Wit.2663
Description Wit.2663
It is a very dangerous nonmemory resident parasitic polymorphic virus. It searches for COM files, then moves file top to the end of the file and writes itself to the beginning of the file. While infecting the virus also encrypts part of host file that is moved to its end.
The virus also searches for INT 21h calls within file body and patches them with INT E9h calls. As a result when patched programs are executed, they call for INT E9h instead of INT 21h. To fix this problem the virus leaves a small memory resident program that hooks INT E9h and redirects these calls to INT 21h. So infected files do work under infected environment only and halt the system when it is disinfected. Second side effect of virus' way of infection is impossibility to disinfect infected files correctly in all cases, so infected files should be replaced from backup.
Depending on the system timer the virus overwrites all .COM files in the current directory with trivial overwriting infector. The virus also searched for anti-virus database files and deletes them:
*.* CHKLIST.* ANTI-VIR.DAT MSAV.CHK
*.AVB *.LOG TBSCAN.SIG SMARTCHK.CPS *.MS
The virus looks for /LOVE argument in command line and displays a message in Russian "I love you Katya", if this argument is found. On September 14th the virus displays a message in Russian and deletes all files in the current directory.
The virus contains the text strings:
DESTROER
[ INQUISITOR II ] Copyright (c) by Wit 1997.
Check other viruses! Be aware! Use Antiviral Software
Collor.878
Description Collor.878
It's a dangerous not memory resident encrypted parasitic virus. It searches for .COM-files and writes itself to their ends. Depending on the system timer it formats HD sectors and displays the message:
Virus Collor De Mello
Communist.1310
Description Communist.1310
It is a dangerous memory resident parasitic virus. It hooks INT 21h, 2Fh and writes itself to the end of EXE files that are terminated. Before executing infected files the virus disinfects them, and reinfects on termination.
On 13th of any month from 1pm till 2pm the virus erases programs' code and displays the message:
COMMUNISM
Written by Jack Rose. 22 Jan 1998
The INT 2F handler may displays the message:
TEQUILA
The virus also contains the text string:
BEER
|