Virus Database

WinHLP.Demo

Description WinHLP.Demo

This is the first known "native" Windows32 HLP files infector, it does function and replicate as a Windows Help script embedded in help file structure (the first known virus affecting Windows HLP files was the "Win95.SK" infector).
When infected HLP file is opened, the Windows Help system processes virus script and executes all functions placed there. By using a trick the virus forces Help system to execute a specially prepared data as binary Windows32 program, these data are included in one of instructions in the virus script. These data themselves are the "start-up" polymorphic routine that builds the main infection routine and executes it. The infection routine is a valid Windows32 procedure, and it is executed as a Windows32 application.
When infection routine takes control, it scans Windows kernel (KERNEL32.DLL image loaded in Windows memory) in usual for Win32 executable files parasitic infectors, and gets addresses of necessary Windows functions from there. The infection routine then looks for all Windows Help files in the current directory, and infects them all.
While infecting the virus modifies internal HLP file structure, adds its script to the "SYSTEM" area, converts its code to polymorphic start-up routine and includes it into the script.
Before run its infection routine, and when infection is finished, the virus displays the MessageBoxes:
HLP.Demo
Trying to infect
HLP.Demo
Script comes to end!

Check other viruses! Be aware! Use Antiviral Software

Pages Family

Description Pages Family

These are not dangerous memory resident parasitic viruses. They hook INT 1Ch, 21h and write themselves to the end of .COM files (except COMMAND.COM) that are accessed. They contain the text string "COMMANDO-3". They manifest themselves with the video tricks: they change the video pages or "shake" the screen.

Palm.Phage

Description Palm.Phage

This is the first known virus infecting PalmPilot applications. The virus has an "overwriting" infection mechanism, and affected applications do not work anymore.
The Pilot applications (.PRC files - "executable files" in DOS/Windows terms) are standard Pilot databases with a special "application" resource inside. When an application is run, the "application" resource is activated and performs its functions. There is a set of system "library routines" that the Pilot applications can use to access system resources and other database resources.
When the virus starts, it opens its own file and reads its DATA and CODE resources from there, then it simply searches for all other "application" databases in the system and overwrites their DATA and CODE resources with the virus'. The affected application then has virus DATA and CODE resources in it.

Home