Virus Database

Win32.Giri.4919

Description Win32.Giri.4919

This is a dangerous per-process memory resident Windows virus. It affects Windows executable files only (PE EXE). While infecting the virus increases size of last file section, writes its code to there and modifies "program entry point" address and other necessary fields in the PE header.
When an infected file is executed, the virus searches for EXE files in current and Windows directories, and infects them. The virus then hooks six Windows file access functions (file searching and opening), stays in Windows memory as a part of host file's code, and infects files that are accessed. The virus is able to hook the Windows functions only in case the host program uses them (imports them from Windows kernel). The "life-time" of resident virus copy depends on the host program run: when it is terminated, the resident virus code is terminated too.
Depending on its random counter the virus may disable one of its direct infection or installation routines, but in any case the virus will either search and infect files, or install its TSR copy, or both.
When an infected program is run, the virus checks system date and in three months the program was infected, it randomly runs one of its four effects.
Effect1: the virus creates the C:GIRIGAT.BMP file, writes a BMP image to there, and registers this file as Windows wallpaper.
Effect2: the virus randomly changes mouse cursor position. This procedure does not exit, and the application halts.
Effect3: the virus displays the "System Info" window where copyright texts are modified in following form (in case of Windows95 is installed):
Microsoft + Girigat.4937
Windows 95
Copyright (c) 1981-1995 Microsoft Corp.
(C) 1998-1999 Mister Sandman

Effect4: as well as in Effect2 the virus goes to dead loop in which it opens and closes the CD drive, that may cause hardware damage, if the virus will do that for long time (overnight).

Check other viruses! Be aware! Use Antiviral Software

Marine.5000

Description Marine.5000

This is a very dangerous memory resident encrypted stealth parasitic virus that hooks INT 21h and 25h, and writes itself to the beginning of COM and EXE files that are accessed. While infecting, the virus encrypts the original beginning of the file.
On June 5th and 21st, the virus disables the FindFirst DOS call while searching for files on floppy disks. As a result, DOS shows nothing on them. In June on Saturdays, the virus overwrites .PAS and .CPP files with the text:
There is nothing in the world that I ever wanted more than to never feel
breaking apart all my programs again.

In June the virus displays the text "BCE HA MOPE !!!" ("LET'S GO TO SEA !!!") and manifests itself as a video effect (displays images of the sea, sun, a beach and moving yacht). When this effect is run, the virus encrypts the disk sectors.
The virus also contains the text strings:
COMMAND.COM
.COM.EXE.PAS.CPP
I`m the Ghost V1.2. Check. Your move, Mr.AntiVirus ! My author`s
coordinates are:Sun system, Earth, Europe, Russiall 2B continued... The
more we know,the less we show.

Mario Family

Description Mario Family

These are memory resident parasitic viruses. They hook INT 18h, 21h and write themselves to the end of EXE files that are executed or opened.
"Mario.661" also infects the files that are renamed. This virus has the bugs, and may corrupt the files while infecting them. It contains the text string:
Mario Genius

"Mario.746" displays:
Joannie Tomczykall
Mario Genius
(c) 02.95.

Home