Virus Database

Crusade.3072

Description Crusade.3072

Crusade.3072 is a not dangerous memory resident multipartite stealth virus. While executing of infected file the virus traces INT 13h, infects MBR of the hard drive, then it hooks INT 21h and writes itself to the end of COM- and EXE-files that are accessed. The virus does not infect the file it the file name contains the symbols:
MM ID SC RG WE VI AD

While loading from infected MBR the virus also hooks INT 13h (stealth routine) and INT 1Ch (trigger routine). The trigger routine is executed in 5 hours after booting from infected hard drive. That routine decrypts and displays the message:
+--------------------+
¦ LIVE `N` LET LIVE! ¦
+--------------------+

The virus also contains the encrypted text string:
Take care of soft war or Last Crusade.

Check other viruses! Be aware! Use Antiviral Software

TCE.Chaos-AD.3375

Description TCE.Chaos-AD.3375

It is not a dangerous memory resident stealth parasitic virus. While installing the virus performs several unusual actions. First, it gets the address of original INT 21h handler: the virus hooks INT 2Ah, calls INT 21h, then original DOS INT 21h handler calls INT 2Ah (from DOS kernel), the virus receives control, get the address of instruction that calls INT 2Ah, and searches for INT 21h code in that area. Then the virus allocates the system memory (conventional or UMB), stores itself into there, copies a part of its code into the BIOS data area (0000:04B0), and sets INT 21h address to that code. As the result INT 21h address points not to virus code, but to BIOS data area. That code checks presence of a debugger, and passes the control to the virus only if there is no debugger.
Being installed into the system memory the virus writes itself to the end of COM and EXE files that are accessed. While opening an infected file the virus disinfects it, the virus does not disinfect the file if it is opened by archiving utility (see the list below). The virus also pays attention to several disk checking utilities, and disables the part of stealth routine if they are executing, the virus also check the file name and does not infect COMMAND.COM and several anti-virus programs. The list of anti-viruses, disk checking and anti-virus utilities contains two bytes per each of the names, and looks as follows:
anti-viruses: COF-AV-VTBVI00VB
disk checking: CHSCDENDSPPR
archivers: ARPKRAUCLHZIUUIV
The virus also deletes anti-virus database files: CHKLIST.MS, CHKLIST.CPS, ANTI-VIR.DAT.
The 64th generation of the virus hooks INT 9, 2Fh and some time after installation displays the message:
- [CHAOS-AD] - CODED BY SEPULTURA - AUSTRALIA - 1995 -
-=> LIVING-IN-A-DYING-AGE-PERSECUTE-THE-HUMAN-RACE <=-
REFUSE
RESIST
RELOVE
REMATE
SUFFER
REHATE
REJECT
PROGRESS
PROCESS
PROTEST
NO REST
TCE seems to be the next polymorphic generator. The code of that generator contains the text string:
[TCE-0.4]

Tchantches.3303

Description Tchantches.3303

It is a memory resident parasitic encrypted virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. Sometimes it displays a picture and starts a dialogue with the user, in several cases it reads/writes sectors from/to hard drive. The picture is:
TCHANTCHES démineur v1,10
Portez secours à votre disque dur
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
_ _
Entrée=Drapeau, Espace=Explorer
(C)Copyright Setaicossa EefaCm '92

Home