Win95.MrKlunky
Description Win95.MrKlunky
This is a memory-resident (VxD) Win95 infector. To infect the system and files, the virus uses a method similar to that of the "Win95.Punch" virus. When an infected file is executed, the virus creates the MRKLUNKY.VXD file on disk, writes its VxD dropper to it and registers it in the system. While booting, Win95 loads this VxD and leaves it in memory. The virus VxD hooks IFS API calls and infects PE EXE files as they are opened.

While infecting a PE EXE file, the virus creates a new section named "MrKlunky" in it, patches the PE header and writes its code to the end of the file. To tell infected files from uninfected ones, the virus writes the double-word 00F00F00h to the EXE header at offset 28h. The virus has bugs and in some cases fails to infect EXE files: it writes its code to the end of the file but does not modify the Entry Point address.

To call file access functions, the virus searches for their original addresses in the Win95 kernel. This method is not reliable, and these calls may cause system error messages.

The virus creates the C:LOG.LOG file and, while infecting a file, writes that file's name to this log.

The virus contains text strings, the majority of which are the names of standard Win95 functions that the virus uses:

MRKLUNKY MrKlunky.VxD
KERNEL32 CloseHandle CreateFileA FlushFileBuffers GetLastError GetSystemDirectoryA GetWindowsDirectoryA SetEndOfFile WriteFile
ADVAPI32 RegCloseKey RegCreateKeyExA RegSetValueExA
Start SYSTEM\CurrentControlSet\Services\VxD\MrKlunky StaticVxD
GetProcAddress GetModuleHandleA
MRKLUNKY MRKLUNKY_DDB
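The two file-level indicators named above (the "MrKlunky" section and the double-word 00F00F00h at offset 28h) can be checked with a short PE header parser. This is an added example, not code from the original description; it assumes the offset is counted from the start of the MZ header and the value is stored little-endian, and build_sample is a hypothetical helper that constructs header-only test data.

```python
import struct

MARKER = 0x00F00F00        # infection mark given in the description
MARKER_OFFSET = 0x28       # assumption: counted from the start of the MZ header
SECTION_NAME = b"MrKlunky"  # section name given in the description

def section_names(data):
    """Return the PE section names, or [] if data is not a well-formed PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe, = struct.unpack_from("<I", data, 0x3C)            # e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return []
    count, = struct.unpack_from("<H", data, pe + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    table = pe + 24 + opt_size                            # first section header
    names = []
    for i in range(count):
        entry = table + 40 * i                            # 40-byte section header
        if entry + 40 > len(data):
            break                                         # truncated section table
        names.append(data[entry:entry + 8].rstrip(b"\0"))
    return names

def check_mrklunky(data):
    """Report which of the two indicators from the description are present."""
    marker = (len(data) >= MARKER_OFFSET + 4 and
              struct.unpack_from("<I", data, MARKER_OFFSET)[0] == MARKER)
    section = SECTION_NAME in section_names(data)
    return {"marker": marker, "section": section, "suspect": marker and section}

def build_sample(names, marker=0):
    """Constructed header-only PE skeleton used as test input (not a real file)."""
    mz = bytearray(0x40)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, MARKER_OFFSET, marker)
    struct.pack_into("<I", mz, 0x3C, 0x40)                # PE header follows MZ header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(mz) + b"PE\0\0" + coff + bytes(0xE0) + sections
```

A file that shows only one of the two indicators is reported separately, so it can be reviewed by hand.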
Khizhnjak.306
Description Khizhnjak.306
These are non-memory-resident parasitic viruses. They search for .COM files in the current directory and write themselves to the end of each file. Some of these viruses search the current directories of the A: and C: drives.

These viruses resulted from the publication of the book "Writing virus and anti-virus" by Mr. Khizhnjak. He published a commented listing of a non-memory-resident COM virus, and the viruses of the "Khizhnjak" family are modifications of that virus. They manifest themselves in different ways: some are harmless, others display messages and/or erase the CMOS, disk sectors and files. The messages are:

"Khizhnjak.834": Mason Hardkiller (C) 1995. (XAPïAHOB-âÇä)all
"Khizhnjak.ASV": Alexander S. Virus ! "SUKA ver 1.0
"Khizhnjak.Genesis": !!!GENESIS THE BEST BAND IN THE WORLD!!!
"Khizhnjak.Hallo": Hallo! I have got a virus for you!
"Khizhnjak.Happy": "Don`t worry,be happy!"

Khizhnjak.Areg
These viruses are not dangerous. With a probability of 1/8 they display a text message in Russian. They also contain the text string: (C) 1993 AREG Soft

Khizhnjak.DeathLord
These are dangerous viruses. Depending on the current time and date, they erase the screen, hook INT 1Ch and delay on every timer tick, and delete files. These viruses display the messages:

"Khizhnjak.DeathLord.752": Death Lord.So I dub thee Unforgiven.
"Khizhnjak.DeathLord.933": Created by Death Lord
Khrusha.1505
Description Khrusha.1505
This is a memory-resident parasitic virus that is not dangerous. It hooks INT 21h and writes itself to the end of EXE files that are executed. In some cases it displays a message in Russian. It also contains the text string: Khrusha