Virus Database

Xuxa Family

Description Xuxa Family

These are memory resident not dangerous viruses. They hook INT 21h and infect files.
Xuxa.1045,1037,1088,1096
These are encrypted viruses. They write themselves to the end of COM files (except COMMAND.COM) that are executed. While installing memory resident they infect the C:DOSFORMAT.COM file. Depending on the system time they halt the system. They delete the CHKLIST.MS and ANTI-VIR.DAT files. "Xuxa.1037" contains the strings:
Si no viste el Show de Xuxa por T.V, ni en vivoall
ahora podes verlo en tu PC!. - XOU DA XUXA 1.0
By Leviathan.

The viruses display the messages:
"Xuxa.1088,1096":
Si no viste el Show de Xuxa por T.V, ni en vivo...
ahora podes verlo en tu PC!. - XOU DA XUXA 1.2
By Leviathan.

"Xuxa.1045":
Si no viste el Show de Xuxa por T.V, ni en vivo...
ahora podes verlo en tu PC!. -
XOU DA XUXA 1.3
By Leviathan.

Xuxa.1405,1413
They hook INT 1Ch, 21h and write themselves to the beginning of the COM files that are executed. These viruses play a tune.
Xuxa.1656
That virus writes itself to the end of COM and EXE files that are executed. Depending on the system date and time it displays the message:
Xuxa Park 1.0 _ By Hades
"Y luchemos para que todos los niños delmundo tengan derecho a soñar, a
soñar por igual"

Xuxa.1984,2058
These are encrypted stealth viruses. They write themselves to the end of COM and EXE files that are executed of closed. The viruses check the file names and do not infect several anti-virus and data compression utilities. The viruses delete the files: CHKLIST.MS and ANTI-VIR.DAT. The viruses have bugs and in some cases halt the computer.
Starting from 1997, on 27 of any month the viruses display:
"Xuxa.1984": _ XUXA PARK 2.0 _ By Hades _ Todo el mundo esta feliz ?
"Xuxa.2058": XUXA PARK 2.1 _ BY HADES "Y LUCHEMOS PARA QUE TODOS LOS
NIÑOS DEL MUNDO TENGAN DERECHO A SOÑAR, A SOÑAR POR IGUAL"

Check other viruses! Be aware! Use Antiviral Software

CMOS.a

Description CMOS.a

It is a dangerous memory resident stealth boot virus. It corrupts the CMOS memory. On loading from infected disk the virus copies itself to the address 9F80:0000, hooks INT 13h and writes itself to the MBR of the hard drive and the boot sectors of the floppy disks. The original MBR is saved to the second sector on the hard drive, the boot sector of floppy disk to the last sector of root directory on the disk.

CmosDead family

Description CmosDead family

These are very dangerous memory resident parasitic polymorphic and stealth viruses. They trace and hook INT 21h, stay memory resident and then write themselves to the end of COM and EXE files that are accessed. The viruses do not infect the anti-virus programs and several utilities:
AVG SYS SCAN CLEAN WIN TBAV PROT GUARD VS 286 386 DSK

When CHKDSK is run, the viruses disable their stealth routines. In some cases when listed above programs are executed, the viruses display the message and disable executing:
I don't like this program !

The viruses use anti-debug tricks. Under debugger they display the message and halt the computer:
BE CAREFUL !

Depending on their internal counters the viruses hook INT 9 (keyboard), corrupt the CMOS, display the message:
GRISOFT(c) SOFTWARE 1989,96

and manifest themselves with a video effect. If Ctrl-Alt-Del keys are pressed during effect, the viruses call disk formatting BIOS routine.
In some cases the viruses call the same effect routine, then they overwrite the MBR of the hard drive with a program that displays on booting:
CMOS-DEAD: DATA DESTROYED !

The viruses also contain the text string:
Hello Mr. Odehnal !

as well as:
"Odehnal.4792": EXECOM12/19/91
"Odehnal.5154": EXECOM06/12/95

Home