Virus Database

Win32.Evol.a

Description Win32.Evol.a

This is a family of parasitic polymorphic per-process memory resident Win32 viruses. When an infected file is executed, the viruses run an infection routine as a separate thread that searches and infects files in the background up to the moment the host program exits.
The viruses infect Win32 PE executable files with .EXE and .SCR extensions. First of all, they infect EXE and SCR files in the Windows directory and subdirectories. Then they scan all fixed drives on a local machine and infect files in there. Then they scan and infect remote drives, then they enumerate network resources (shared network drives) and infect them also. As a result, the viruses are able to infect most Win32 executable files on a local machine as well as spread themselves through the local network.
Before infection, the viruses check a file name and do not infect the following anti-virus programs: ALERT, AMON, AVP, F-PROT, NAV, SCAN.
While infecting, the virus gains a file entry routine address, moves a block of code from there to the end of the file and writes its code to the file's entry routine address. To release control to the host file, the virus reverses infection: reads host block of code from file end and puts it to the original file entry address.
The viruses use quite a complex polymorphic engine that in some cases rebuilds the virus code. In different infected files, there are different assembler instructions or other sets of instructions used to do the same operations. As a result, the virus is not encrypted, but it doesn't have enough long constant parts of code and the length of virus code is changed.

Check other viruses! Be aware! Use Antiviral Software

Chigi.2197

Description Chigi.2197

This is a relatively harmless memory resident stealth parasitic virus. It hooks INT 13h and 21h, and writes itself to the end of COM and EXE files that are accessed. The new handler INT 13h hooks read-sector functions. If a sector contains the following strings:
Adinf, Ìîñòîâîé
the virus erases this sector. The virus also contains the following text strings:
#"," *9.1ChigiVarez Lives SomeWhere in Net all
Dina v3.2

Chill.544

Description Chill.544

It's a dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM-files that are accessed. It formats hard drive sectors. It contains the internal text string:
[CHiLL TOUCH] You cannot touch these phantoms

Home