Virus Database

Win95.Padania

Description Win95.Padania

It is a harmless memory resident parasitic Win95 virus. It stays in the Windows memory, hooks system IFS API calls, intercepts EXE file opening and then writes itself to the end of the file and modifies file's header to get control when infected programs are executed. A short virus entry code is also written into file PE header.
The virus infects files in two ways depending on the file's structure. If the last section of the file is relocations ".reloc" section, the virus just overwrites it and erases relocation info in the PE header. Otherwise the virus adds one new section to the end of the file and writes its code to there.
To get control when infected file is run the virus also uses two ways: it either modifies the program's startup address, or patches the program's code with JMP_Virus instruction. In latter case the virus does not receive control immediately when an infected program is run, but only in case patched program's branch gets control.
To install its hooker into the Ring0 (VxD) Windows memory the virus uses the trick similar to "Win95.MarkJ" virus. It patches the PE sections so, that Windows95 loads virus code into the VMM Ring0 area instead of standard application's memory.
The virus does not manifest itself in any way. It contains the text strings:
Padania_Libera
by -b0z0/iKX-
Padania

Check other viruses! Be aware! Use Antiviral Software

RagDoll.942

Description RagDoll.942

It is not a dangerous memory resident parasitic virus. It copies itself into EMS memory, hooks INT 21h and writes itself to the end of EXE files that are executed. Being debugged the virus halts PC. The virus detects TBAV memory resident anti-virus monitor, and displays:
TbDriver, TBAV TSR utilities driver (C) Copyright 1992-94 Thunderbyte BV.
_ Program not supported.

The virus also contains the text string:
Rag Doll Virus by Sx (c) 1995 AeroSmith Rulze!!

Rager.1383

Description Rager.1383

These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of EXE files that are executed. On executing the LOGIN utility the virus depending on the system timer decrypts and displays the message, and then reboots the computer:
********** Warning ! **********
Novell NetWare report : Hardware A30 error detected.
Registers :
AX :2134 BX :3C23 CX :1841 DX :5421
CS :2451 DS :2023 ES :538A SS :6C8B
SI :46AE DI :94B4 SP :4541 BP :491C
Try restart file-server,if it will not give effect,
switch off your network and call trained service-people.
Press any key to restart this computer.

The virus also contains the text:
NetWare virus from Avenge (tm) family .
(C)Rager , Simferopol State University

Home