Virus Database

Win32.Santana.1104

Description Win32.Santana.1104

Win32.Santana is a memory resident parasitic encrypted Win32 virus. It affects PE EXE files (Win32 executable files) by writing its code to a file end and modifying necessary PE header fields. The virus does not manifest itself in any way. It contains the text string:
Virus "SANTANA" created by Net'$ Wa$te [RespawneD EViL]
When an infected file is executed, the virus gets control, decrypts itself and calls its main routine. That routine scans Windows kernel to get addresses of necessary file access functions and then checks system environment. Under Windows NT the virus then calls direct infection routine: it searches for all PE EXE files in the current directory, infects them and returns control to the host program.
Under Windows 95/98, the virus scans the VxD memory area and looks for a cave in there (zero bytes cave - not used area).. The virus copies its code to that cave, switches its process to kernel mode (Ring0), hooks SetCurrentDirectoryA Windows function (selecting a new directory) and stays in the system memory as a component of the Windows kernel. On selecting the new directory the virus runs its find-and-infect routine. Where there is no cave of reasonable size, the virus calls the direct infection routine in the same way as under Windows NT.

Check other viruses! Be aware! Use Antiviral Software

LuciferBoot.a

Description LuciferBoot.a

It's a not dangerous not memory resident boot virus. On loading from infected floppy it overwrites boot sector of C: drive, on loading from infected hard drive it overwrites boot sectors of B: drive. It does not save original boot sector and tries load DOS by itself. If there are not system files on current disk this virus displays: "Sys?". This virus does not hook interrupt vectors and does not install itself memory resident. It contains the internal text strings:
Lucifer
Lucifer Messiah -- ANARKICK SYSTEMS v6.1 (c)1990
Sys?

Lucy family

Description Lucy family

These are dangerous memory resident parasitic polymorphic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed, except several anti-viruses and utilities (see the list below). While installing memory resident the viruses also scans the system memory for several anti-virus monitors and disable them.
The viruses have bugs and in some cases halts the computer. Under debugger "Lucy.5286" displays the message:
Hi, do you know that AndreaP is actually better than LucyV ?
Takze ak sa vam chce, tak to meno zmente. :-).
PS. Pochadzam[e] (ja i ona) z GJH. (mozno)
Press any key to reset.

The viruses also contain the texts:
* EMM386 *
COM EXE
TBMEMXXXTBCHKXXXTBDSKXXXTBFILXXXCOMMAND

"Lucy.5086":
COM EXE SCAN VSHIELD CLEAN FINDVIRU GUARD VIVERIFY
TB -V VIRSTOP NOD HIEW ICE AVG F-PROT CHKDSK DRWEB

"Lucy.5286":
SCAN VSHIELD CLEAN FINDVIRU GUARD VIVERIFY TB AVP
VIRSTOP NOD HIEW ICE AVG F-PROT CHKDSK DRWEB TD
scanning

Home