Virus Database

Chips.877

Description Chips.877

Chips.877 is a very dangerous not memory resident parasitic virus. It searches for .COM-files and writes itself to their beginnings. It saves (file_length-1) bytes of file upon infection, it will hang up the computer. Sometimes this infector erases the disk sectors by string "chipshit!!?" and types:
Hej! Tu wirus Chipshit! Co sie stalo z Twoim dyskiem ?

Check other viruses! Be aware! Use Antiviral Software

Fatty.3008

Description Fatty.3008

It is a very dangerous memory resident multipartite virus. It affects .COM and .EXE files as well as the MBR of the hard drive and boot sectors of the C: drive and floppy disks. While infecting .EXE files the virus may corrupt them.
When an infected file is executed, the virus infects the MBR and the boot sector of C: drive, hooks INT 8, 9, 13h, 17h, 21h and stays memory resident. While loading from infected disk the virus hooks the same vectors except INT 9, 21h, waits for DOS loading process and hooks INT 9, 21h.
By hooking INT 21h the virus infects .COM and .EXE files that are created and then closed, as a result the virus avoids CRC checkers. INT 13h hook is used for stealth and floppy disk infection. INT 8 hook is used to hook INT 9, 21h while installing from infected disk and for trigger routines. INT 17h is used for "Are you here?" call while installing memory resident.
Trigger routines: by hooking INT 9 the virus depending on its random counter either "skips" one key, or stuffs random key into keyboard buffer. Depending on its counter (INT 8) the virus also stuffs some sequence of keys to the keyboard buffer. Depending on the system date the virus modifies some data on disk (erases data?).
The virus contains the text strings:
XFATTY by SULPH (c)97
*Manufactured in Vsetin (CZ)
*THANX to Grisoft & Borland
*BIG KISS to my GIRL
*Have FUN, see YA!!X
.COM.EXE

Fault.9209

Description Fault.9209

It is a dangerous memory resident parasitic virus. While executing an infected file the virus checks the processor number and mode, and returns to the host program if the processor is not i386 or better, or the system is not in the real mode. If the processor is in real mode, the virus copies itself to the XMS memory and to the block of conventional memory, switches the processor to protect mode, and stays memory resident. Staring from that moment the DOS is working in V86 mode.
The memory resident virus consists of two copies. The first TSR copy is placed in conventional memory, and installation procedure of that code looks as installation procedure of "Jerusalem" viruses. This copy does not hook any interrupt vectors, but is hot hidden in the system memory in any way - the corresponding block is visible by using any memory browser. The virus uses that copy to infect the files, and calls it from the second TSR copy.
The second virus TSR copy is placed in XMS memory. As a supervisor it hooks all interrupts calls, and on INT 21h calls FindFirst/Next FCB (AH=11h, 12h) calls the first virus TSR copy (DOS copy) to infect the EXE files that are accessed.
The virus has the bugs and halts the system in lot of cases. If a program is performing a function that is not i8086 specific, the virus displays one of the messages and halts the system:
General Protection Fault. Halting system!
Unimplemented Fault. Halting system!

Home