Virus Database

Win95.Caw.1262

Description Win95.Caw.1262

This is a dangerous memory resident parasitic Win95/98 virus. When an infected program starts, the virus gets control, switches itself from application level (Ring3) to Windows kernel (Ring0), allocates a block of Windows memory, hooks file-access functions (IFS API) and stays "memory resident" as a system VxD driver. The virus then intercepts file opening function and writes itself to the end of PE EXE files that are opened. While infecting a file, the virus increases the last file section and writes itself to there.
The virus has a bug, and in some cases, corrupts files while infecting them. When such files are run, they cause a standard Windows message about an error in application.
The virus has two very dangerous payloads. 1. on July 7th upon each file opening, the virus erases 16 sectors at random positions on the C: drive.
2nd: if the current minutes are 0, the virus deletes the files that are being opened: WINWORD.EXE, and files with extensions: BMP, JPG, DOC, WRI, BAS, SAV, PDF, RTF, TXT. This "feature" can be "customized": if there is a file "C:AW", the virus gets "sacrificial" file names and extensions from this file, and deletes them. The name of this file was the reason for naming the virus.

Check other viruses! Be aware! Use Antiviral Software

Gift.553

Description Gift.553

These are not dangerous memory resident parasitic viruses. "Gift.724" is encrypted. They hook INT 21h and write themselves to the beginning of COM files that are searched. While installing memory resident the viruses allocate a 64Kb block of DOS memory that may decrease the system performance.
The most interesting feature of these viruses is their structure: it follows the standard ZIP archives binary format. The beginning of virus code is very similar to ZIP header, and to the end of infected files a block of data is written that is similar to ZIP "end-of-archive" data. Despite on this, when infected files are run, these data are executed as a sequence of legal assembler instructions that pass control to the main virus code. As a result, the infected files can be not only executed as DOS programs, but also can be accessed as ZIP archives. These "archives" contains just one file named "SMF_Gift.com". Being "extracted" this file is the same as original contents of infected file.

Gigi.1283

Description Gigi.1283

These are dangerous memory resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of .COM files that are executed. The viruses do not infect the files: VSAFE.COM, COMMAND.COM, WIN.COM. They have bugs and install themselves two and more times in the system memory, as a result in some time the system halts.
The viruses contain the text strings:
SUCKER
.COM VSAFE COMMAND WIN

"Gigi.1449" contains the texts:
Gigi Euristicu' v1.0 * RoMaNiA
Only COM infector but a new generation is comeing all
Copyright [C] 1996-97 Elecktronick RAT & Pink Phanter
Special thanks to GikuABS (Ps!ko)
Who's General Failure and what's he doing on your HD ?

Home