Virus Database

Zombie.VPI.15211

Description Zombie.VPI.15211

This is a memory resident parasitic virus. It writes itself to the end of EXE files that are executed, opened or on reading/modifying file attributes. It has two unusual algorithms: coding itself while infecting files and infecting Shadow RAM.
When an infected file is executed, the virus checks the Shadow RAM ports (it presents only on Pentium PC). If these ports are accessible, the virus looks for zero-bytes "cave" in the Shadow memory, opens it for writing, copies itself to there and closes Shadow for writing. If there is no enough free space, the virus either overwrites standard video font, or looks for some code (some driver?) and overwrites it, if font or such code are placed in Shadow memory. The virus then hooks INT 13h, waits for any EXE file execution and hooks INT 21h.
After installing into the Shadow memory it is closed for writing. When the virus' INT 13h, 21h handlers take control, and the virus needs to modify its data, it temporary opens Shadow for writing.
While infecting files the virus encodes itself in quite curious way - it does not encrypts itself as usual self-encrypted viruses do, but transforms itself to the byte sequence of 00h or FFh. For each byte of virus code its eight bits are converted to eight bytes - 00h in case of zero bit, FFh in case of 1. As a result, the actual virus code is less than 2K, but while infecting the virus increases file length more than by 15K.
While reading disk sectors (INT 13h) the virus checks them for directory structure, search for references for several files and erases these references. These files are: ADINF, AIDS, AVP, WEB, DRWEB, *.CPP, *.C, S-ICE, TD, DEBUG, WEB70801, CA.AV?
The virus also contains the text:
Z0MBiE`1635 v1.00 (c) 1997 Z0MBiE
Tnx to S.S.R. & Lerg
ShadowRAM/Virtual Process Infector

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.Twister

Description Macro.Word.Twister

This virus does not manifest itself in any way. It contains eight macros:
NORMAL.DOT Infected documents
FileSaveAs twFSA
AutoExec twAE
twAC AutoClose
FileSave twFS
AutoExit twEX
twFC FileClose
twFE FileExit
twFQ FileQuit

The virus infects the global macros area on FileClose, FileExit and AutoClose. The documents get infection on AutoExit, FileSave and FileSaveAs.
The virus contains commented strings:
"Twister 2000" v.1 (c) Neo-Luddite Inc.
For Robin Hood

Macro.Word.TWNO

Description Macro.Word.TWNO

These viruses contain only one macro in infected documents - AutoOpen, but while infecting the system they copy it to three macros - AutoOpen, AutoNew and AutoClose. As a result, the virus infects the system on opening an infected document, and infects the documents that are opened, created or closed.
On 13th of any month "TWNO.a" displays and inserts into current document the messages in Chinese and:
NO.1 Macro Virus

On 25th of any month "TWNO.b" deletes the files C:DOS*.*, C:WINDOWS*.INI, renames menus, displays the messages in Chinese and:
MERRY CHRISTMAS

On 15th of any month this virus deletes the files: C:COMMAND.COM, C:AUTOEXEC.BAT, C:CONFIG.SYS, C:MSDOS.SYS, C:IO.SYS
"TWNO.c" on created a new documet insert the text string:
A monkey has controlled your Word!!!

Home