Win32.Ruff.4859
Description Win32.Ruff.4859
It is a dangerous memory-resident parasitic Windows virus. When an infected file is run, the virus scans the Windows kernel, gets the addresses of the Windows functions it needs, installs its resident copy in Windows memory and returns control to the host program. The resident copy then infects PE EXE files that are executed. To intercept file execution the virus hooks the CreateProcessA Windows function.

While infecting a file the virus creates a new section named "Ruff" at the end of the file, writes its code there and modifies the program's startup address and other necessary fields in the file header.

To install itself memory resident the virus performs several actions. First it lists all active processes and looks for a copy of EXPLORER active in memory. It then looks for the SHELL32.DLL module in the EXPLORER process's memory, scans its import tables and gets the address of the imported CreateProcessA function. The virus then writes a small routine (168 bytes) to the top of the EXPLORER process memory (to the addresses occupied by the DOS EXE stub). Later this routine will complete the virus installation. The virus then patches the address of the CreateProcessA import in the SHELL32.DLL module memory so that this call goes directly to the virus's 168-byte routine. (Note: in both cases the virus writes its routine and patch to the process memory, not to the disk files.)

The virus then creates the C:SWAP file and writes its "pure" code there. When the 168-byte CreateProcessA hooker gets control (on any program execution), the virus completes its installation: it allocates a block of Windows memory, reads its code from the C:SWAP file (which is then deleted), and resets the CreateProcessA hook to point there. As a result the virus code is placed in a block of EXPLORER's memory, and it hooks the CreateProcessA function.

The virus pays attention to the AVP and DrWeb anti-virus programs. While installing itself into memory it looks for AVP and DrWeb processes and kills them. When AVP or DrWeb programs are executed, the virus deletes all files in the directories where these files are run.

The virus has bugs and fails to infect Win95 memory, and replicates only in Win98 and WinNT.

The virus contains the text strings: We are the Ruffest ! (c) Charly
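A static triage check for the file-infection traits described above, as an added example that is not part of the original description: it parses the PE headers and reports whether the last section is named "Ruff" and whether the entry point falls inside the last section. It assumes the modified startup address points into the added section; `build_sample` produces a constructed header-only test image, and all function names are hypothetical.

```python
import struct

def pe_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize), ...]) or None if not a PE."""
    try:
        if data[:2] != b"MZ":
            return None
        pe, = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsect, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
        opt_size, = struct.unpack_from("<H", data, pe + 20)  # SizeOfOptionalHeader
        entry, = struct.unpack_from("<I", data, pe + 24 + 16)  # AddressOfEntryPoint
        table = pe + 24 + opt_size
        sections = []
        for off in range(table, table + 40 * nsect, 40):
            name = data[off:off + 8].rstrip(b"\0")
            vsize, vaddr = struct.unpack_from("<II", data, off + 8)
            sections.append((name, vaddr, vsize))
        return entry, sections
    except struct.error:                                      # truncated headers
        return None

def ruff_indicators(data):
    """List the traits of the described infection found in a PE image."""
    parsed = pe_sections(data)
    if not parsed or not parsed[1]:
        return []
    entry, sections = parsed
    name, vaddr, vsize = sections[-1]
    hits = []
    if name == b"Ruff":
        hits.append("last section named Ruff")
    # Assumption: the rewritten startup address points into the added section.
    if vaddr <= entry < vaddr + max(vsize, 1):
        hits.append("entry point in last section")
    return hits

def build_sample(last_name, entry):
    """Constructed header-only image with two sections (no code, not a real file)."""
    def sect(name, vaddr, vsize):
        return name.ljust(8, b"\0") + struct.pack("<II", vsize, vaddr) + b"\0" * 24
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    return (dos + b"PE\0\0" + coff + opt
            + sect(b".text", 0x1000, 0x1000) + sect(last_name, 0x2000, 0x1300))
```

An entry point in the last section on its own is only a weak signal, since some packers also place it there; the section name is the trait specific to this virus.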
Cholera Family
Description Cholera Family
These are dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of .COM and .EXE files that are executed. They infect some files incorrectly, and these files halt the system on execution. Depending on the system time these viruses also hook INT 08h and delay on each timer tick. They contain the internal text strings:

"Cholera.a": Cholera v1.0 by dr Hellraiser 94-02-03
"Cholera.b": Cholera v2.0 by dr Fleischman 93-12-29
Chris.463
Description Chris.463
It is a non-dangerous memory-resident parasitic virus. It copies itself into the interrupt vector table, hooks INT 21h and writes itself to the end of .COM files that are executed. Sometimes it decrypts and displays the message: "Mary,all. ti AMO!". It also contains the internal text string: "". The word "inf" is placed at the end of infected files.