Virus Database

Carbuncle.622

Description Carbuncle.622

Carbuncle is a dangerous memory resident companion virus. It is the COM file 622 bytes of length. On execution it checks the system time, depending on current seconds value it either jumps to infection routine or calls the trigger function. In infection routine the virus creates the file CARBUNCL.COM with the READONLY and HIDDEN attributes and writes itself (622 bytes) into that file. If this file is present, the virus overwrites it if this file is not a READONLY one. If this file is READONLY, the virus tries to create and overwrite it but fails because it doesn't check/clear the file attributes.
Then the virus searches for EXE files by using DOS functions FindFirst/FindNext and the mask "*.exe" and infects them. On infection this virus renames the EXE file to CRP and creates the batch companion file with the name of the infected program and BAT extension. As the result, after infection of one EXE file there are two files with the same name and CRP and BAT extensions. Of course, CARBUNCL.COM is in the same directory also.
The companion batch file contains six lines of DOS commands. If the file FILENAME.EXE was infected, the companion FILENAME.BAT contains these lines:
@ECHO OFF
CARBUNCL
RENAME FILENAME.CRP FILENAME.EXE
FILENAME.EXE
RENAME FILENAME.EXE FILENAME.CRP
CARBUNCL

If the user tries to execute some EXE program, it types the name of it and DOS searches for the corresponded file as it showed above. This EXE is absent because it was renamed to CRP, and DOS will execute BAT file, i.e. companion BAT virus.
On the first line of this BAT the virus disables DOS echoes, this is for more invisibility. The instruction of the second line calls the main virus body from CARBUNCL.COM file, the virus searches for not infected files and hits them. The lines from third till fifth force DOS to execute the infected EXE that is hidden by CRP extension. This file is renamed to EXE extension, then it is executed as EXE and then it is renamed back to CRP. And as the last action the BAT file executes the COM virus again.
If the current seconds value of system times is lesser or equals than 16, the virus calls trigger subroutine. This code searches for five first CRP files and overwrites them by the virus body. As the result these files are not recoverable and should be deleted. In another case they will spread the virus on execution.
The virus contains the internal text strings which are in use on searching for not infected files and on creating BAT companion:
*.crp
CARBUNCL.COM
BAT*.exe
CRP
@ECHO OFF
CARBUNCL
RENAME

It also contains the 'copyright' string:
PC CARBUNCLE: Crypt Newsletter 14

Check other viruses! Be aware! Use Antiviral Software

DirVirus.760

Description DirVirus.760

This is a memory-resident dangerous parasitic virus. It hooks INT 21h and infects COM files upon calling the functions FindFirst and FindNext FCB (these functions are used by the DIR command, that gave the name to the virus). The virus appends itself to the end of files, altering 6 bytes at their beginning (PUSH Loc_Virus; RET). This infector removes and does not restore the "read-only" attribute, set the file creation time to 60 sec. Sometimes it erases the FAT.
"DirVirus.760" contains the internal text strings:
COMMAND.COM
SBK (C) 1989 Varna. All rights reserved.
MANOWAR

Dis.1024

Description Dis.1024

It's a dangerous memory resident parasitic encrypted virus. It hooks INT 21h and writes itself to the end of EXE-files that are executed. Depending on the system timer it erases disk sectors and displays the message:
***The Heaven Version 3.0 (C)Copyright 1993 DiS co.***
***If you can read this , you don't need glasses!***

Home