Virus Database


Zombie.PM.4592

Description Zombie.PM.4592

This is a non-memory-resident polymorphic parasitic virus. It searches for COM files, then writes itself to the end of the file. Before writing its code to the file, the virus converts it to text data: each byte is converted to a pair of text bytes. Each text byte can take a value from '6' to 'L'. These text bytes are then split into lines of text, with a LineFeed character at the end of each line.
When an infected file is executed and the virus takes control, the reverse conversion routine is called. This routine converts the text data back to executable binary code. The routine itself also consists only of text bytes and, moreover, it is polymorphic. Its code looks as follows:
as assembler code:    as text bytes:    result text line:
PUSH 2F5D             h]/               h]/X-?"5!#P^hdPX-!tP_18
POP AX                X
SUB AX,223F           -?"
XOR AX,2321           5!#
PUSH AX               P
POP SI                ^
PUSH 5064             hdP
POP AX                X
SUB AX,7421           -!t
PUSH AX               P
POP DI                _
XOR [BX+DI],DI        18
SUB AX,0A0D
all ...

The virus writes the standard PGP stamps of an encrypted message as the header and footer of the block of text data:
-----BEGIN PGP MESSAGE-----
Version: 2.6.3i
-----END PGP MESSAGE-----

As a result, the virus code looks like a real PGP message with a standard header and footer and some random text data inside:
+-----------------+
|JMP Virus        |-----+
|- - - - - - - - -|     |
|Original file    |     |
|data and code    |     |
|                 |     |
|-----------------|     |
|PGP header text  |     |
|- - - - - - - - -|     |
|Virus code       |<----+
|converted to text|
|- - - - - - - - -|
|PGP footer text  |
+-----------------+
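
A detection heuristic for the disguise described above, as an added example that is not part of the original description: a genuine PGP armor body uses only the Radix-64 alphabet (A-Z, a-z, 0-9, +, /, =), while the range '6' to 'L' also contains bytes such as ':' and '@'. The function names, the 0.8 ratio threshold and the sample data are assumptions constructed for illustration.

```python
import base64
import string

BEGIN = b"-----BEGIN PGP MESSAGE-----"
END = b"-----END PGP MESSAGE-----"
# Characters that can legitimately appear in a PGP armor body (Radix-64).
RADIX64 = set((string.ascii_letters + string.digits + "+/=").encode())
# Byte range the description gives for the virus's text pairs: '6' to 'L'.
PAIR_RANGE = set(range(ord("6"), ord("L") + 1))


def armor_bodies(data):
    """Yield the bytes between each BEGIN/END PGP MESSAGE stamp pair."""
    pos = 0
    while (start := data.find(BEGIN, pos)) >= 0:
        end = data.find(END, start)
        if end < 0:
            return
        yield data[start + len(BEGIN):end]
        pos = end + len(END)


def inspect_body(body):
    """Count payload bytes outside Radix-64 and inside the '6'..'L' range."""
    lines = [ln.strip() for ln in body.splitlines()]
    payload = b"".join(ln for ln in lines if ln and not ln.startswith(b"Version:"))
    if not payload:
        return None
    return {
        "non_radix64": sum(b not in RADIX64 for b in payload),
        "pair_ratio": sum(b in PAIR_RANGE for b in payload) / len(payload),
    }


def looks_like_text_encoded_code(data, min_ratio=0.8):
    """Flag armor whose body is not valid Radix-64 and sits mostly in '6'..'L'."""
    # min_ratio is an assumed threshold; it tolerates lines using other bytes.
    for body in armor_bodies(data):
        stats = inspect_body(body)
        if stats and stats["non_radix64"] and stats["pair_ratio"] >= min_ratio:
            return True
    return False


# Constructed samples (not taken from any real file).
STAMPS = BEGIN + b"\nVersion: 2.6.3i\n\n%s\n" + END + b"\n"
SUSPECT = b"\x90" * 16 + STAMPS % (b"6789:;<=>?@ABCDEFGHIJKL\n" * 4)
GENUINE = STAMPS % (base64.b64encode(bytes(range(48))) + b"\n=AbCd")
```

A hit is only a reason to inspect the file further; an armor block appended to an executable is already unusual on its own.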

The virus contains text strings. The major part of them is the text of the Scorpions song "Wind Of Change"; the rest of the text looks as follows:
z0mbie$$.$$$Z0MBiE.PGPMorph Version 1.00 (c) 1997, 1998 Z0MBiE International
Now we can infect Dr.WEB addons...
homepage: http://www.chat.ru/~z0mbie
e-mail: z0mbie@chat.ru
Scorpions is BEST!
@SONG: WIND OF CHANGE

The virus also accesses, in some way, TPU files (Turbo Pascal library files) and DrWeb anti-virus databases. In the case of TPU files, the virus adds its code to the library. In my experiments the virus failed to modify both types of files.


NoFrills Family

Description NoFrills Family

These are not dangerous memory-resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed. Some of these viruses infect COM files incorrectly, and such files halt the system when executed. The viruses contain the text strings:
"NoFrills.813": +-No Frills by Harry McBungus-+
"NoFrills.815": +-No Frills 1.01 by Harry McBungus-+
"NoFrills.840": +-NF3.0-H.McB-[PuKE]-+
"NoFrills.843": +-No Frills 2.0 by Harry McBungus-+

NoFrills.Bungus
This virus hooks INT 8 and INT 21h. It contains the text strings:
*X-Fungus by Harry McBungus*
*Nugga!*
*Greets SCP*
*Greets RABID*
* Patricia: Grow some programming knowledge *
*Grease me!*
*K-Mart in full effect*
*Epileptic Downer*

This virus decrypts and displays:
John Bonham - September 20, 1980
- L E D Z E P P E L I N -

NoFrills.Dudley
It is a harmless polymorphic virus. It contains the text string:
[Oi Dudley!][PuKE]

NoFrills.Kcat.1358
It is a very dangerous memory-resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of COM and EXE files when they are executed or opened, or when their file attributes are accessed. The virus corrupts EXE files while infecting them.
The virus creates the file C:WIN386.DAT and writes the keystrokes that are entered to it. The virus contains the text strings:
Kcat 3.01
5% - By Sir Twist & Thunderbird, with Many Thankz to Harry McBungus
whose coded we politely nicked.

NoFrills.K-Lame.950
On Sundays this virus creates the file C:HARRY.MCB and, while infecting any file, appends the following string to C:HARRY.MCB:
+-K-Lame Kreation by Harry McBungus-+

NoHook.48

Description NoHook.48

These are very dangerous memory-resident overwriting viruses. They copy themselves to the Interrupt Vector Table, hook INT 85h and patch the DOS kernel with an INT 85h call. Then they overwrite files that are executed. Major versions of these viruses contain the text:
it's not necessary 2 hook int 21h!


    Copyright © 2005 Virus-Database.com