Virus Database

Cholera Family

Description Cholera Family

These are dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the end of .COM- and .EXE-files that are executed. They infect some files incorrectly, these files halt the system on execution. Depending on the system time these viruses also hook INT 08h and delay on each timer tick. They contain the internal text strings:
"Cholera.a": Cholera v1.0 by dr Hellraiser 94-02-03
"Cholera.b": Cholera v2.0 by dr Fleischman 93-12-29

Check other viruses! Be aware! Use Antiviral Software

Sayha.4000

Description Sayha.4000

It is not a dangerous(?) memory resident parasitic encrypted virus. It hooks INT 16h, 21h and writes itself to the end of COM and EXE files that are accessed. It contains the text string:
SW Error V2f Sayha Watpu

and displays the message:
Sayha Watru

SayNay Family

Description SayNay Family

These are not dangerous nonmemory resident parasitic viruses. They search for .COM files, then write themselves to the end of the file.
These viruses drop their source assembler code into ASM file. To do that the viruses contain this source code in their bodies in encrypted form, and that is why the length of the virus is more than 5K.
To drop that code the virus checks the command line for "NAY" argument. If that argument is found, the virus displays the message:
Magic! ;)

and creates the SAYNAY.ASM and SAYNAY.BAT files. Then the virus writes the source code to the SAYNAY.ASM file, and writes the strings:
TAsm /M2 SayNay.Asm
TLink /T SayNay.Obj
Copy /B SayNay.Com+SayNay.Asm

to the SAYNAY.BAT file. As a result there are two files - the former contains virus' source texts, and the letter contains instructions how to compile the source text and build the virus. Being executed BAT file runs Assembler and Linker to make the "intermediate" virus code that contains the binary code, but not the source text. Then the virus appends the source text to binary code by COPY command, and the result file contains the virus with its source text in not encrypted form. Being executed the virus encrypts that source text, searches and infects .COM files.

Home