Win32.Cerebrus.1482
Description Win32.Cerebrus.1482
This is a direct action (nonmemory resident) parasitic Windows infector. It infects files of any new executable format: the Windows formats NE (Windows 3.xx) and PE (Portable Executable), as well as LX (Linear Executable). It is able to replicate only under Windows32, because it has PE format itself and imports Windows32 functions.

When an infected file is executed, the virus takes control, searches for Windows .EXE files in the current directory and writes itself to the end of each file. While infecting, the virus does not modify the host PE header at all; the infection method relies only on the DOS stub header: the virus writes there a new file offset of the PE header (the offset of the virus PE header). As a result the infected file has three parts: the first part is the original DOS stub, the second part is the host PE data (not modified), the third part is virus code and.

The virus has a PE file structure: it contains a PE header, section headers, an import table, and code and data sections. The modified DOS stub in infected files points to the virus PE header instead of the original one. As a result, when Windows32 executes an infected file it reads and runs the virus code instead of the host code.

To return control to the host program the virus creates a copy of the infected file with the EVE extension, disinfects it (just restores the file offset of the PE header) and spawns it. The virus does not delete these "temporary" files, so after an infected program is executed they stay on disk in the same directory as the infected file.

The virus has a trigger routine that just beeps through the PC speaker when the virus takes control.

The virus contains text strings. The first one is the block of names that the virus imports from KERNEL32 and USER32:

ExitProcess Beep GetCommandLineA CreateProcessA CopyFileA CreateFileA SetFilePointer ReadFile WriteFile CloseHandle FindFirstFileA FindNextFileA FindClose GetFileSize WinExec

MURKRY/IkX CEREBRUS The three head guardian, is in your computer, fear no more *.EXE
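A detection sketch for the layout described above, added here and not part of the original description: it reads the PE header offset from the DOS stub (the 32-bit field at 0x3C) and reports any other plausible PE header that sits before the active one, which is what an unmodified host header looks like after the offset has been redirected. It covers PE hosts only (not NE or LX); the function names and both sample byte strings are constructed for the example.

```python
import struct

PE_SIG = b"PE\x00\x00"
MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}  # i386, x64, ARM, ARM64
OPT_MAGICS = {0x010B, 0x020B}                # PE32, PE32+

def plausible_pe_header(data, off):
    """True if a PE signature with a sane COFF/optional header starts at off."""
    if data[off:off + 4] != PE_SIG or off + 26 > len(data):
        return False
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, off + 4)
    (magic,) = struct.unpack_from("<H", data, off + 24)
    return machine in MACHINES and 0 < nsect <= 96 and opt_size > 0 and magic in OPT_MAGICS

def find_shadowed_headers(data):
    """Report PE headers located before the one the DOS stub points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None                          # not an MZ executable
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if not plausible_pe_header(data, e_lfanew):
        return None                          # active header is not PE
    hits, pos = [], data.find(PE_SIG, 0x40)
    while pos != -1 and pos < e_lfanew:
        if plausible_pe_header(data, pos):
            hits.append(pos)                 # intact header the loader never reads
        pos = data.find(PE_SIG, pos + 1)
    return {"active_header": e_lfanew, "shadowed_headers": hits,
            "suspicious": bool(hits)}

# --- constructed, inert sample layouts (headers only, no code) ---
def _stub(e_lfanew):
    return b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)   # 0x40 bytes

def _pe_header():
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    return PE_SIG + coff + struct.pack("<H", 0x010B) + bytes(0xDE)

CLEAN = _stub(0x40) + _pe_header() + bytes(512)
# DOS stub redirected to a second PE header appended after the host data
REDIRECTED = (_stub(0x40 + len(_pe_header()) + 512)
              + _pe_header() + bytes(512) + _pe_header() + bytes(256))

if __name__ == "__main__":
    print(find_shadowed_headers(CLEAN))
    print(find_shadowed_headers(REDIRECTED))
```

Files that merely embed other executables normally carry them after the active header, so a plausible PE header before it is the unusual condition worth triaging.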
Bishop.2855
Description Bishop.2855
These are dangerous nonmemory-resident overwriting polymorphic viruses. They search for .COM files and overwrite them. These viruses use several levels of decryption; some parts of the code and data are encrypted six or more times. They also use several anti-debugging tricks. They contain internal text strings and sometimes display some of them:

"Bishop.2855": STOP HERE! CULO We are waiting for.. A mutant BISHOP in this program 21-3-93, milan-PARMA : 0-1. *.COM -BISHOP-
"Bishop.4517": WHY DEBUGGER? PARMA CAMPIONE !!!!!!!! ANOTHER YEAR A mutant ROOK in this program *.COM - UAH UAH UAH! Non puoi fregare ROOK come fregasti BISHOP! - - ROOK - The ROOK virus !!! Understand? DECEMBER VERSION A variant of the DECEMBER VERSION

+---+-----------------------+---+
| R | n | b | q | k | b | n | R |
+---+---+---+---+---+---+---+---+
| p | p | p | p | p | p | p | p |
+---+---+---+---+---+---+---+---|
|   |   |   |   |   |   |   |   |
+---+---+---+---+---+---+---+---|
|   |   |   |   |   |   |   |   |
+---+---+---+---+---+---+---+---|
|   |   |   |   |   |   |   |   |
+---+---+---+---+---+---+---+---|
|   |   |   |   |   |   |   |   |
+---+---+---+---+---+---+---+---|
| p | p | p | p | p | p | p | p |
+---+---+---+---+---+---+---+---+
| R | n | b | q | k | b | n | R |
+---+-----------------------+---+
BitAddict.432
Description BitAddict.432
These are memory resident parasitic viruses. They hook INT 21h and write themselves to the end of the files that are executed.

BitAddict.432,477
These are dangerous viruses. They copy their TSR copies into the video memory and infect only COM files. The 100th generation of the virus erases the disk sectors and displays:

The Bit Addict says: "You have a good taste for hard disks, it was delicious !!!"

These viruses also contain the text:

BIT ADDICTMZ

BitAddict.512.a,b
These are dangerous viruses. "BitAddict.512.a" is an encrypted one. On execution they infect the COMMAND.COM file. On installation they copy themselves into the system buffers and infect COM files that are executed. "BitAddict.512.a" erases the disk sectors. It contains the text string:

Bit AddictCOMMAND.COM

The 100th generation of "BitAddict.512.b" erases the disk sectors and displays:

Bit Addict says: "You have a good taste for hard disks, it was delicious!"

BitAddict.979,1190,1459,1601
When executed, these viruses search for the "COMSPEC=" string and infect the file that is pointed to by that string; usually it is the COMMAND.COM file. On installation they copy themselves into the system buffers. Some of these viruses trace the INT 21h vector. Then these viruses infect COM and EXE files that are executed. "BitAddict.1459,1601" erase the disk sectors; the other viruses are harmless. They contain the text strings:

"BitAddict.979": COMSPEC=BIT ADDICT 2.00
"BitAddict.1190": COMSPEC=BIT ADDICT 2.10
"BitAddict.1459": COMSPEC= 12/19/91
"BitAddict.1601": COMSPEC=Bit Addict Version 3