Demig.16354
Description Demig.16354
This is a harmless multipartite virus. It infects DOS, MS Windows and MS Office (Excel) files:

DOS: the virus infects COM, EXE and BAT files
Win32: PE EXE files and the KERNEL32.DLL library
MS Office: creates an Excel "virus dropper" file

The virus itself is a Win32 PE EXE program and can perform all of its functions only when run in a Win32 environment. The other infected components are "virus droppers": the virus cannot spread directly from such a file, but uses a trick to drop its Win32 copy from it. When an infected DOS file is run, or an affected Excel sheet is opened, the attached virus routine creates the C:\DEMIURG.EXE file, extracts the Win32 virus code into it and spawns that file. The main virus routine then gets control.

The virus is memory resident under Win32. The affected KERNEL32.DLL hooks file access functions (file opening, copying, moving, accessing file attributes) and infects COM, EXE and PE EXE files that are accessed this way.

While infecting a file the virus writes itself to the end of the file. DOS COM, EXE and BAT files are converted to "droppers". Win32 PE files are infected with the main virus code, so the virus is able to spread directly from an infected PE file without creating additional files.

To infect the Win32 KERNEL32.DLL module the virus uses a trick. That file is permanently in use by Windows and is therefore locked for writing. The virus copies the file from the Windows system directory (where it is placed by default) to the Windows root directory and infects that copy, for example:

C:\WINDOWS\SYSTEM\KERNEL32.DLL - original file in the system directory
C:\WINDOWS\KERNEL32.DLL - infected copy in the Windows root directory

When Windows is restarted, it looks for the KERNEL32.DLL library first in the Windows root directory, then in the system directory, so it loads the infected library instead of the original (clean) one.
To affect MS Excel the virus creates its complete image (in text format) in the C:\DEMIURG.SYS file, then reads the Excel location from the system registry and creates the DEMIURG.XLS file there. This XLS file contains a short macro subroutine that completes the job. On its next start MS Excel automatically loads that file and activates the "Auto_Open" subroutine in it. That subroutine reads the complete virus code from the C:\DEMIURG.SYS file, converts it to the binary PE EXE file C:\DEMIURG.EXE and spawns it. The main virus code gets control as a result. While affecting MS Excel the virus also disables the VirusProtection Excel option.

The virus doesn't manifest itself in any way. It contains the "copyright" text string:

[The Demiurg] - a Win32 virus by Black Jack written in Austria in the year 2000
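A triage check for the file artifacts named in the description above, written as an added example (it is not part of the original entry). It takes a list of file paths, for instance from a disk image listing; the function name, the windows_dir parameter and the sample listing are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# Files the description says are created in the root of drive C:
ROOT_DROPS = {"demiurg.exe", "demiurg.sys"}
DRIVE_ROOT = PureWindowsPath("C:\\")

def demig_indicators(paths, windows_dir=r"C:\WINDOWS"):
    """Return (path, reason) pairs for paths matching the described artifacts.

    windows_dir is an assumption: the Windows root directory of the host.
    PureWindowsPath compares case-insensitively, as Windows file names do.
    """
    win_root = PureWindowsPath(windows_dir)
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name in ROOT_DROPS and p.parent == DRIVE_ROOT:
            hits.append((raw, "dropped virus image in C:\\"))
        elif name == "demiurg.xls":
            hits.append((raw, "Excel dropper workbook"))
        elif name == "kernel32.dll" and p.parent == win_root:
            # The clean library lives in the system directory; a copy in the
            # Windows root directory is found first when Windows restarts.
            hits.append((raw, "KERNEL32.DLL copy in Windows root directory"))
    return hits

# Constructed sample listing (not taken from a real system).
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM\KERNEL32.DLL",   # original location, not flagged
    r"C:\WINDOWS\KERNEL32.DLL",
    r"C:\DEMIURG.EXE",
    r"c:\demiurg.sys",
    r"C:\OFFICE\EXCEL\DEMIURG.XLS",      # constructed directory name
    r"C:\GAMES\DEMIURG.EXE",             # not in the drive root, not flagged
]

if __name__ == "__main__":
    for path, reason in demig_indicators(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```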
Pregnant.1199
Description Pregnant.1199
This is a relatively harmless memory resident encrypted parasitic virus. It hooks INT 21h, and writes itself to the beginnings of COM files that are executed. On Friday after 10 p.m., upon the DOS command 'DIR', it displays the following message:

¦ I am the Sexual Virus - I Just Made WILD PASSIONATE LOVE to a Whole Bunch ¦
¦ of Promiscuous Files. But Please Relax - I Promise NOT to DAMAGE ANYTHING. ¦
¦ The Files That Spread Their Hot, Moist Pointers For Me - Are all PREGNANT! ¦
¦ You ll See the Sluts on Friday at 22:00 - Love From PASSION JUNE 1991 (C). ¦

and changes the names of all infected files to "PREGNANT.!!!".
PresidentB.1504
Description PresidentB.1504
This is a very dangerous memory resident encrypted multipartite virus. When an infected file is executed, the virus decrypts itself, hooks INT 13h and 21h, and returns control to the host program. When loading from an infected floppy disk, the virus hooks INT 12h and 13h, waits for DOS to load, and then hooks INT 21h. The virus then writes itself to the end of COM and EXE files that are executed or loaded as overlays or for debugging. Upon accessing 1.4Mb floppy disks, the virus infects their boot sectors. On April 26th, the virus erases the MBR of the hard drive and displays the following message:

** President B ][ **