Virus Database

10past3.b

Description 10past3.b

This is a dangerous, memory-resident parasitic virus. It hooks INT 9 and 21h, and sets INT 1 and 3 to HOLD RESET address, and writes itself to the end of the COM files that are executed or loaded into the memory for debugging or as overlays.
While creating a TSR copy, this virus do not modify the MCB chain, and may halt the system. When the INT 9 is called (keyboard), the virus may change keyboard flags.
Displays the following message:
Therese

Check other viruses! Be aware! Use Antiviral Software

Diametric.3514

Description Diametric.3514

This is a dangerous memory resident parasitic polymorphic virus. It copies parts of its code to DOS kernel and XMS memory, hooks INT 21h, and writes itself to the end of EXE files that are executed, opened and while accessing file attributes. The virus has bugs and in some cases halts the computer.
The virus checks the file name and does not affect the files (anti-viruses) according to the string (two letters per name):
-VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE

The virus deletes the anti-virus databases:
ANTI-VIR.DAT AVP.CRC CHKLIST.CPS CHKLIST.MS CHKLIST.TAV CRC.SVS FILES.VVL
FINGERP.VVF IM.PRM IVB.INI IVB.NTZ MSAV.CHK SMARTCHK.CPS AV.CRC BOOT.CPS
BOOT.MS BOOT.NTZ BOOT.TAV IV.INI PART.NTZ

The virus uses a quite complex means while installing its TSR copy. First, it allocates a block of XMS memory and copies its code to there. It then obtains the address of the System FCB Tables, decreases their total number and copies its "XMS manager" (94h bytes) to there. The virus also scans the DOS kernel for specific code of the INT 21h original handler and stores its address. Before returning control to the host program, the virus hooks INT 22h. When the host program is terminated, the virus patches the DOS kernel with a FAR JMP call to the virus' INT 21h handler.
The virus keeps its main code in XMS, so that the code is not available for executing and the virus cannot infect the files. To fix this, the virus "XMS manager" copies the main virus code to the video memory at the address BBF0:0100. If this code is not necessary (there is no file to infect), the virus erases it. As a result, there are only 94h bytes of virus code in the DOS memory, and this code is hidden in the DOS kernel.
The virus also contains the text strings:
TBDRVXXX
[DIAMETRIC by Rajaat / Genesis]
[RTFM]

On May 16th, depending on its random counter, the virus executes itself by a video effect - displays "DIAMETRIC" and moves the letters to "MATRICIDE".

Diamond.1063

Description Diamond.1063

These are memory resident parasitic viruses. They hook INT 8, 21h and write themselves to the end of COM- and EXE-files at their loading into the memory. The viruses return "decreased" file length on calling two DOS functions: FindNext and FindFirst FCB. Some time after activation they launch several balls of different colors, randomly moving around the screen (effect is similar to ball movement in the "Ping-Pong" virus case).
"Diamond.1110,1063,Greemlin,RockSteady" are dangerous. Depending on system date they format the hard drive.
These viruses contain the text strings:
"Diamond.1063": DAMAGE!!!!
"Diamond.1110": Jump for joy!!! DAMAGE-B!!
"Greemlin.1146": Greemlin
"Lucifer.1086": Lucifer (C) by C.J.
"RockSteady.666": !RocK STeaDY!

Home