Virus Database

Dementia.4207

Description Dementia.4207




Dementia.4207 is a not dangerous, memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed or opened. The virus contains the internal text strings:
!#TEMP#!
REQUEST.IVA
RECEIPT.IVA
CALLFAST.COM
*.*
Dementia] Copyright 1993 Necrosoft enterprises - All rights reserved
I am the man that walks alone
And when I'm walking a dark road
At night or strolling through the park
When the light begins to change
I sometimes feel a little strange
A little anxious when it's dark

On opening of any ZIP-file, the virus scans the contents of the ZIP-file for the REQUEST.IVA file. If there is no such file inside of the ZIP archive, the virus creates the CALLFAST.COM file, writes into there the video-effect routine, infects CALLFAST.COM and appends this file to the files stored in the ZIP archive.
Thus, the virus "infects" ZIP-files, which, after "infection" contain an infected copy of the virus.
If there is a REQUEST.IVA file in the ZIP-archive, and if this file also is in a special format (ID-string 92h,14h,76h,17h, and one or more file search patterns) the virus creates a file called RECEIPT.IVA, searches for the files which are listed in the REQUEST.IVA file, copies them into RECEIPT.IVA, encrypts the result, and stores it into the ZIP.
Thus the virus is able to "steal" files from the computer and save them into the ZIP containing the special REQUEST.IVA file.
While processing the ZIP-files the virus does not call the PKZIP/PKUNZIP utilities, but parses by itself the internal ZIP-format, reads/writes the ZIP-records and adds new ones. While writing new data into the ZIP-files, the virus does not use compression, but writes it in not compressed form (ZIP-method "stored").
The virus dropper (the CALLFAST.COM file) contains the routine which displays the following text on execution:
DEMENTIA
(512)PRI-VATE ú 0 day wares ú V-X
800 megs online ú USR Dual 16.8k
-- Psychotech <Image> -/-

Check other viruses! Be aware! Use Antiviral Software

Macro.Word.CoolZero

Description Macro.Word.CoolZero

This is a harmless macro virus. It contains five macros: AutoOpen, AutoExec, AutoNew, AutoClose, CoolZero. It infects the system on opening an infected document (AutoOpen and AutoExec) and writes itself to documents on opening, creating and closing (AutoOpen, AutoNew, AutoClose, AutoExec). The CoolZero macro is virus' ID-macro.

Macro.Word.Cop

Description Macro.Word.Cop

This virus contains five macros: cop, AutoNew, AutoExec, AutoOpen, AutoClose. The virus infects the global macros area on opening an infected document (AutoOpen). It writes itself to documents that are created or closed (AutoNew, AutoClose). The virus detects itself in documents by macro "cop" that contains the commented text:
A Virus from Nightmare Joker's Demolition Kit!

Home