Dementia.4207
Description Dementia.4207
Dementia.4207 is a not dangerous, memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed or opened. The virus contains the internal text strings:
!#TEMP#!
REQUEST.IVA
RECEIPT.IVA
CALLFAST.COM
*.*
Dementia] Copyright 1993 Necrosoft enterprises - All rights reserved
I am the man that walks alone
And when I'm walking a dark road
At night or strolling through the park
When the light begins to change
I sometimes feel a little strange
A little anxious when it's dark
On opening of any ZIP-file, the virus scans the contents of the ZIP-file for the REQUEST.IVA file. If there is no such file inside of the ZIP archive, the virus creates the CALLFAST.COM file, writes into there the video-effect routine, infects CALLFAST.COM and appends this file to the files stored in the ZIP archive.
Thus, the virus "infects" ZIP-files, which, after "infection" contain an infected copy of the virus.
If there is a REQUEST.IVA file in the ZIP-archive, and if this file also is in a special format (ID-string 92h,14h,76h,17h, and one or more file search patterns) the virus creates a file called RECEIPT.IVA, searches for the files which are listed in the REQUEST.IVA file, copies them into RECEIPT.IVA, encrypts the result, and stores it into the ZIP.
Thus the virus is able to "steal" files from the computer and save them into the ZIP containing the special REQUEST.IVA file.
While processing the ZIP-files the virus does not call the PKZIP/PKUNZIP utilities, but parses by itself the internal ZIP-format, reads/writes the ZIP-records and adds new ones. While writing new data into the ZIP-files, the virus does not use compression, but writes it in not compressed form (ZIP-method "stored").
The virus dropper (the CALLFAST.COM file) contains the routine which displays the following text on execution:
DEMENTIA
(512)PRI-VATE ú 0 day wares ú V-X
800 megs online ú USR Dual 16.8k
-- Psychotech <Image> -/-
Check other viruses! Be aware! Use Antiviral Software
Int10 Family
Description Int10 Family
These are not dangerous memory resident boot viruses. They hook INT 10h, 13h and 1Ch. Int 10h is used for INT 13h interception, INT 1Ch - for trigger routine, INT 13h - for infection. They hit MBR of hard drive and boot-sectors of floppy-disks. The viruses encrypt original sector before saving it. Sometimes they call some video effect.
Int12
Description Int12
It is a harmless memory resident boot virus. The virus infects the boot sector of floppy disks and first boot sector of the C: drive. While infecting a boot sector the virus searches for the string "non-system disk" (any-cased) in there, and replaces the following texts with the virus installation code (40 bytes). Then the virus writes its main code to the last sector on the disk.
While loading from an infected disk the virus installation code reads the main virus code and jumps to there. Then the virus hooks INT 12h, waits for DOS loading process, then hooks INT 13h and infects the disk boot sectors that are accessed.
The virus contains the encrypted text strings:
LOVE
non-system disk
|
Home
Viruses from A to Z
0-9
A
B
Ñ
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
|