Virus Database

Demiurg.3061

Description Demiurg.3061

It is a dangerous memory resident encrypted multipartite stealth virus. It writes itself to the end of COM and EXE files that are created on (copied to) floppy disks, and to the MBR of the hard drive.
While executing an infected file the virus traces INT 13h, 21h, 2Ah, hooks INT 13h and INT 2Ah, then it infects the MBR of the hard drive and stays memory resident. While loading from infected MBR the virus hooks INT 13h, 1Ch, waits for DOS loading process, and then hooks INT 2Ah.
To hook INT 13h the virus patches the DOS kernel in the HMA at fixed offsets. The virus writes to there INT CEh call (CDh CEh) and hooks INT CEh. These offsets are correct for DOS 6.x and may be not correct for other DOS versions. As a result the virus can halt the system. The virus has other bugs, and can halt the system while loading from infected MBR.
The virus INT 13h handler is used to call stealth routine only, and hide the infected MBR. By hooking INT 2Ah the virus receives the control from the DOS kernel, intercepts file accessing calls, and infects the files on the floppy disks only, and that are created and then closed or accessed with FindFirst/Next ASCII calls. While opening an infected file the virus disinfects it.
While opening the A-Dinf-°.°°° file the virus checks the system, and in some cases erases its code from the hard drive. While loading from such disk the system halts.
The virus contains the text strings in Russian and:
Demiurg.
LORD

Check other viruses! Be aware! Use Antiviral Software

Gumbs.3584

Description Gumbs.3584

It is not a dangerous memory resident encrypted, stealth multipartite virus. It hooks INT 13h, 1Ch, 21h, infects the C: drive boot sector and writes itself to the end of EXE files on the floppy disks on file accessing.
When an infected file is executed, the virus writes itself to the boot sector of first drive on the hard disk (C: drive) and returns control to the host file. On rebooting the virus starts from affected boot sector, installs itself into DOS memory and hooks INT 13h and INT 21h.
By hooking INT 13h the virus hides its code presence in C: drive sectors (stealth). By hooking INT 21h the virus also runs its stealth routines, as well as infection.
On accesses to EXE files on floppy drives (A: and B:) the virus infects them. The virus does not infect the files AIDS*.EXE and DRWE*.EXE. The virus also runs its stealth routine to hide infected file length growing on floppy disks as well as on the hard drive.
On April 1st in one case of eight the virus intercepts INT 8 (timer) and plays the "Hey Jude" tune (The Beatles).
The virus contains text string in Russian and the text:
Disk I/O error.

Guppy.152.a

Description Guppy.152.a

It is a memory resident harmless virus. It infects COM-files which begin from JMP command (E9 xx xx ) only. The first infected program is not running because the virus stays memory resident together with it and doesn't give the control back to the infected program. The infector hooks INT 21h.

Home