Virus Database


Cordobes.3294

Description Cordobes.3294

These are dangerous memory-resident parasitic polymorphic viruses. They hook INT 21h, intercept FindFirst/Next ASCII calls (AH=4Eh,4Fh) and write themselves to the end of EXE files that are accessed. The viruses delete the CHKLIST.MS file. Four months after infection, the viruses append the following commands to the end of the C:\AUTOEXEC.BAT file:
@Echo Virus "EL MOSTRO CORDOBES".
@Echo No tema por sus datos. Que pase un buen día.
@Echo.
@Pause


Bat.Naive.4894

Description Bat.Naive.4894

Bat.Naive.4894 is a non-dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself at the beginning of .BAT files. An infected file looks as follows (the strings between '[' and ']' are comments):
@rem NAIVE
@if exist naive.* goto naive
@if "%range_check%=="yes goto naive
@echo>naive.com [ binary data1 ]
@naive.com
@if not errorlevel 33 goto superwork
@del>nul naive.com
@goto naive
:superwork
@echo>naive.com [ binary data2 ]
@echo>naive.dat [ ASCII text ]
@echo>>naive.dat [ ASCII text ]
@echo>>naive.dat [ ASCII text ]
[ repeated all ]
@echo>>naive.dat
@naive.comnaive.exe
@del>nul naive.com
@del>nul naive.dat
@naive.exe>nul
@del>nul naive.exe
@set range_check=yes
:naive
[ original BAT-file ]

"binary data1" contains the code of the "Are you here?" call, "binary data2" contains the ASCII-to-BIN decoder, and "ASCII text" contains the code of the virus converted to ASCII text.
When such a file is executed, the virus receives control. It checks the ENVIRONMENT area for the RANGE_CHECK=YES string and returns if it is set. Then the virus creates the NAIVE.COM file, writes the "Are you here?" instructions into it, executes that file and checks the resulting ERRORLEVEL value.
The NAIVE.COM file contains only the INT 21h call with AH=F6h. If a memory-resident copy of the virus already exists in memory, it returns the value 12345678h in the CX:DX registers, and NAIVE.COM exits with ERRORLEVEL=33. If there is no TSR virus copy, NAIVE.COM exits with ERRORLEVEL=32.
If the virus is already installed, the commands of the BAT file delete the NAIVE.COM file and pass control to the original text. Otherwise the virus creates two files: NAIVE.DAT and NAIVE.COM (the virus overwrites the previous NAIVE.COM file). The virus writes the ASCII-to-BIN decoder into the COM file and the ASCII data into the DAT file. Then the virus executes the command:
@naive.comnaive.exe

that creates the NAIVE.EXE file, reads the ASCII data from the NAIVE.DAT file, decodes it to binary instructions, and writes them into the NAIVE.EXE file.
After that conversion the virus deletes the NAIVE.COM and NAIVE.DAT files and executes the NAIVE.EXE file. That file installs the virus memory resident and returns to the BAT file. After installation the virus deletes the NAIVE.EXE file, defines the ENVIRONMENT string RANGE_CHECK=YES, and passes control to the original BAT file commands.
When executed, the NAIVE.EXE file performs the same "Are you here?" call as described above. If a TSR copy is already installed, the virus returns with an INT 20h call. If there is no TSR copy, the virus checks its internal "generation" counter and tries to display a message in Russian, but fails because the virus never increases that counter, and fails a second time because all messages are redirected to the NUL device:
@naive.exe>nul

Then the virus hooks INT 21h with the Get/SetVector DOS functions and leaves its TSR copy with the Terminate and Stay Resident INT 27h call.
The INT 21h handler intercepts the "Are you here?" AH=F6h function (the virus returns CX:DX=12345678h) and the ChangeDir AH=3Bh function. On ChangeDir calls the virus searches for uninfected .BAT files, shifts their contents down by 4894 bytes, and writes the BAT instructions listed above at their beginning. Then the virus encodes itself into ASCII text and writes that text there as well.
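
The prefix layout described above gives a defender a simple structural check. The following is an added example, not code from the original page: it looks for the listed marker lines in order at the start of a .BAT file and returns the commands that follow the ":naive" label. The names scan_bat and make_sample are hypothetical, and the sample input is constructed with inert filler in place of the virus data.

```python
# Marker lines the description lists in the prepended block, in order.
# Compared in lower case because DOS batch commands are case-insensitive.
MARKERS = [
    b"@rem naive",
    b"@if exist naive.* goto naive",
    b"@echo>naive.com",
    b"@set range_check=yes",
    b":naive",
]
PREFIX_LEN = 4894  # size of the prepended block according to the description


def scan_bat(data: bytes) -> dict:
    """Detect the prefix and return the original commands found after it."""
    pos = offset = 0
    for i, line in enumerate(data.splitlines(keepends=True)):
        offset += len(line)
        if line.strip().lower().startswith(MARKERS[pos]):
            pos += 1
            if pos == len(MARKERS):  # reached the closing ":naive" label
                return {"infected": True, "prefix_len": offset,
                        "size_matches": offset == PREFIX_LEN,
                        "original": data[offset:]}
        elif i == 0:
            break  # the prefix is written at the very beginning of the file
    return {"infected": False, "prefix_len": 0,
            "size_matches": False, "original": data}


def make_sample(original: bytes) -> bytes:
    """Constructed test input: marker lines plus inert filler, 4894 bytes long."""
    head = (b"@rem NAIVE\r\n@if exist naive.* goto naive\r\n"
            b"@echo>naive.com FILLER\r\n@echo>naive.dat ")
    tail = b"\r\n@set range_check=yes\r\n:naive\r\n"
    pad = b"X" * (PREFIX_LEN - len(head) - len(tail))
    return head + pad + tail + original


if __name__ == "__main__":
    result = scan_bat(make_sample(b"@echo off\r\ndir\r\n"))
    print(result["infected"], result["prefix_len"], result["original"])
```

A prefix_len other than 4894 on a file that still matches all markers deserves manual review before the recovered body is written back.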

BAT.PG94

Description BAT.PG94

It is a harmless non-memory-resident parasitic BAT virus. It searches for BAT files and writes itself to the beginning of each file. While infecting a file, the virus creates a temporary #PG94.~ file in the DOS directory, and fails to infect if there is no such directory on the current drive. The virus also uses the FIND utility, and fails to infect files if that utility is not in the PATH.
The virus contains the text:
Ha ha ha! Cybrphuc '94

    Copyright © 2005 Virus-Database.com