Virus Database


Win95.Vlades.29696

Description Win95.Vlades.29696

This is a Win95 parasitic virus that infects PE EXE files, combined with a password-stealing trojan horse ("PSW trojan"). The virus is written in the Delphi programming language and has a component written in Assembler; the virus length is about 30Kb. The virus neither manifests itself in any visual way nor damages data on drives, but its infection routine has bugs that corrupt some EXE files. The virus was named after the encoded text string "VladBEST" found in its code.
When an infected file is executed, the virus extracts its "pure code" as a standalone PE EXE file, stores it in the Windows SYSTEM directory under the name KERNEL.DLL, and then executes it. A standard Windows installation has no file with that name; it has KERNEL32.DLL instead. The virus disguises its presence by using this look-alike name.
When run from KERNEL.DLL, the virus stays in Windows memory as a hidden application, searches for PE EXE files in the Windows directory, then in all directories on all available drives from C: to Z:, and infects the PE files it finds.
While infecting, the virus writes its code as two blocks. The first block is a very short piece of Assembler code written to the end of the first file section, if there is a gap of sufficient size. This code receives control when the infected file is executed, and it installs and runs the "pure" virus code (see above). The second block is the 30Kb virus code itself. It is written to the last file section, and the virus increases the size of this section while infecting a file.
The password-stealing ability is activated only if the Russian localization package is installed. The virus then collects confidential information from the system and sends a message to the wladic@chat.ru Internet address.

Bach.498

Description Bach.498

It's a dangerous non-memory-resident parasitic virus. It searches for .COM files and writes itself to their ends. Depending on the current date, it hooks INT 13h and sometimes redirects information that is read from or saved to disk. It contains the internal text string: "J.S. Bach by TXQ".

BachKhoa.3544

Description BachKhoa.3544

This is a very dangerous memory-resident encrypted parasitic virus. It uses anti-debugging tricks in its code. When an infected file is executed, the virus hooks INT 21h, stays memory resident, and then writes itself to the end of COM and EXE files that are accessed.
The virus deletes anti-virus and other data files: CHKLIST.MS, CHKLIST.CPS, FILESIGN.SAV, FILE_ID.DIZ. On November 25 it also erases hard drive sectors. It contains the text strings:
Ha Noi University of technology
Your PC was infected by BACHKHOA virus

    Copyright © 2005 Virus-Database.com