Virus Database

Bog.233.a

Description Bog.233.a

It's a harmless not memory resident parasitic virus. It searches for Windows EXE-files and infects DOS-part of them. It does it by quite interesting method. It uses the fact, that a lot of Windows EXE-files have a DOS part of code. That code is executed if the Windows EXE is started under DOS. Usually these DOS parts of code have the same format in different Windows EXE-files. These parts contain the warning message like "This program requires Microsoft Windows." and several assembler instructions that display this message and return the control to DOS. Usually these instructions are:
MOV AH,9
INT 21h ; display the message
MOV AX,4C01h
INT 21h ; return to DOS

This virus reads the first 80h bytes of the DOS executable code (below the EXE header) and checks it for "WIN" or "Win" string. If that string is found, the virus starts to search for the assembler instructions listed above. If that code is present, the virus writes into the file 233 bytes of own code from last INT 21h instruction:
MOV AH,9
INT 21h ; display the message
MOV AX,4C01h
CALL $+3 ; virus code starts here

On execution from MS-Windows infected files works as usually, on execution from DOS it displays standard Windows' warning message and then the virus starts to work.
The also virus contains the internal text string:
BOG (C) '93 by GROG - Italy

Check other viruses! Be aware! Use Antiviral Software

Leda.820

Description Leda.820

This is a relatively harmless, memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM files that are accessed. From 6 until 11 in November, depending on the system time, it displays the following message and halts the PC:
Masz wirusa LEDA (BDv3.0) , (c) B.D. 27.V.1994
P.S. Dzieki dla autora wirusa FLOOR 1153

Leech.1024

Description Leech.1024

These are memory resident encrypted viruses. They hook INT 21h and write themselves into COM files that are executed or closed. If the first instruction of the file is a JMP (E9h or EBh), then the virus inserts itself into the file middle at the address to where JMP instruction points, else the virus writes itself to the beginning of the file. While infecting the virus uses undocumented System File Table.
Depending on the current time "Leech.1024", "Glist.1014" and "Tazta.1008" display the messages and erase the sectors of the root directory of the current drive:
"Leech.1024": The leech liveall
"Leech.Tazta.1008": Super, Super! ... March 1993, Tazta.
"Leech.Glist.1014": Mr.Tapeworm May 1996 The GLIST

"Leech.Warrier.768" is a harmless virus. It contains the text:
The WARRIER!

Home