Virus Database


Win95.Prizm.4428

Description Win95.Prizm.4428

This is a very dangerous memory resident parasitic polymorphic Win9x virus. It infects PE EXE files (Windows executable files) with .EXE and .DLL filename extensions. The virus resident copy infects files that are accessed by Windows (opened or run). When run from an infected file, the virus also looks for applications that are run, obtains their file names, and tries to infect them as well.
While infecting, the virus writes itself to the end of a file, and modifies the entry point routine address and the necessary PE header fields. The virus also writes a "SpAm" ID string to a field in the PE header.
To stay memory resident, the virus switches to Windows kernel mode (Ring3->Ring0), allocates a block of system memory, and copies itself there. The virus then hooks the DOS INT 21h interrupt chain, IFS API calls and system broadcast messages.
An INT 21h hook is used by the virus only for the "Are you here?" call to detect its already active memory resident copy, and to avoid double installation. An IFS hook routine intercepts file-opening system calls, and infects Win32 EXE and DLL files that are being opened.
The broadcast-message hook detects when a new disk is inserted into a CD drive. In this case, the virus tries to perform a "write data" command on the inserted disk. The virus apparently intends to destroy disks in CD writers, but the routine appears to contain a bug, so the disks should not be destroyed.
On the 1st, 11th, 13th, and 26th of each month, each time an infected program is run, the virus erases a randomly selected sector on each logical drive (overwriting it with virus code), and displays a BSoD (blue screen) message:
Virus Win9x.Chazhma(Chernobil2)

Made by SpAmC0der->[PRiZM]->Vladivostok->Russia

Battle of life. Capital!!!
to be continuedall Win32.Kursk2000

Check other viruses! Be aware! Use Antiviral Software

Indonga.2125

Description Indonga.2125

This is a very dangerous memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files. Depending on the system date, the virus corrupts the CMOS, plays some data through a Sound Blaster, or returns to DOS instead of running the host program.
This virus infects all files that are executed except COMMAND.COM. On September 22 and 24, it erases the disk sectors and displays the following message:
PINDONGA Virus. (Hecho en ARGENTINA)
Programado por: OTTO (16/9/77)
Saludos a: MAQ-MARIANO-SERGIO-ERNESTRO-COSTRA
PD: Alguien mate a Bill Gates (El WINDOWS SE CUELGA)

Indonga.3652

Description Indonga.3652

This virus also hooks INT 20h and 2Fh and infects COMMAND.COM as well as COM and EXE files that are accessed.
On September 16, February 25, March 21, and August 27, it erases the disk sectors and displays:
PINDONGA Virus V5.6. (Hecho en ARGENTINA)
Programado por Otto (16977)
Saludos a MAQ-MARIANO-SERGIO-ERNESTRO-COSTRA-PABLIN
PD: Alguien mate a Bill Gates (El WINDOWS SE CUELGA)
PINDONGA Virus (Programado por OTTO en ARGENTINA) 16977.
Depending on the system conditions, "Indonga.4010" erases the hard drive sectors and displays:
+-----+
|SARIN|
|VIRUS|
+-----+
|HECHO|
| POR |
|-NOP-|
+-----+

    Copyright © 2005 Virus-Database.com