Changsha
Description Changsha
It's a memory resident dangerous multipartite virus. It writes itself at the and of .COM- and .EXE-files and into MBR of hard drive. The hard drive is infected as the infected file is executed. Then the virus hooks INT 08h, 13h, 21h and infects the executable files except CO*.* and IB*.* files. On May, 4th it erased the files instead of infection, then it decrypts and types the message:
XqR:
Wherever, I love you Forever and ever !
The beautiful memory for ours in that
summer time has been recorded in the Com-
puter history.
Bon voyage, My dear XqR !
Yours 05121991 in our Home.
It also contains the internal text strings:
Welcome!
Auto-Copy Deluxe R3.00
(C)Copyright 1991. Mr. YaQi. Changsha China
No one can Beyond me!
New Century of Computer Now!
Check other viruses! Be aware! Use Antiviral Software
Linux.Satyr.a
Description Linux.Satyr.a
This is a harmless non-memory resident parasitic Linux virus. The virus is a Linux executable module (ELF file). It searches for other ELF files in the system, and then infects them. The virus infects files in the following directories:
current directory
parent directory
~/ (user root directory)
~/bin (user /bin directory)
~/sbin (user /sbin directory)
/bin
/sbin
/usr/bin
/usr/local/bin
/usr/bin/X11
While infecting, the virus moves a victim's file contents down, and writes itself to the file header. To release control to the host file, the virus "disinfects" it to a temporary file and executes it.
The virus does not manifest itself in any way. Its body contains the "copyright" text string:
unix.satyr version 1.0 (c)oded jan-2001 by Shitdown [MIONS], http://shitdown.sf.cz
Linux.Vit.4096
Description Linux.Vit.4096
This is a nonmemory resident parasitic virus. The virus has the internal ELF format, replicates under Linux OS and infects Linux executable files. This is the second known Linux virus, the first being "Linux.Bliss".
Linux is a access-protected system; i.e., users and programs may access only files that they have permission to. The same is true for a virus - it may infect only the files and directories that are declared as "write-able" for the current username. If the current username has total access (system administrator), the virus will infect all the files on a computer.
When an infected file is executed, the virus takes control, searches for executable ELF files in the current directory and infects them into the middle. While infecting, the virus analyzes the internal file formats (ELF headers), locates the first code section, makes a "cave" by shifting this and the following sections down by 4096 bytes, writes its code to this "cave," modifies the file entry address and corrects necessary fields in the ELF headers.
Clean file: Infected file:
+---------------+ +---------------+
| ELF Headers |--+ | ELF Headers |--+
| | | | | |
|---------------| | |---------------|<-+ virus entry
| Section 1 |<-+ entry +-| Virus | address
| | address | | - - - - - - - |
|---------------| +>| Section 1 |
| Section 2 | | |
|---------------| |---------------|
. . . | Section 2 |
|---------------| |---------------|
| Section n | . . .
+---------------+ |---------------|
| Section n |
+---------------+
The virus looks for duplicate infection and prevents it, and, in addition, the virus infects files quite accurately: in tests, not all infected files were corrupted, and the virus was able to replicate itself from them.
While infecting, the virus uses the temporary VI324.TMP file. This file name was the reason behind the selecting of the virus name(VIxxx.Txx).
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
Properties For Sale In Natal
System Fresh
Sri Lankan Homes
Asthma Causes Symptoms Treatment
Car Loan
|