Win32.Resur.a
Description Win32.Resur.a
This is a relatively harmless per-process memory resident parasitic virus. When an infected file is executed, the virus takes control, runs its infection thread and returns control to the host file. The virus thread then stays active in the background of the parent (host) process, scans subdirectory trees on all available drives and infects the PE EXE files it finds there.
The virus uses a complex infection method: it processes the victim file structure and incorporates its code into the file. The virus body itself is a standard PE EXE file with four sections: code, data, resources and fixup (relocation) table. Depending on the victim file structure, the virus either adds all its sections to the victim file body as separate sections, or appends some of its sections to the existing ones. The virus then makes the necessary changes in the victim file headers: it modifies the program start-up address, section numbers, section addresses and sizes.
Resur.a,c
The virus contains text strings that in some cases are displayed by the virus: I already told you this butall Warning! Don't close this window Win32/Resurrection by Tcp/29A Hey you, stupid 29A
Resur.b
This is a remake of the original virus. Instead of displaying the message (see above), it forces the installed Internet browser to open the Web site "http://sennaspy.tsx.org". The virus also contains the following text string: Senna Spy Fenasoft 2000 Virus
Resur.d
This virus is encrypted. To decrypt its code when an infected file is run, the virus uses a very unusual method. While infecting files, the virus modifies the program Image Base and generates special data in the Relocation Section (Fixup section). As a result, when the program is being relocated to real addresses in Windows memory, the relocation procedure decrypts the encrypted virus code. This virus contains the text: Win95/SVK by Tcp/29A
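A triage check for the Resur.d behaviour described above, added here as an example and not taken from the original description or from any antivirus product: it parses a raw PE base relocation table and measures how much of a region (for instance the section holding the entry point) the loader would rewrite. The function names, the 0.5 threshold and both sample tables are assumptions constructed for illustration; dense fixups are normal over pointer tables in data, so the check is only meaningful for a code region.

```python
import struct

HIGHLOW = 3  # IMAGE_REL_BASED_HIGHLOW: loader adds the 32-bit load delta here

def parse_base_relocs(reloc: bytes):
    """Yield (rva, type) for each entry of a raw PE base relocation table."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or pos + size > len(reloc):
            break  # terminator or malformed block: stop instead of misparsing
        for off in range(pos + 8, pos + size - 1, 2):
            (entry,) = struct.unpack_from("<H", reloc, off)
            # low 12 bits: offset inside the page, high 4 bits: fixup type
            yield page_rva + (entry & 0x0FFF), entry >> 12
        pos += size

def fixup_coverage(reloc: bytes, start_rva: int, end_rva: int) -> float:
    """Fraction of bytes in [start_rva, end_rva) that the loader rewrites."""
    touched = set()
    for rva, kind in parse_base_relocs(reloc):
        if kind == HIGHLOW:
            touched.update(b for b in range(rva, rva + 4)
                           if start_rva <= b < end_rva)
    return len(touched) / (end_rva - start_rva)

def looks_relocation_decoded(reloc, start_rva, end_rva, threshold=0.5):
    """Assumed heuristic: compiled code has fixups only on address operands,
    so a code region that is mostly covered by fixups deserves a closer look."""
    return fixup_coverage(reloc, start_rva, end_rva) >= threshold

def make_block(page_rva, offsets):
    """Build one relocation block (constructed sample data, not a real file)."""
    entries = [(HIGHLOW << 12) | o for o in offsets]
    if len(entries) % 2:
        entries.append(0)  # type 0 (ABSOLUTE) padding keeps blocks 4-byte aligned
    return struct.pack("<II", page_rva, 8 + 2 * len(entries)) + struct.pack(
        "<%dH" % len(entries), *entries)

# Constructed samples: a sparse table, and one with a fixup on every dword.
ORDINARY = make_block(0x1000, [0x010, 0x024, 0x080])
DENSE = make_block(0x5000, range(0, 0x100, 4))

if __name__ == "__main__":
    for name, table, lo in (("ordinary", ORDINARY, 0x1000), ("dense", DENSE, 0x5000)):
        print(name, fixup_coverage(table, lo, lo + 0x100),
              looks_relocation_decoded(table, lo, lo + 0x100))
```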
MadWill.2400
Description MadWill.2400
MadWill.2400 is a non-dangerous memory resident parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM and EXE files (except COMMAND.COM) that are accessed. When executed under DOS versions earlier than 3.0, it displays the message: This program requires MS-DOS version 3.30 or later.
It contains the internal text strings: The Stainless Steel TechRat, Version 1.0, 2.03.94, (C) 1993-94 by MadWill International, Moscow, Russia WYSINWYG (What you see is NOT what you get) Thanks to H. Harrison COMMAND.COM .EXE Story 1 : The Stainless Steel TechRat is Born
Mag Family
Description Mag Family
These are harmless memory resident parasitic viruses. They copy themselves into the Interrupt Vector Table, hook INT 21h and write themselves to the end of .COM files that are executed. They do not manifest themselves in any way.