Virus Database

Changsha

Description Changsha

It's a memory resident dangerous multipartite virus. It writes itself at the and of .COM- and .EXE-files and into MBR of hard drive. The hard drive is infected as the infected file is executed. Then the virus hooks INT 08h, 13h, 21h and infects the executable files except CO*.* and IB*.* files. On May, 4th it erased the files instead of infection, then it decrypts and types the message:
XqR:
Wherever, I love you Forever and ever !
The beautiful memory for ours in that
summer time has been recorded in the Com-
puter history.
Bon voyage, My dear XqR !
Yours 05121991 in our Home.

It also contains the internal text strings:
Welcome!
Auto-Copy Deluxe R3.00
(C)Copyright 1991. Mr. YaQi. Changsha China
No one can Beyond me!
New Century of Computer Now!

Check other viruses! Be aware! Use Antiviral Software

Drepo.2461

Description Drepo.2461

These are not dangerous memory resident encrypted parasitic viruses. While executing an infected EXE file the virus reads the root directory of C: drive by using INT 25h direct read call, searches there for the "COMMAND COM" string in the read buffer, replaces that string with "COMMAND LOM", clears the file attribute field, and saves the result to the disk by using direct write INT 26h call. Then the virus opens the C:COMMAND.LOM file (ex-COMMAND.COM), encrypts and writes itself to the end of the file to the COMMAND.COM stack area (the file length does not grow, see "Lehigh"), and then overwrites the file entry point (the code that is pointed by JMP instruction at the file beginning) with 2Eh bytes of a decryption routine. Then the virus restores the original contents of the root directory (also by using INT 26h call) and returns the control to the host EXE file. I see that such complex way to infect the file is to avoid memory resident anti-virus monitors.
While executing the infected COMMAND.COM the virus hooks INT 21h, stays memory resident and writes itself to the end of EXE files that are opened or closed. When the archivator ARJ.EXE or RAR.EXE is executed, the virus reserves an extra block of the memory to infect the files that are compressed or extracted from an archive.
The virus also hooks INT 9 (keyboard) and two month after infecting a system, depending on the keys that are pressed, it beeps by the PC speaker.
The virus contains the text strings:
ARJ.EXE RAR.EXE
C:COMMAND COM
Pod na jedno DREPO!
Shareware version.
Do not forget to register!

Drizzle.1600

Description Drizzle.1600

It is a dangerous memory resident parasitic virus. It hooks INT 16h, 21h and writes itself to the end of .COM files (except COMMAND.COM) that are executed. The virus runs a counter in the MBR of the hard drive and increases this counter on each installation into the memory and on each infection. When counter reaches 400h (1024) the virus corrupts the MBR code, and it will halt the system on next booting. When this counter reaches 256, the virus starts to change keys that are entered (INT 16h) and delays on any keystroke. The virus contains the only text string:
COMMAND.COM

Home