Demiurg.3061
Description Demiurg.3061
It is a dangerous memory resident encrypted multipartite stealth virus. It writes itself to the end of COM and EXE files that are created on (copied to) floppy disks, and to the MBR of the hard drive.

When an infected file is executed, the virus traces INT 13h, 21h and 2Ah, hooks INT 13h and INT 2Ah, then infects the MBR of the hard drive and stays memory resident. When loading from an infected MBR, the virus hooks INT 13h and 1Ch, waits for DOS to load, and then hooks INT 2Ah.

To hook INT 13h the virus patches the DOS kernel in the HMA at fixed offsets. It writes an INT CEh call (CDh CEh) there and hooks INT CEh. These offsets are correct for DOS 6.x and may not be correct for other DOS versions. As a result the virus can halt the system. The virus has other bugs, and can halt the system while loading from an infected MBR.

The virus's INT 13h handler is used only to call the stealth routine and hide the infected MBR. By hooking INT 2Ah the virus receives control from the DOS kernel, intercepts file access calls, and infects only files on floppy disks, namely those that are created and then closed, or that are accessed with FindFirst/Next ASCII calls. When an infected file is opened, the virus disinfects it.

When the A-Dinf-°.°°° file is opened, the virus checks the system, and in some cases erases its code from the hard drive. While loading from such a disk the system halts.

The virus contains text strings in Russian, as well as: Demiurg. LORD
Lichen.1024
Description Lichen.1024
It is not a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. One month after infection the virus also hooks INT 8 and INT 9 and manifests itself by a video effect.
Lifeform.2101
Description Lifeform.2101
It is a very dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are closed (i.e. the virus infects files that are copied, modified or scanned).

When an infected file is debugged or opened, the virus disinfects it (stealth). When the length of an infected file is queried, the virus decreases the reported value. When the F-PROT anti-virus or the ARJ, RAR, PKZIP, LHA or BACKUP utilities are run, the virus disables this stealth routine.

The virus also fools the AVPLITE and F-PROT anti-virus programs. When AVPLITE is run, the virus adds the "disable heuristic scanning" option to the end of the command line. When F-PROT reads data from files to scan them for viruses, the virus fills the data buffer with garbage. The virus also deletes the anti-virus data files: ANTI-VIR.DAT, CHKLIST.MS, SMARTCHK.CPS, AVP.CRC, IVB.NTZ, CHKLIST.TAV.

Under a debugger the virus corrupts the CMOS checksum field and halts the computer. On May 23rd the virus erases the data on the hard drive, corrupts the CMOS and displays the message: -- [LifeForm] coded by ThE_WiZArD (1998) -- Cooler than a body on ice, Hotter than a rollin`dice Wilder than a drunken fight all You`re gonna burn tonight
The virus also contains the text strings: #ThE_WiZArD Quo vadis Fridrik? ... and you Frans still working on this shit.