Virus Database


Caesar

Description Caesar

This is a harmless, non-memory-resident, encrypted parasitic DOS virus. It infects DOS EXE files and creates its "dropper" in the C:\WINDOWS directory.
When an infected file is run, the virus creates the infected CAESAR.EXE file (the virus dropper) in the C:\WINDOWS directory and overwrites the WINSTART.BAT file with an instruction that runs the virus dropper. As a result, the virus dropper is activated each time Windows is started up. The virus then returns control to the host program and does not infect any other files.
When the virus dropper takes control, it searches for *.EXE files on all drives and infects them. While infecting, it writes itself to the end of the file. The virus checks file names and avoids infecting the following files:
AN*, AD*, DR*, PR*, NC*, WI*
Because of its method of infection, the virus is functional only when Windows is installed exactly in the C:\WINDOWS directory.


Dnepr.377

Description Dnepr.377

This is a non-dangerous memory-resident parasitic virus. It copies itself into the Interrupt Vector Table, hooks INT 1Ch and 21h, and writes itself to the end of COM files that are executed. Depending on its internal counter, the virus displays the message:
DNEPR-CHAMPION

Dodgy

Description Dodgy

This is a very dangerous memory-resident stealth boot virus. It occupies two sectors, so the virus length is 1024 (400h) bytes. It infects the MBR of the hard drive and the boot sector of floppy disks. While infecting the hard drive, the virus saves the original MBR sector and the rest of its code to the sectors on the first track/zero head starting from sector 14. Usually that space is not occupied by any programs or data. While infecting floppy disks, the virus saves the original boot sector and its code to the last sectors of the root directory.
While loading from an infected disk, the virus decreases the size of system memory by using the word at address 0:0413h, copies itself there, hooks INT 8, 13h, 40h and calls the bootstrap loader (reboots the system). Being already installed, the virus runs its stealth engine. As a result, the bootstrap loader reads the original boot/MBR sector instead of the infected one, so the virus code does not receive control and the virus does not install itself twice in system memory. While installing, the virus also accesses the MBR of the hard drive; the virus INT 13h handler intercepts that call and infects the MBR if it is not infected yet.
While infecting the MBR, the virus uses several tricks to avoid detection by BIOS anti-virus protection: it modifies the necessary fields in the CMOS and stuffs the 'Y' key into the keyboard buffer before writing to the MBR.
The virus uses its INT 13h and 40h hooks to run its infection and stealth routines when floppy disks and the hard drive are read or written. By hooking INT 8 (timer), the virus intercepts the DOS loading process: it looks at the low memory area and scans it for the text "PEC=", which is the tail of the "COMSPEC=" string placed in DOS program environment blocks. If this string is found, the virus hooks the DOS interrupts INT 21h and 2Fh, increases (i.e. restores) the size of system memory (the word at address 0:0413h) and disables its INT 8 handler.
By hooking INT 21h, the virus intercepts program execution and checks program names. If a program with the name RAV* is executed, the virus calls its trigger routine (see below). The virus does not call this trigger routine under Windows; in that case it runs the routine when Windows is exiting (the virus intercepts this through its INT 2Fh hook).
By hooking INT 2Fh, the virus intercepts Windows installation, gets the Windows directory and deletes SYSTEM\IOSUBSYS\HSFLOP.PDR there. When Windows exits, the virus jumps to its trigger routine if a RAV* file was executed during the Windows session.
Three months after infecting a disk, the virus manifests itself through a trigger routine: it switches the computer to graphics video mode, displays a message, disables the keyboard and erases sectors on the hard drive. The message is:
RAVage is wiping data! RP&muRphy
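
The Dodgy description says the virus stashes the original MBR and the rest of its code on track 0, head 0, starting at sector 14, space that is normally unused. The following check over a raw disk image is an added example, not code from this database: it assumes 512-byte sectors and a legacy MBR-partitioned disk, the function names are hypothetical, and the two-sector window is an assumption derived from the 1024-byte length given above.

```python
SECTOR = 512
FIRST_STASH_LBA = 13  # CHS cylinder 0, head 0, sector 14 (CHS sectors are 1-based)
STASH_SECTORS = 2     # assumption: saved MBR + second half of the 1024-byte virus


def read_sector(image, lba):
    """Return one sector of a raw disk image (bytes), possibly short at EOF."""
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def check_track0(image):
    """List findings in the normally empty track-0 area described for Dodgy."""
    # GPT disks keep their partition table in LBA 1-33, so data there is normal.
    if read_sector(image, 1)[:8] == b"EFI PART":
        return ["gpt disk: track-0 heuristic not applicable"]
    findings = []
    for lba in range(FIRST_STASH_LBA, FIRST_STASH_LBA + STASH_SECTORS):
        data = read_sector(image, lba)
        if len(data) < SECTOR or not any(data):
            continue  # missing or all-zero sector: nothing stashed here
        findings.append(f"non-empty sector at LBA {lba} (CHS 0/0/{lba + 1})")
        # A second sector ending in 55 AA on track 0 looks like a relocated MBR.
        if data[510:512] == b"\x55\xaa":
            findings.append(f"boot signature 55AA at LBA {lba}: possible saved MBR")
    return findings


def build_image(stash=False):
    """Constructed sample: 63-sector track 0 with an MBR signature at LBA 0."""
    img = bytearray(63 * SECTOR)
    img[510:512] = b"\x55\xaa"
    if stash:
        base = FIRST_STASH_LBA * SECTOR
        img[base + 446] = 0x80                   # constructed partition entry flag
        img[base + 510:base + 512] = b"\x55\xaa"  # constructed MBR copy
        nxt = (FIRST_STASH_LBA + 1) * SECTOR
        img[nxt:nxt + 4] = b"\x90\x90\x90\x90"   # constructed filler, not virus code
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("clean", build_image()), ("stash", build_image(True))):
        print(name, check_track0(img) or "no findings")
```

A finding here is only an indicator: some boot managers and disk utilities also use the gap before the first partition, so a hit needs manual review of the MBR itself.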

    Copyright © 2005 Virus-Database.com