Cascade.1491
Description Cascade.1491
This is a memory resident virus. Its body except for the beginning (first 32 bytes) is encoded. As a key the length of the infected file is used. That is why two strains of the same virus in most cases will coincide only in the first 32 bytes.
As an infected program is executed, the control of the JMP command is transferred to the beginning of the virus. By first commands the virus determines the length of the source file and deciphers its body.
On creating its memory-resident copy the virus:
copies its body into the highest addresses of the memory;
moves the body of the main program into the highest addresses of the memory;
moves the virus body into cleared area above the main program body;
sets INT 1Ch, 21h, 28h to its own copy.
ƒ all ƒ ƒ ... ƒ ƒ ... ƒ ƒ ... ƒ
+---------ƒ +---------ƒ +---------ƒ +---------ƒ
ƒProgram ƒ ƒProgram ƒ--+ ƒFree ƒ +-->ƒVirus ƒ
ƒ ƒ ƒ ƒ ƒ ƒmemory ƒ ƒ ƒ ƒ
ƒ ƒ ƒ ƒ ƒ +---------ƒ ƒ +---------ƒ
+---------ƒ +---------ƒ +-->ƒProgram ƒ ƒ ƒProgram ƒ
ƒVirus ƒ--+ ƒVirus ƒ ƒ ƒ ƒ ƒ ƒ
ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ ƒ
+---------ƒ ƒ +---------ƒ +---------ƒ ƒ +---------ƒ
ƒ ... ƒ +-->ƒVirus ƒ ƒVirus ƒ--+ ƒ ... ƒ
ƒ(copy) ƒ ƒ ƒ
+---------ƒ +---------ƒ
ƒ ... ƒ ƒ ... ƒ
The virus affects only COM files as it's loaded into the memory for execution. Infection is carried out by standard method. Most widely spread versions of this virus does not reinfect files.
The virus changes interrupt vectors 1Ch, 21h and 28h. It also produces a specific video-effect: crumbling down of letters on the screen; does not have destructive functions.
Sometimes it displays the message:
IL SISTEMA è FOTTUTO!!
S.E.K. VIRUS Made in ITALY RM
5iD G.Ferraris 90/91 (c)
Then it erases the disk sectors. It also deletes CHKLIST.CPS file.
Check other viruses! Be aware! Use Antiviral Software
NewAids.1041
Description NewAids.1041
It is a very dangerous nonmemory resident parasitic encrypted virus. It searches for COM files and writes itself to the end of the file. It displays the message:
I am the NEW AIDS Virus and your PC is InFeCtEd
I'm sorryall
and overwrites the boot sectors of the floppy disks with a program that displays:
This is the right way to let viruses spread up !
Next time be CAREFULL!!
The virus also contains the text strings:
*.COM PATH=
-Killed
Newgen.1054
Description Newgen.1054
It is not a dangerous nonmemory resident encrypted virus. It searches for .COM files and writes itself to the end of the file. Sometimes it displays:
New Generation Virus 1.0ß by NET CRASHER,
a PROUD member in HYPER. This message appears in a generation
that is devided by 20. Please don't remove this virus, it
Was created for research purpose only.
Get a Life !
|