Virus Database

Dementia.4207

Description Dementia.4207




Dementia.4207 is a not dangerous, memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed or opened. The virus contains the internal text strings:
!#TEMP#!
REQUEST.IVA
RECEIPT.IVA
CALLFAST.COM
*.*
Dementia] Copyright 1993 Necrosoft enterprises - All rights reserved
I am the man that walks alone
And when I'm walking a dark road
At night or strolling through the park
When the light begins to change
I sometimes feel a little strange
A little anxious when it's dark

On opening of any ZIP-file, the virus scans the contents of the ZIP-file for the REQUEST.IVA file. If there is no such file inside of the ZIP archive, the virus creates the CALLFAST.COM file, writes into there the video-effect routine, infects CALLFAST.COM and appends this file to the files stored in the ZIP archive.
Thus, the virus "infects" ZIP-files, which, after "infection" contain an infected copy of the virus.
If there is a REQUEST.IVA file in the ZIP-archive, and if this file also is in a special format (ID-string 92h,14h,76h,17h, and one or more file search patterns) the virus creates a file called RECEIPT.IVA, searches for the files which are listed in the REQUEST.IVA file, copies them into RECEIPT.IVA, encrypts the result, and stores it into the ZIP.
Thus the virus is able to "steal" files from the computer and save them into the ZIP containing the special REQUEST.IVA file.
While processing the ZIP-files the virus does not call the PKZIP/PKUNZIP utilities, but parses by itself the internal ZIP-format, reads/writes the ZIP-records and adds new ones. While writing new data into the ZIP-files, the virus does not use compression, but writes it in not compressed form (ZIP-method "stored").
The virus dropper (the CALLFAST.COM file) contains the routine which displays the following text on execution:
DEMENTIA
(512)PRI-VATE ú 0 day wares ú V-X
800 megs online ú USR Dual 16.8k
-- Psychotech <Image> -/-

Check other viruses! Be aware! Use Antiviral Software

Mirror.4130

Description Mirror.4130

It is a harmless memory resident parasitic stealth polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. It contains the text strings:
[ Mirror: Bit Addict / TridenT ]
COMSPEC=

The virus uses very unusual way of infection. It realizes the "anti-stealth" technique, that virus is "reverse" one. While accessing to not infected files with any DOS command they appears as infected, but the virus does not infect them on disk. The virus substitutes the original body and length of not infected files with their infected form. While viewing by any editor these files are visible as containing the virus code, but these files are not infected in real. DIR command reports increased file lengths. The way to infect the files is to copy them to not COM/EXE extensions, or pack with any packer such as ZIP or ARJ.

Misis.a

Description Misis.a

This is a memory-resident harmless boot virus. It hits the MBR of hard drive on booting from the infected floppy, and the floppy Boot-sectors on reading/writing the disk sectors. It hooks INT 13h. Sometimes it displays the messages in Russian.

Home