Virus Database


Win32.Mystery.2560

Description Win32.Mystery.2560

This is a memory-resident parasitic Win32 virus. It replicates under Win32: it stays in system memory and infects PE EXE files as they are run. When infecting, the virus writes itself into the file's Fixup section if the section is large enough, so the file length does not grow on infection. The infection routine has a bug, and in some cases infected files cause a standard Windows message about an error in the application.
At midnight, the virus opens and closes the CD drive and displays the following message:
Mystery by Prudentor
You are infected with Mystery! ;-)
Nothing will be killed, keep cool.
To stay memory resident, the virus infects the EXPLORER.EXE file when it is first started. It obtains the file's name by searching system memory for the active EXPLORER process. The virus then terminates EXPLORER.EXE (to allow writing to the file), infects it and re-runs it. As a result, the virus stays in system memory as a component of Explorer, i.e., until Windows is shut down.
The virus then operates in the background: it looks for active processes, stores their file names and infects those files when the corresponding application exits (the file is then no longer locked for writing).


Ritzen Family

Description Ritzen Family

These are harmless memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of .COM and .EXE files that are executed or opened. They contain the text string "PAPA" and:
"Ritzen.1087,1098"
Dedicated to Ritzen, our Minister of Education and Science. We are getting
sick of your budget cuts so we hope that you get sick of this virus.. (c)
'93 by S.A.R. / TridenT

"Ritzen.1112"
Dedicated to Ritzen, our Minister of Education and Science. We are getting
sick of your budget cuts so we hope that you get sick of this virus.. (c)
'93 by S.A.R. (Students Agains Ritzen).

Rlyeh.1178

Description Rlyeh.1178

It is a very dangerous non-memory-resident encrypted overwriting virus. It searches for COM files and overwrites them. The virus displays the text:
+----------------------+-------------------------------------------------------+
| _ | Ph'nglui mglw'nafh Cthulhu R'lyeh wagn'nagl fhtagn. |
| /\___[X]___/ | In his house in R'lyeh dead Cthulhu waits dreaming. |
| / /| +-------------------------------------------------------+
| / / / | This virus demonstrates interrupt trapping, anti- |
| /\/ | |/ // | heuristic code, EXE/COM determination, executable |
| || || | data statements, heap use, code length determination, |
| _|| ||_ | simple (XOR) encryption, and overwriting replication. |
+----------------------+-------------------------------------------------------+
| FOR DEMONSTRATIONAL AND EDUCATIONAL PURPOSES ONLY · NOT FOR PUBLIC RELEASE |
+------------------------------------------------------------------------------+
ERROR: No infectable files found!
ACTIVE: Infection in

    Copyright © 2005 Virus-Database.com