Win95.Repus.127.a
Description Win95.Repus.127.a
This is an extremely small parasitic Windows virus. It infects PE EXE files (Windows executable files) and writes its code to the PE file header. The virus uses smart coding and tricks to optimize code size: it is a Win9x infector just 156 bytes in size, including the text string: Sexy.2000

This is the first known virus to use the Windows caching mechanism to spread itself (the Windows cache is a buffering system that is used to speed up disk file access and keeps data that was read and written, including PE EXE file headers).

When an infected file is run, the virus switches from application mode to Win9x kernel mode (Ring3 -> Ring0). By using a Windows kernel function (VxD function), it enumerates the Windows system cache blocks and looks for PE headers in them. The virus detects these cache blocks, inserts its code into them and marks the blocks as "dirty" (so Windows will flush them to disk).

The infection routine does not distinguish between Windows DLL and EXE files, and infects DLL libraries as well as applications. The infection routine is not bug-free, and in some cases it corrupts files while infecting them.

As a result of its infection mechanism, the virus has three very visible features.

1. The virus does not use any disk read/write functions. It just copies its code to the cache, and the infection (flushing the infected data to disk) is completed by Windows. Moreover, the virus uses just ONE single call to Windows functions to spread itself (the "enumerate cache" VxD function). No other functions are used by the virus.
2. The virus is non-memory-resident, but it is a fast infector. In a modern system the Windows cache is large enough that a lot of data and code is stored in it. So many (frequently used) disk files are held in the cache, and the virus infects most of them.
3. By using "infection through cached data", the virus is easily able to infect any application, including active ones that are locked for writing by Windows. The cached data is at a deeper level, and it is not protected by Windows. As a result, if a file is running at that moment and is locked for writing, the virus is still able to modify (infect) it.
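A defensive check for the header-resident placement described above, added here as an example (it is not code from the original description): it parses a PE header and reports whether the entry point lies in the header region and how many non-zero bytes sit in the slack after the section table. The function names and the constructed sample image are illustrative, and the idea that a header infector points AddressOfEntryPoint into the headers is an assumption; the description does not state how the virus gains control.

```python
import struct

def pe_header_report(data: bytes) -> dict:
    """Header-region indicators for a PE32/PE32+ image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)
    size_of_headers, = struct.unpack_from("<I", data, opt_off + 60)
    sect_off = opt_off + opt_size
    sections = []
    for i in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, _ = struct.unpack_from("<4I", data, sect_off + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize)))
    slack = data[sect_off + 40 * num_sections:size_of_headers]
    in_section = any(va <= entry_rva < va + sz for va, sz in sections)
    return {
        # Entry point 0 means "no entry point" (legal for DLLs), so skip it.
        "entry_in_headers": 0 < entry_rva < size_of_headers,
        "entry_outside_sections": entry_rva != 0 and not in_section,
        # Heuristic only: bound-import data can legitimately live here.
        "nonzero_slack_bytes": sum(1 for b in slack if b),
    }

def build_sample(entry_rva: int, slack_fill: bytes = b"") -> bytes:
    """Constructed minimal PE32 header with one .text section at RVA 0x1000."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)            # Machine, NumberOfSections
    struct.pack_into("<H", img, 0x94, 0xE0)                 # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 60, 0x200)            # SizeOfHeaders
    sec = opt + 0xE0
    img[sec:sec + 5] = b".text"
    struct.pack_into("<4I", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    img[sec + 40:sec + 40 + len(slack_fill)] = slack_fill   # filler after section table
    return bytes(img)
```

On real files, treat `nonzero_slack_bytes` as a triage signal to combine with the entry-point checks, not as a verdict on its own.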
Ocean.2571
Description Ocean.2571
This is a non-dangerous memory-resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus does not infect files whose names begin with the letters: WIN, TB, COMMAND, NOD, AV
When started from an infected file, it checks the current time. If the current hour number is equal to the current minute, the virus decrypts and displays the message: This is an Atlantic Ocean I Virus (C) 1997 by #13
If the current seconds value is below 10, it also displays the message: Listen to Radio RAGTIME 106.6 FM! [and use MSDOS 95 to keep #13 alive]
The virus also contains the encrypted text strings: Dedicated to the one I love heuristics :-(, string check :-) This is [Atlantic Ocean I] by #13
Ocsana.692
Description Ocsana.692
This is a benign memory-resident encrypted parasitic virus. When an infected file is executed, the virus hooks INT 21h and 28h, and stays memory resident. It then intercepts the ChangeDir DOS call (AH=3Bh), sets its internal flag and, upon the next INT 28h call, searches for .COM files and infects them. While infecting a file, the virus encrypts the file and shifts it down by 692 bytes, then writes itself to the beginning of the file. On August 13, the virus decrypts and displays the following message: Happy birthday, Ocsana!