787 is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are accessed. It contains the internal text string: BLAVA 3.0 by RGB
Check other viruses! Be aware! Use Antiviral Software
PM.733
Description PM.733
It is a harmless memory resident stealth parasitic virus. It hooks INT 21h and writes itself to the end of .COM files that are executed or closed. When an infected file is opened, the virus disinfects it. The virus contains the ID-strings: PM
PM_Wanderer.3684
Description PM_Wanderer.3684
This is a protected-mode resident parasitic polymorphic virus named after the text string in its code: WANDERER,(c) P. Demenuk
The virus infects COM and EXE files (except COMMAND.COM) that are executed or opened. While infecting a file, the virus writes itself to the beginning of COM files and to the middle of EXE files (between the EXE header and the EXE module). The original file code/data is saved to the end of the file.
When an infected file is executed, the virus copies itself to extended memory, switches the system to protected mode and hooks the INT 1 (tracing) and INT 9 (keyboard) interrupts. As a result, the virus is not visible to standard DOS anti-virus or memory browsing utilities. To hook the DOS calls Execute and FileOpen, the virus uses the i386 debug features: it sets one of the i386 debug breakpoints to the address of the INT 21h handler. As a result, when control is passed to the INT 21h handler, the i386 generates an INT 1 call and the virus takes control.
The virus looks for some specific code in DOS memory (some anti-virus?) and patches it. The virus does not install itself memory resident if there is no EMS memory available. When MS Windows is run, the virus turns off i386 debugging and restores it on the first keystroke (INT 9) after Windows has finished. The virus is not bug-free and in some cases it halted my test computer.