WinNT.Infis.4608
Description WinNT.Infis.4608
It is a memory resident parasitic WinNT virus. It operates under WinNT only and is not able to infect files under Win9x systems. The virus does not manifest itself in any way and does not do any harm to the system. Despite this, the virus has a bug in its infection routine and corrupts some files while infecting them; when run, the corrupted files cause the standard "is not a valid Windows NT application" error message.

The virus stays in WinNT memory as a system driver, hooks file opening and writes itself to the end of PE EXE files (Portable Executable Win32 files). The virus infects all PE files with the .EXE extension except CMD.EXE. To distinguish infected files from uninfected ones, the virus sets the file time and date double word stamp in the PE header to -1 (FFFFFFFFh). While infecting a file the virus increases the size of the last file section, writes itself there and modifies the necessary fields in the file header. As a result, when infected PE files are executed, the virus code receives control and runs the installation routine.

The virus installation routine copies the virus to the system, registers it there and returns control to the host program. As a result, on first start the virus just installs its "dropper" to the system and does not infect the WinNT memory or other files. The memory and file infection routines are activated later, when the "dropper" is run.

To install its "dropper" the virus extracts its "pure" code (4608 bytes) as a standalone PE EXE file with the name INF.SYS and writes it to the \SystemRoot\system32\drivers directory. Next the virus adds "run-it" commands to the system registry. To do that, the virus creates a new Registry key with three values:

\Registry\Machine\System\CurrentControlSet\Services\inf
Type = 1 - means it is a standard NT driver
Start = 2 - the mode of driver start
ErrorControl = 1 - continue system loading on error in driver

As a result the virus dropper is loaded as a WinNT system driver on the next system restart. When the INF.SYS virus dropper takes control, the virus allocates a block of WinNT memory, reads its complete copy from the INF.SYS file for further use in the infection routine, and hooks a poorly documented internal WinNT system function handler. The virus hooker intercepts the file opening function only: it checks the file name and extension, then opens the file, checks the file format (PE) and runs the infection routine.
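A defender-side check for the infection marker described above, as an added example that is not part of the original description: it reads the time and date stamp from the PE header and lists .EXE files where it equals FFFFFFFFh. The function names and the constructed sample header are assumptions made for illustration.

```python
import os
import struct

INFIS_MARKER = 0xFFFFFFFF  # time/date stamp value the description gives for infected files


def pe_timestamp(data):
    """Return the PE header TimeDateStamp, or None if data is not a parsable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the "PE\0\0" signature
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the 4-byte stamp.
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None  # truncated or malformed header
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def has_infis_marker(data):
    return pe_timestamp(data) == INFIS_MARKER


def scan_tree(root):
    """Hypothetical helper: list .EXE files under root that carry the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if has_infis_marker(fh.read()):
                        hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


def build_sample(stamp):
    """Constructed minimal MZ/PE header for testing; not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + struct.pack("<HHI", 0x014C, 1, stamp) + bytes(12)


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("marker FFFFFFFFh:", hit)
```

A match is a lead for closer inspection rather than proof of infection, because the time and date stamp field can hold any value a tool chooses to write.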
Mario Family
Description Mario Family
These are memory resident parasitic viruses. They hook INT 18h and INT 21h and write themselves to the end of EXE files that are executed or opened. "Mario.661" also infects files that are renamed. This virus has bugs and may corrupt files while infecting them. It contains the text string: Mario Genius
"Mario.746" displays: Joannie Tomczykall Mario Genius (c) 02.95.
Maripuri.1942
Description Maripuri.1942
It is a very dangerous non-memory-resident parasitic virus. It searches for EXE files in the subdirectory tree and writes itself to the end of the file. If there are no EXE files, the virus erases the CMOS and the FAT of the C: drive, and overwrites the MBR of the hard drive with a program that displays the message: Virus MARIPURI 1.0 By FredSoft C.O. Made in Spain, IV-1.992
The virus also contains the string: *.EXE *.COM *.*