Win95.Dupator.1503
Description Win95.Dupator.1503
This is a harmless memory-resident parasitic Win32 virus. It infects Win32 PE EXE files and also infects the KERNEL32.DLL Windows system file. The virus does not manifest itself in any way. Because of a bug, the virus does not work on WinNT machines.

While infecting a file, the virus creates a new PE section at the end of the file and writes its code there. In the case of applications, the virus then modifies the program's start-up address; in the case of KERNEL32.DLL, it patches the export table (see below). The virus section in infected files is named "DUPATOR!", and this string may be used for manual detection of infected files.

When an infected program is run, the virus takes control and infects the KERNEL32.DLL file. To do this, the virus copies this file from the Windows system directory (where it is located by default) to the Windows directory, for example:

WINDOWS\SYSTEM\Kernel32.Dll -> WINDOWS\Kernel32.Dll
WINNT\SYSTEM32\Kernel32.Dll -> WINNT\Kernel32.Dll

and infects this copy. While infecting, the virus patches the KERNEL32.DLL export table so that the GetFileAttributesA function points to the virus code in the infected KERNEL32.DLL file. The virus then returns control to the host program and is no longer active.

The virus infection routine is activated only when the infected KERNEL32.DLL is loaded into Windows memory (upon the next Windows start-up). Because the GetFileAttributesA function points to the virus code, the virus does not need to perform any additional actions to stay in Windows memory: it stays memory resident as a part of KERNEL32.DLL and hooks the file-attributes reading routine. When any application makes this call, the virus infects the corresponding file if it has the PE EXE format.
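The manual check mentioned above (looking for a PE section named "DUPATOR!") can be scripted. The following is an added example, not part of the original description; the function names scan and build_sample are hypothetical, and the sample images are constructed header-only test data.

```python
import struct

MARKER = b"DUPATOR!"  # section name the description gives for infected files

def scan(data):
    """Return None for non-PE data or no DUPATOR! section, else details of it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if pe + 44 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    nsect, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 40)       # AddressOfEntryPoint
    table = pe + 24 + opt_size                             # first section header
    if opt_size < 20 or table + 40 * nsect > len(data):
        return None                                        # truncated or malformed
    for i in range(nsect):
        off = table + 40 * i
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        if data[off:off + 8] == MARKER:
            # Entry point inside the section matches the infected-application
            # case; outside it matches the patched KERNEL32.DLL copy.
            return {"index": i, "last": i == nsect - 1,
                    "entry_in_section": vaddr <= entry < vaddr + vsize}
    return None

def build_sample(names, entry_rva):
    """Constructed test image: PE headers and section table only, no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    sects = b"".join(
        struct.pack("<8sIIIIIIHHI", n, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x200 * (i + 2), 0, 0, 0, 0, 0xE0000020)
        for i, n in enumerate(names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sects

if __name__ == "__main__":
    print(scan(build_sample([b".text", b".data", MARKER], 0x3000)))
```

To check a real file, pass its bytes to scan; a KERNEL32.DLL present directly in the Windows directory, rather than only in the system directory, is worth scanning first.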
Beep.2000
Description Beep.2000
Beep.2000 is a memory-resident parasitic virus that is not dangerous. It hooks INT 08h and INT 21h and writes itself to the end of COM and EXE files that are executed. Sometimes it beeps through the internal speaker.
Beer.3399
Description Beer.3399
These are memory-resident encrypted parasitic viruses that are not dangerous. They hook INT 21h and write themselves to the end of COM and EXE files that are opened or executed. From 1992 they manifest themselves with a sound effect and display a message in Russian. Some of the "Beer" viruses are dangerous: on opening, they overwrite some files with text in Russian. The names of the files to overwrite are:

DISKDATA.DTL
VIRUSES.INF
A-DINF-_.___ [NOTE "_" not displayable in HTML]
DIRINFO
-V.MSG

These viruses contain/display the messages:

"Beer.3399": Lozinsky! I know you to be old beer drinker. How about a mug of beer or two? It would be amazing to meet you at our beer party. You are welcome at Solntsevo railway station About 17.00 p.m. every friday and wednesday.
"Beer.3490": AIDS617.EXE EGA - text mode demonstration Copyright (c) by Wadim 1990. I love you ,Ann !ANNA Wadim S.
"Beer.3522": DISKDATA.DTL VIRUSES.INF A-DINF-_.___ DIRINFO REPORT.WEB REPORT.TXT ADINF-C.LOG ADINF-D.LOG ADINF-E.LOG ADINF-F.LOG ADINF-G.LOG CHKLIST.MS AVPTSR.EXE -D.COM -D3.COM VSAVE.EXE ANTI4US.EXE F_PROT.LOG