Virus Database

Diametric.3514

Description Diametric.3514

This is a dangerous memory resident parasitic polymorphic virus. It copies parts of its code to DOS kernel and XMS memory, hooks INT 21h, and writes itself to the end of EXE files that are executed, opened and while accessing file attributes. The virus has bugs and in some cases halts the computer.
The virus checks the file name and does not affect the files (anti-viruses) according to the string (two letters per name):
-VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE

The virus deletes the anti-virus databases:
ANTI-VIR.DAT AVP.CRC CHKLIST.CPS CHKLIST.MS CHKLIST.TAV CRC.SVS FILES.VVL
FINGERP.VVF IM.PRM IVB.INI IVB.NTZ MSAV.CHK SMARTCHK.CPS AV.CRC BOOT.CPS
BOOT.MS BOOT.NTZ BOOT.TAV IV.INI PART.NTZ

The virus uses a quite complex means while installing its TSR copy. First, it allocates a block of XMS memory and copies its code to there. It then obtains the address of the System FCB Tables, decreases their total number and copies its "XMS manager" (94h bytes) to there. The virus also scans the DOS kernel for specific code of the INT 21h original handler and stores its address. Before returning control to the host program, the virus hooks INT 22h. When the host program is terminated, the virus patches the DOS kernel with a FAR JMP call to the virus' INT 21h handler.
The virus keeps its main code in XMS, so that the code is not available for executing and the virus cannot infect the files. To fix this, the virus "XMS manager" copies the main virus code to the video memory at the address BBF0:0100. If this code is not necessary (there is no file to infect), the virus erases it. As a result, there are only 94h bytes of virus code in the DOS memory, and this code is hidden in the DOS kernel.
The virus also contains the text strings:
TBDRVXXX
[DIAMETRIC by Rajaat / Genesis]
[RTFM]

On May 16th, depending on its random counter, the virus executes itself by a video effect - displays "DIAMETRIC" and moves the letters to "MATRICIDE".

Check other viruses! Be aware! Use Antiviral Software

ScreenMixer.1072

Description ScreenMixer.1072

It is not a dangerous memory resident partly encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or accessed by FCB FindFirst/Next DOS calls (DIR command). Depending on the system timer the virus mixes the letters on the screen.

Script.Inf

Description Script.Inf

This is a script virus that infects Windows INF files. These INF files contain the information that is used during installation a new software, or upgrading already installed programs. They are activated on entering the "Install" item in the context menu of Windows Explorer. To replicate itself the virus uses special script language that is used in the INF files.
When a software with infected INF file is installing, Windows looks for INF file in the package, opens it and processes instructions including virus script commands. The virus code when activated creates the VXER.TXT file, copies the host file to there and appends several DOS commands to the end of the AUTOEXEC.BAT file. On rebooting these commands search for first *.INF file in the WindowsInf directory on the current drive and overwrite it with virus code that was stored in the VXER.TXT file.

Home