Zombie.PM.4592
Description Zombie.PM.4592
This is a non-memory-resident polymorphic parasitic virus. It searches for COM files, then writes itself to the end of the file. Before writing its code to the file, the virus converts it to text data: each byte is converted to a pair of text bytes. Each of these bytes can take a value from '6' to 'L'. The text bytes are then split into lines of text with LineFeed characters at the end of each line. When an infected file is executed and the virus takes control, the reverse conversion routine is called. This routine converts the text data back to executable binary code. The routine itself also contains only text bytes and, moreover, it is polymorphic. Its code looks as follows:

    as assembler code:    as text bytes:    result text line:

    PUSH 2F5D             h]/               h]/X-?"5!#P^hdPX-!tP_18
    POP  AX               X
    SUB  AX,223F          -?"
    XOR  AX,2321          5!#
    PUSH AX               P
    POP  SI               ^
    PUSH 5064             hdP
    POP  AX               X
    SUB  AX,7421          -!t
    PUSH AX               P
    POP  DI               _
    XOR  [BX+DI],DI       18
    SUB  AX,0A0D          all ...
The virus writes the standard PGP stamps of an encrypted message as the header and footer of the block of text data:

    -----BEGIN PGP MESSAGE-----
    Version: 2.6.3i
    -----END PGP MESSAGE-----
As a result, the virus code looks like a real PGP message with a standard header and footer and some random text data inside:

    +-----------------+
    |JMP Virus        |-----+
    |- - - - - - - - -|     |
    |Original file    |     |
    |data and code    |     |
    |                 |     |
    |-----------------|     |
    |PGP header text  |     |
    |- - - - - - - - -|     |
    |Virus code       |<----+
    |converted to text|
    |- - - - - - - - -|
    |PGP footer text  |
    +-----------------+
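The layout in the diagram gives a scanner a simple structural check: a COM file whose entry jump lands inside a text-only block framed by the PGP stamps. The following is an added example, not code from the original description; it assumes the entry "JMP Virus" is a 3-byte near jump (opcode E9), and the sample file it builds is constructed and inert.

```python
import struct

BEGIN = b"-----BEGIN PGP MESSAGE-----"
END = b"-----END PGP MESSAGE-----"

def jmp_target(data):
    """File offset reached by a leading near JMP (opcode E9 is an assumption)."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    (rel,) = struct.unpack_from("<H", data, 1)
    target = (3 + rel) & 0xFFFF  # displacement counts from the end of the JMP
    return target if target < len(data) else None

def is_text(b):
    # Printable ASCII plus the CR/LF line ends described in the text
    return b in (0x0D, 0x0A) or 0x20 <= b <= 0x7E

def looks_like_pgp_wrapped_code(data):
    """True when the entry JMP lands inside a text-only block between PGP stamps."""
    target = jmp_target(data)
    if target is None:
        return False
    begin = data.rfind(BEGIN, 0, target)   # header must precede the jump target
    end = data.find(END, target)           # footer must follow it
    if begin < 0 or end < 0:
        return False
    return all(is_text(b) for b in data[begin:end + len(END)])

def build_sample():
    """Constructed, inert file with the diagram's layout (filler text, no code)."""
    host = b"\x90" * 32 + b"\xC3"                    # stand-in for the host program
    header = BEGIN + b"\r\nVersion: 2.6.3i\r\n\r\n"
    body = b"6789ABCDEFGHIJKL\r\n" * 4               # filler in the '6'..'L' range
    tail = header + body + END + b"\r\n"
    target = len(host) + len(header)                 # first byte after the header
    return b"\xE9" + struct.pack("<H", target - 3) + host[3:] + tail

# Constructed negatives: a COM file that jumps into binary code, and the
# stamped text block on its own (a text file, so no entry jump at all).
CLEAN_COM = b"\xE9\x10\x00" + b"\x90" * 0x20
TEXT_ONLY = build_sample()[33:]

if __name__ == "__main__":
    for name, blob in (("sample", build_sample()), ("clean", CLEAN_COM),
                       ("text", TEXT_ONLY)):
        print(name, looks_like_pgp_wrapped_code(blob))
```

The check keys on structure only (executable entry point redirected into armored-looking text), so it does not depend on the polymorphic bytes of the conversion routine.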
The virus contains text strings. The major part of them is the text of the Scorpions song "Wind Of Change"; the rest of the text looks as follows:

    z0mbie$$.$$$Z0MBiE.PGPMorph Version 1.00 (c) 1997, 1998 Z0MBiE International
    Now we can infect Dr.WEB addons...
    homepage: http://www.chat.ru/~z0mbie
    e-mail: z0mbie@chat.ru
    Scorpions is BEST!
    @SONG: WIND OF CHANGE
The virus also accesses, in some way, TPU files (Turbo Pascal library files) and DrWeb anti-virus databases. In the case of TPU files, the virus adds its code to the library. In my experiments the virus failed to modify both types of files.
Astron.1056
Description Astron.1056
It is a very dangerous non-memory-resident parasitic virus. It searches for .COM files, then writes itself to the end of the file. The virus contains the text string: Astron.Solar by 1996-96 Inc.
The virus is not memory resident, but it leaves a TSR program that hooks INT 1Ch and INT 21h and, after some time, decrypts and displays a message in Russian. On the 27th of any month the virus writes the JMP-to-Reboot instruction (JMP FFFF:0000) and the same text in Russian to the boot sector of the C: drive.
AT-Corp.321
Description AT-Corp.321
This is a harmless memory-resident multipartite virus. It hooks INT 13h and writes itself into free space (a cave) in the EXE header when such headers are accessed with INT 13h (that is, when the corresponding sectors are read or written via INT 13h). The length of the file does not grow during infection. It also infects the MBR of the hard drive and installs itself memory resident only when booting from an infected MBR. The virus contains the text string: (c)AT Corp. 1995