Virus Database

Win32.Shaitan.3390

Description Win32.Shaitan.3390

It is a dangerous nonmemory resident parasitic Windows32 virus. It searches for PE EXE Windows32 files (Portable Executable) in current directory, the directory trees on C: and D: drives and infects not more than five found files. While infecting the virus writes itself to the end of the file. It increases the size of last file section, writes itself to there and modifies the PE header including the entry point address. The virus has bugs and Windows32 often terminates the infected files run with standard Windows error message.
To access Windows32 API functions to search for files and infect them the virus scans Windows kernel, gets the address of GetProcAddress function and then gets addresses of other functions:
GetProcAddress GetModuleHandleA CreateFileA CreateFileMappingA
MapViewOfFile CloseHandle FindFirstFileA FindNextFileA FindClose
SetFilePointer SetEndOfFile GetCurrentDirectoryA SetCurrentDirectoryA
GetWindowsDirectoryA GetCommandLineA UnmapViewOfFile GetFileAttributesA
SetFileAttributesA GetDriveTypeA

This procedure seems to work correctly under both Windows 95 and Windows NT, but because of other bugs the virus halts the system under Windows NT.
The virus also contains the text string, they are encrypted in infected files:
Win32.Shaitan (c) 1998 The Shaitan [SLAM]
This virus was written in the city of Mumbai

Check other viruses! Be aware! Use Antiviral Software

Fair Family

Description Fair Family

These are not dangerous memory resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed.
Fair.2083
While executing some file (the virus checks the beginning of the file), the virus displays the message:
This is an [ illegal copy ] of KeyPress virus remover
System Halted

This virus also contains the text:
Eternal Fair

Fair.2340
This virus does not infect the files SCAN.EXE and COMMAND.COM. When the virus intercepts the access to an already infected file, it increases its internal counter. When that counter reaches 800h, the virus displays:
Time Machine, Running.

Fair.2083

Description Fair.2083

It's a not dangerous memory resident parasitic encrypted virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are accessed. On execution of some file (the virus checks the beginning of the file) it types the message:
This is an [ illegal copy ] of KeyPress virus remover
System Halted

This virus also contains the internal text: "Eternal Fair".

Home