CmosDead family
Description CmosDead family
These are very dangerous memory-resident, parasitic, polymorphic stealth viruses. They trace and hook INT 21h, stay memory resident and then write themselves to the end of COM and EXE files that are accessed. The viruses do not infect anti-virus programs and several utilities: AVG SYS SCAN CLEAN WIN TBAV PROT GUARD VS 286 386 DSK
When CHKDSK is run, the viruses disable their stealth routines. In some cases, when one of the programs listed above is executed, the viruses display the following message and block its execution: I don't like this program !
The viruses use anti-debugging tricks. Under a debugger they display the following message and halt the computer: BE CAREFUL !
Depending on their internal counters, the viruses hook INT 9 (keyboard), corrupt the CMOS, display the message: GRISOFT(c) SOFTWARE 1989,96
and manifest themselves with a video effect. If Ctrl-Alt-Del is pressed during the effect, the viruses call the BIOS disk-formatting routine. In some cases the viruses call the same effect routine and then overwrite the MBR of the hard drive with a program that displays the following on booting: CMOS-DEAD: DATA DESTROYED !
The viruses also contain the text string: Hello Mr. Odehnal !
as well as: "Odehnal.4792": EXECOM12/19/91 "Odehnal.5154": EXECOM06/12/95
Civil.6656.a
Description Civil.6656.a
It is a very dangerous memory-resident virus. It infects EXE files and the MBR of the hard disk in a standard way. The MBR is infected when an infected file is started. The virus saves part of itself and the MBR sector at location 0/0/2 (track/head/sector). The virus installs itself in memory when the system boots from an infected disk. After that it infects files only. The virus hooks INT 8, 9, 11h, 17h and 21h and manifests itself in many ways: it formats disks, displays texts in Russian and in English (some of them rude), prints some strings and plays music. It contains the strings: CIVIL DEFENSE VIRUS VER 1.1 Formating disc c: complete. Format another ? (y/n) Hard disk 1 formated. All your data lost. How are you feel now ? Press any key
CivilWar.Antidaf.561
Description CivilWar.Antidaf.561
It is a very dangerous, non-memory-resident, encrypted parasitic infector. It searches for .COM files and infects them in a standard manner. On every Monday in November it displays the following message and erases the FAT sectors of the current drive: The Anti-DAF virus DAF-TRUCKS Eindhoven Hugo vd Goeslaan 1 Postbus 90063 5600 PR Eindhoven, The Netherlands DAF sucksall (c) 1992 Dark Helmet & The Virus Research Centre