Win32.Harrier
Description Win32.Harrier
When infecting a PE EXE file the virus parses the file's internal format, creates one more section at the end of the file and writes its encrypted body there. The virus section is followed by the virus' own Export table, which the virus uses to link its code with the Windows API functions it needs when an infected file is executed. Because the virus has its own Export table, it changes the pointer to the export directory in the PE header. The virus also pays special attention to the host file's original Export table: to preserve it, the virus moves the necessary data from it to the end of the file and appends it to its own Export table. As a result, when Windows loads an infected file it processes both the virus and the host Export tables. To link its section with the victim file's body the virus modifies the necessary fields in the PE header. The virus does this very accurately, and in most cases infected files load without errors, even under WinNT.

The virus detects already infected files by a stamp stored in the file's LastWrite date and time. This ID value is not constant and depends on the other fields of the file's date and time (the virus Rol/Ror/Xor-es five of them to calculate the ID).

Trigger routines

While installing itself memory resident the virus calls three of its trigger routines. The first checks the system environment and, depending on it, switches the virus into "debug mode". The second, depending on the seconds value of the system time, displays the MessageBox:

The last one, depending on the virus' random counter (which depends on the system date and time), drops in one case out of sixteen the OEMINFO.INI and OEMLOGO.BMP files into the Windows system directory. The OEMINFO.INI file contains the following text strings in two sections:

[General]
Manufacturer=TechnoRat
Model=Very large life zone for Harrier

[Support Information]
line1=Today the virus is not the virus,
line2=but the part of operating system. . .
line3=(C) by 95-th Harrier from DarkLand
line4=---
line5=The pretty LOGO picture was created
line6=by PolyGris and LionKing. Main idea
line7=and code of all versions was developed
line8=by me - TechnoRat
This BMP file and the "General" section are shown in the "System Properties" window when MyComputer/Properties is selected. The virus' "Support Information" is displayed when the corresponding button in the same "System Properties" window is pressed.

The virus "debug mode" is activated when the system environment contains a specific string (a "Variable=Value" pair, as set by the DOS "SET" command, for instance). This string is 19 characters long and is detected by the virus with a crude CRC loop. This CRC loop "compresses" the string to four bytes, so there are several million "readable" variants of the string that match. When debug mode is on, the virus displays the message box:

The virus then displays a MessageBox on each infection and asks for permission to infect the file, for example:

On "OK" the virus runs its infection routine; on "Cancel" the virus displays one more MessageBox and exits:

The virus also uses its USER32 and GDI32 hooks in its trigger routine: it changes the texts that are displayed, or outputs its own messages. When an infected application calls the WinHelpA function for the 16th time, the virus displays its own MessageBox instead of calling the Windows function: "95-th Harrier from DarkLand" God will help! ;-)
On any MessageBoxA call the virus checks the system time and, depending on it, replaces the original MessageBox text with one of six variants:

System malfunction!
VXDs rings overcrossed!
CPU mode thunking error!
CPU overclocked, cooler device emergency!
Help subsystem is damaged!
Attention! Bugs inside computer, use SoftIce.

On the other hooked calls the virus scans the text for four substrings and replaces them with its own versions:

MICROSOFT -> MIcrOSOFT
WINDOWS -> WINDOwS
BILL GATES -> Gill Bates
HARRIER -> Oh! Guys! Is it about me?
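An added example, not code from the original page or from the virus itself: a small PE header parser that flags the layout the infection method described above leaves behind, namely an export directory whose RVA resolves into the last section of the file. The section name ".virus", the section flag values and the two in-memory sample images are constructed here to exercise the check; they are assumptions, not values taken from real Harrier samples.

```python
"""Flag PE files whose export directory lives in the appended last section.

Added example; the sample images below are constructed in memory and are not
real infected files.  Python 3, standard library only.
"""
import struct

SECTION_HDR = "<8sIIIIIIHHI"                  # IMAGE_SECTION_HEADER layout
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR)  # 40 bytes


def parse_sections(data):
    """Return (export_rva, export_size, sections) for a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)   # data directory: PE32 vs PE32+
    exp_rva, exp_size = struct.unpack_from("<II", data, dd_off)  # entry 0 = export
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, opt + opt_size + i * SECTION_HDR_SIZE)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "vsize": f[1],
                         "va": f[2], "rawsize": f[3], "rawptr": f[4], "flags": f[9]})
    return exp_rva, exp_size, sections


def section_for_rva(sections, rva):
    """Find the section header whose virtual range covers rva (None if unmapped)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def export_table_check(data):
    """Heuristic: exports pointing into the section that is last both in memory and on disk."""
    exp_rva, _, sections = parse_sections(data)
    report = {"export_rva": exp_rva, "owner": None, "suspicious": False, "reason": ""}
    if exp_rva == 0:
        report["reason"] = "no export directory"
        return report
    owner = section_for_rva(sections, exp_rva)
    if owner is None:
        report.update(suspicious=True, reason="export directory RVA maps to no section")
        return report
    report["owner"] = owner["name"]
    last_in_memory = max(sections, key=lambda s: s["va"])
    last_on_disk = max(sections, key=lambda s: s["rawptr"])
    if len(sections) > 1 and owner is last_in_memory and owner is last_on_disk:
        report.update(suspicious=True,
                      reason="export directory lives in the last section %r" % owner["name"])
    return report


def build_pe(sections, export_rva, export_size):
    """Build a minimal PE32 image (headers plus zero-filled section bodies) for testing."""
    nsec, opt_size, file_align = len(sections), 224, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + nsec * SECTION_HDR_SIZE
    hdr_raw = (headers_len + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, export_rva, export_size)         # export directory
    hdrs, body, raw_ptr = b"", b"", hdr_raw
    for name, va, size, flags in sections:
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), size, va, size,
                            raw_ptr, 0, 0, 0, 0, flags)
        raw_ptr += size
        body += b"\0" * size
    img = dos + b"PE\0\0" + coff + bytes(opt) + hdrs
    return img + b"\0" * (hdr_raw - len(img)) + body


# Constructed samples (assumed layout, flag values are the usual linker defaults).
TEXT, RDATA, DATA, EXEC = 0x60000020, 0x40000040, 0xC0000040, 0x20000000
CLEAN_LAYOUT = [(".text", 0x1000, 0x400, TEXT), (".rdata", 0x2000, 0x200, RDATA),
                (".data", 0x3000, 0x200, DATA)]
CLEAN_PE = build_pe(CLEAN_LAYOUT, 0x2040, 0x60)                     # exports in .rdata
INFECTED_PE = build_pe(CLEAN_LAYOUT + [(".virus", 0x4000, 0x600, DATA | EXEC)],
                       0x4010, 0x80)                                 # exports moved to the appended section

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("infected", INFECTED_PE)):
        print(label, export_table_check(img))
```

This is a triage heuristic, not a signature: some linkers legitimately emit .edata late in the image, so a hit should be confirmed against the timestamp marker described above or with a proper scanner, and a miss proves nothing for a virus that relocates the host's export data rather than appending its own section.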
Coup.1957
Description Coup.1957
This is a very dangerous memory-resident multipartite virus. When an infected file is executed, the virus infects the MBR of the hard drive and then returns to DOS. When the system boots from the infected MBR, the virus reserves a block of system memory, copies itself there, hooks INT 13h and INT 1Ch, and returns control to the original MBR code. Through the INT 13h hook the virus implements a stealth routine for accesses to the infected MBR. Through the INT 1Ch (timer) hook the virus waits for DOS to finish loading, then hooks INT 21h and writes itself to the end of .COM and .EXE files (except COMMAND.COM) as they are executed. The virus checks file names and corrupts several anti-virus scanners: SCAN, MSAV, PART*, CLEAN, VSAFE, TOOLKIT, GUARD, FINDVIRU. It overwrites them with a trojan program that displays the message:

Coup De Main : In Childhood taught me to Love Now that I Love Frenzied,Said me Forget !!!
Coup.2052.a
Description Coup.2052.a
The description of this variant is identical to that of Coup.1957 above.