Devastator_II.a
Description Devastator_II.a
These are very dangerous memory resident stealth parasitic viruses. They copy themselves to the DOS data area (address 0000:0500) or to Interrupt Vectors Table (address 0000:0200), hook INT 13h, 21h and write themselves to the beginning of .COM files that are accessed by DOS functions FindFirst/Next ASCII. While executing a file DOS also calls FindFirst, so the viruses also affect the files that are executed.
The viruses uses way of infection similar to the "Int13" virus. While infecting a file the viruses move its beginning (512 bytes) to the end of the file, intercept (by hooking INT 13h) absolute disk address while writing to the end of the file and store that address. Then the viruses overwrite the file beginning with their own code and do not increase the file length. To read original file beginning the viruses use absolute disk address - they read it by INT 13h DiskRead call. As a result the files are lost while copying them - the stored absolute addresses are incorrect for newly created copies.
The viruses contain the text:
Devastator
Check other viruses! Be aware! Use Antiviral Software
Andromeda.758
Description Andromeda.758
It's a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself at the end of .COM-files (except COMMAND.COM). It searches for the files for infection on execution of any program. On infection it uses FCB functions of file reading/writing. On October, 5th it erases the FAT of A: drive. It contains the internal text string "[ANDROMEDA V1.1] BUDAPEST HUNGARY".
Andry.2900
Description Andry.2900
It is a dangerous memory resident parasitic virus. It hooks INT 9, 21h and writes itself to the end of COM and EXE files that are executed. After infecting a file the virus attempts to infect the COMMAND.COM file in the root directory on the current disk.
The virus has errors and infects files two and more times. It also installs itself in the memory so many times as infected programs are executed. As a result in some time DOS memory will be occupied by virus copy and the system will not load any application.
By hooking INT 9 (keyboard) the virus depending "eats" each 100th keystroke. On March 1st the virus displays the message:
+----------------------------------------------------------------+
| xxxxx xxx xx xxxxx xxxxxx xx xx |
| xx xx xx x xx xx x xx xx xx xx |
| xxxxxxx xx x xx xx xx xxxxxx xx |
| xx xx xx x xx xx x xx xx xx |
| xx xx xx xxx xxxxx xx xx xx |
| |
| xxxxx xx xx xxxxxx xx xxxxx xxxxxxxx xx xxxxx xxx xx |
| xx xx xx xx xx xx xx xx xx xx xx xx x xx |
| xx xxxxxxx xxxxxx xx xxxxx xx xx xxxxxxx xx x xx |
| xx xx xx xx xx xx xx xx xx xx xx xx x xx |
| xxxxx xx xx xx xx xx xxxxx xx xx xx xx xx xxx |
+----------------------------------------------------------------+
The virus then waits for March 2nd and displays:
ANDRY CHRISTIAN VIRUS WILL BE -->
ACTIVE NEXT YEAR !
The virus also contains the text string:
~INA (ž) 1997 Hackware Technology Research~
|