Win32.Driller
Description Win32.Driller
This is a per-process memory resident parasitic high-polymorphic Win32 virus. The virus infects PE EXE files that have .EXE, .SCR, and .CPL filename extensions. When run, the virus infects these files in current Windows and Windows system directories. The virus also stays in the system memory as a component of the infected host program, gains access to KERNEL functions and intercepts 15 of them: file searching, opening, copying, moving functions, etc. When a PE EXE file is accessed by these functions, the virus infects it. As a result, the virus will infect all PE EXE programs that are accessed by the infected host program, and the virus will be active until the moment the host program exits.

While infecting a file, the virus encrypts its 8K code and stores it at the end of the file. Then the virus reads 8K of the victim file code, encrypts it and also saves it at the end of the file. That "cave" is then filled with virus polymorphic code that decrypts the main virus code and passes control there:

File infection

+-------------+        +--------------+
|Header       |        |Header        |
|-------------|        |--------------| <---- Program entry address
|Code section | ---+   |Polymorphic   |
|             |    |   |virus routine | ----+ Jump to main virus code
|             |    |   |--------------|     |
|             |    |   |              |     |
|-------------|    |   |--------------|     |
|Data section |    |   |Data section  |     |
|             |    |   |              |     |
|-------------|    |   |--------------|     |
|etc.         |    |   |etc.          |     |
+-------------+    |   +--------------+     |
                   |   |Encrypted     | <---+
                   |   |virus code    |
                   |   |--------------|
                   +-> |Encrypted     |
                       |host file code|
                       +--------------+

The virus' polymorphic engine contains bugs and, in some cases, the virus cannot decrypt its code, causing a standard Windows message about an error in the application.

On Fridays, and depending on the system date, the virus replaces StartPage for MS Internet Explorer and Netscape Navigator with a reference to the Web site:

http://www.thehungersite.com

The virus contains the "copyright" text:

[Virus TUAREG by The Mental Driller|29A] - This virus has been designed for carrying the TUAREG engine -
Stofi.998
Description Stofi.998
It is a dangerous memory resident partly encrypted parasitic virus. The virus hooks INT 21h and writes itself to the end of COM files that are executed or opened. It may corrupt the READ.ME files - the virus overwrites them with the message: *Fuck you St Stöfi - world's biggest lamer !!!*
The virus also contains the text string: comexeread.me
Stoned.a
Description Stoned.a
"Stoned" family. At midnight, this virus displays the following message: IT'S MID NIGH

Stoned.Military In November, this virus tries to format hard drive sectors.

Stoned.Million This virus does not save the original floppy Boot sector and types "Non-System disk" while booting from an infected floppy. It overwrites the OEM message of the floppy Boot sector with the string "1000000".

Stoned.Near.a,b These are stealth viruses. With the probability of 1/16 they will erase the MBR and display the text: Near Dark

Stoned.Nichols Sometimes this virus displays: [Nichols] by Apache

Stoned.Nov7 In October, this virus types a face symbol (01h ASCII) while booting, and on November 7, it erases the MBR.

Stoned.PC-AT This is an encrypted virus containing the non-encrypted text string: PC AT
= "heart" symbol

Stoned.Rostov While booting from an infected floppy disk, this virus has the probability of 1/32 of erasing eight sectors on the hard disk.

Stoned.Satria "Stoned" family. It displays a picture.

Stoned.Scale "Stoned" family. It saves the Boot sector of floppies and the MBR of the hard drive at the address 0/0/9 (track/cylinder/sector). Sometimes it plays a tune (scale).

Stoned.Scrlock These viruses disable writing to the hard drive if the ScrollLock key is pressed.

Stoned.Scroll It scrolls the screen if NumLock is pressed and ScrollLock is released.

Stoned.Sex.a,b These viruses infect disks while accessing them (INT 13h, AH=2,3). They save the original sectors (boot and MBR sectors) at the addresses 1/0/3 (head/track/sector) for a floppy disk and 0/0/8 (or 0/0/7 according to its version) for the hard disk. While loading from an infected floppy disk, the viruses, with the probability of 1/8, display the messages:
"Stoned.Sex.a": EXPORT OF SEX REVOLUTION ver. 1.1
"Stoned.Sex.b": EXPORT OF SEX REVOLUTION ver. 2.0

Stoned.Spook While infecting the hard drive, this virus writes 8 sectors to 1--9 sectors of the hard drive, and as a result, it can erase the system information. It contains the texts: Spook 1.0 LIM

Stoned.Swedish This virus displays the message "The Swedish Disaster".

Stoned.Torm While booting from an infected disk, this virus, with the probability of 1/8, displays: Repent for ye shall be tormentedall Tormentor B - RABID Int'nl Dev. Corp. '91

Stoned.TurboManiac On October 19, it displays: The Turbo Maniac was here..

Stoned.WXYC It infects boot sectors of the floppy disks and the first boot sector (not MBR) of the hard drive. It contains the strings: JAM WXYC WXYC rules this roost!
Sometimes it displays the latter string.

Stoned.YMP On the 1st of every month, it displays the message "HAVE A NICE DAY (c)YMP".

Stoned.Zappa On December 4, it erases the disk sectors and displays: Dedicated to ZAPPA...

Stoned.Zapped This virus erases the disk sectors and displays the message: ZAPPED YOU!