Virus Database

Win95.Voodoo.1537

Description Win95.Voodoo.1537

It is a harmless memory resident encrypted parasitic Win32-virus. It stays in the Windows memory and depending on the system events searches for files in the "C:Program Files" and other directories and infects them. While infecting the virus increases the size of last file section, encrypts and writes itself to there and modifies the program's entry address in the file header. Because of a bug in its infection routine the virus is not able to replicate under WinNT, but under Win95 only. The virus does not manifest itself in any way, it contains the author's "copyright" text:
Star0 - Magic Voodoo

When an infected file is executed, the virus decrypts itself, scans the KERNEL32.DLL code and gets the addresses of necessary Windows API functions (GetSystemTime, CreateThread, FindFirstFileA, FindNextFileA, and other). The virus then allocates a block of system memory, copies itself to there and hooks ExitProcess function. To hook it the virus also scans KERNEL32.DLL code and patches it with virus hooker address.
The virus also uses multitasking features: the virus ExitProcess handler gets control directly from Windows kernel, but the infection routine does work as a thread. When an infection routine takes control, it delays for 5 seconds and then searches for PE EXE files in the directory tree and infects them.

Check other viruses! Be aware! Use Antiviral Software

Rape.500

Description Rape.500

This is a dangerous memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of the COM files that are executed. It erases the disk sectors, and then decrypts and displays the following:
DataRape! v1.0
(C)1991 Zodiac
RABID, USA

Rape.575

Description Rape.575

This is a dangerous non-memory resident encrypted parasitic virus. It searches for COM files of the current and root directories, and writes itself to the end of the file.
Sometimes it decrypts and displays:
Pray for death - RABID '91
On the 13th of every month, it displays:
Rage - RABID Int'nl Development Corp.
By Data Disruptor - Thanks to Zodiac
and erases the disk sectors. It also contains the texts: "Patricia Boon", "*.COM".

Home