Virus Database


Brontozavr.1280

Description Brontozavr.1280

It is a dangerous memory-resident parasitic virus. It hooks INT 10h and INT 21h and writes itself to the end of files that are executed. The virus contains a lot of bugs, and a special environment has to be arranged to force it to infect a file. The virus infects files as COM files (it writes itself to the end of the file and overwrites the first three bytes of the file with a CALL Virus instruction), but it infects only files that do not have the "COM" file name extension. There are also typing errors in the virus's assembler code, and as a result the virus corrupts files rather than infecting them.
The virus contains the text strings:
AIDSTEST.EXE
Virus BRONTOZAVR ,04.04.94 ,by CRAZY
COMMAND.COM
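
A triage heuristic for the layout described above, as an added example that is not part of the original database entry: it flags a file image whose first instruction is a CALL rel16 landing in the final bytes of the file, and separately checks that tail for the listed text strings. The 1280-byte tail length is an assumption inferred from the ".1280" suffix in the name, and the function names and sample images are constructed for illustration.

```python
import struct

TAIL_LEN = 1280  # assumption: body length inferred from the ".1280" name suffix
MARKERS = (b"Virus BRONTOZAVR", b"AIDSTEST.EXE")  # text strings listed above

def call_target(image):
    """File offset reached by a leading CALL rel16 (opcode E8), else None."""
    if len(image) < 3 or image[0] != 0xE8:
        return None
    (rel,) = struct.unpack_from("<H", image, 1)
    # Displacement counts from the next instruction (offset 3), modulo 64 KiB.
    return (3 + rel) & 0xFFFF

def triage(image, tail=TAIL_LEN):
    """Return a list of indicator names found in a file image."""
    found = []
    target = call_target(image)
    if target is not None and len(image) > tail + 3:
        if len(image) - tail <= target < len(image):
            found.append("entry-call-into-tail")
    if any(m in image[-tail:] for m in MARKERS):
        found.append("marker-string-in-tail")
    return found

def make_sample(host_len, rel, tail_bytes):
    """Constructed test image: CALL rel16, filler, then tail_bytes."""
    head = b"\xE8" + struct.pack("<H", rel)
    return head + b"\x90" * (host_len - 3) + tail_bytes

# Constructed samples, not real specimens.
APPENDED = make_sample(500, 500 - 3, b"Virus BRONTOZAVR".ljust(TAIL_LEN, b"\x00"))
EARLY_CALL = make_sample(500, 0x20, b"\x00" * TAIL_LEN)  # CALL to a nearby routine
PLAIN_JMP = b"\xE9\x10\x00" + b"\x90" * 2000             # ordinary JMP start

if __name__ == "__main__":
    for name, img in [("appended", APPENDED), ("early_call", EARLY_CALL),
                      ("plain_jmp", PLAIN_JMP)]:
        print(name, triage(img))
```

Because the entry notes that the virus often corrupts files instead of infecting them cleanly, a file that matches only the marker-string indicator still deserves a closer look.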


Phoenix Family

Description Phoenix Family

These are very dangerous resident polymorphic parasitic viruses. They write themselves to the middle of COM files that are executed or closed. To the end of EXE files they write a trojan program that in some cases erases all information on installed hard disks.
"Phoenix.Proud,Live" infect COM files only; "Phoenix.Live.a" does not infect COMMAND.COM.
While infecting a COM file, the virus reads the data from the middle of the file, saves it to the end of the file, then overwrites the data in the middle of the file with its own copy and writes a JMP Virus instruction to the beginning of the file. While infecting COMMAND.COM, the virus writes itself to the stack area of COMMAND.COM, and the file length does not grow.
 Infection of COM file             Infection of COMMAND.COM file
+-----------+      +-----------+   +-----------+    +-----------+
¦ File      ¦      ¦ File      ¦   ¦COMMAND.COM¦    ¦COMMAND.COM¦
¦           ¦      ¦           ¦   ¦           ¦    ¦           ¦
¦           ¦      ¦           ¦   ¦           ¦    ¦           ¦
+ - - - - - ¦      +-----------¦   + - - - - - ¦    +-----------¦
¦           ¦--+   ¦ Virus     ¦   ¦           ¦    ¦ Virus     ¦
+ - - - - - ¦  ¦   +-----------¦   + - - - - - ¦    +-----------¦
+-----------+  ¦   ¦- - - - - -¦   +-----------+    +-----------+
               +-->¦           ¦
                   +-----------+

The viruses also hook INT 13h and then, depending on some preconditions, randomly rearrange bytes in information blocks being read from and written to disks.
The viruses of this family were the first to use two new methods. First, the viruses intercept DOS calls to files by using INT 2Ah instead of INT 21h. Second, the viruses (except "Phoenix.Live.a") are polymorphic and do not have any constant mask (signature): the main part of the virus is encrypted, and a decoding program (32 bytes long) is selected from 204 possible variants. One has to bear in mind that these viruses have the following lengths: "Phoenix" - 1704 bytes, "Phoenix.Evil" - 1701 bytes, "Phoenix.Proud" - 1102 bytes.
The viruses contain the text strings:
"Phoenix": PHOENIX
"Phoenix.Evil": The evil that men do lives on and on and onall
"Phoenix.Proud": Proudly made in Sofia
"Phoenix.Live.a,b": Live after Death

Phone.688

Description Phone.688

It is a dangerous non-memory-resident virus. It searches for .COM and .EXE files and overwrites them. It also dials phone numbers: it outputs the modem command "ATDT1900" to the COM port and then dials the numbers 9034600, 4545388, 2888100, 6809100, 9038181, 4540759, 8840758, 8965581, 6804900, 4075240, 9038700, 7868482. The virus then displays "Out of Memory" and returns to DOS.


    Copyright © 2005 Virus-Database.com