Virus Database

Cascade.1491

Description Cascade.1491

This is a memory resident virus. Its body except for the beginning (first 32 bytes) is encoded. As a key the length of the infected file is used. That is why two strains of the same virus in most cases will coincide only in the first 32 bytes.
As an infected program is executed, the control of the JMP command is transferred to the beginning of the virus. By first commands the virus determines the length of the source file and deciphers its body.
On creating its memory-resident copy the virus:
copies its body into the highest addresses of the memory;
moves the body of the main program into the highest addresses of the memory;
moves the virus body into cleared area above the main program body;
sets INT 1Ch, 21h, 28h to its own copy.
ƒ all ƒ ƒ ... ƒ ƒ ... ƒ ƒ ... ƒ
+---------ƒ +---------ƒ +---------ƒ +---------ƒ
ƒProgram ƒ ƒProgram ƒ--+ ƒFree ƒ +-->ƒVirus ƒ
ƒ ƒ ƒ ƒ ƒ ƒmemory ƒ ƒ ƒ ƒ
ƒ ƒ ƒ ƒ ƒ +---------ƒ ƒ +---------ƒ
+---------ƒ +---------ƒ +-->ƒProgram ƒ ƒ ƒProgram ƒ
ƒVirus ƒ--+ ƒVirus ƒ ƒ ƒ ƒ ƒ ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---------ƒ ƒ +---------ƒ +---------ƒ ƒ +---------ƒ
ƒ ... ƒ +-->ƒVirus ƒ ƒVirus ƒ--+ ƒ ... ƒ
ƒ(copy) ƒ ƒ ƒ
+---------ƒ +---------ƒ
ƒ ... ƒ ƒ ... ƒ

The virus affects only COM files as it's loaded into the memory for execution. Infection is carried out by standard method. Most widely spread versions of this virus does not reinfect files.
The virus changes interrupt vectors 1Ch, 21h and 28h. It also produces a specific video-effect: crumbling down of letters on the screen; does not have destructive functions.
Sometimes it displays the message:
IL SISTEMA è FOTTUTO!!
S.E.K. VIRUS Made in ITALY RM
5iD G.Ferraris 90/91 (c)
Then it erases the disk sectors. It also deletes CHKLIST.CPS file.

Check other viruses! Be aware! Use Antiviral Software

Amuck.3184.a

Description Amuck.3184.a

It is a very dangerous memory resident partly encrypted parasitic virus. It hooks INT 21h and then writes itself to the end of COM and EXE files that are accessed by FindFirst/Next DOS functions. Before return to the host program the virus infects the C:COMMAND.COM file.
The virus erases the files SMARTCHK.CPS, CHKLIST.CPS and CHKLIST.MS. Depending on the system date the virus erases the hard drive sectors or hooks INT 10h and cancels switching to some video modes. Depending on its counters the virus displays the message:
Please do not restart the computer,
because I do not want to kill myself.
You do understand this, don't you?
Make sure your fingers are away from the computer.
Mistakes are terrible.
Searching:

then searches for BAT, PAS, PRG, CPP, DOC, GIF, PAK, DAT, BAK, DBF, C, SYS, WPS and INI files on disks from C: till Z: and overwrites them with the message:
Don't look at me! I am killed and eaten.

Then the virus displays the message and reboots the computer:
Thank you for having waited so long.
Thank you for the decilious food.
Now, I am going to have a long sleep.
GOOD-BYE! My friend

In some cases the virus erases the hard drive sectors and displays the message:
Ha! Ha!
Be proud of your clever action!
I am amuck when I am in hunger!
It is you who have killed me and killed yourself!
YOUR LUCK IS OVER!

Amz family

Description Amz family

These are dangerous non-memory resident viruses. They search for COM and EXE files, and write themselves at their ends. The viruses alter the first 13h bytes of a COM file with the commands to jump to the virus body. These viruses contain the word "AMZ". They erase the FAT sectors of the logical drives from A: to Z: (if they are present):
"Amz.600" - operates if the day of the week corresponds to the day of the month
"Amz.789" - on September 24th from 0:00 till 7:00 am
"Amz.801" - on February 13th at 13:00
"Amz.1100" - on March 1st and September 13th at 10:00

"Amz.682" is benign, and it displays: "-Zero-". "Amz.1100" erases CMOS and creates the BOPS-BOP.S file.

Home