Prevent Online Threats

Archive for June, 2006

ABCD.

Friday, June 30th, 2006

Details
ABCD.a

It’s a harmless boot virus. On loading from an infected disk, it hooks INT 13h and writes itself into the boot sectors of floppy disks. It infects the hard drive when the system is booted from an infected floppy. It uses the ID-word ABCDh to mark infected sectors.

Armee.

Friday, June 30th, 2006

Details
Armee.a

This is a dangerous memory resident boot infector. It infects the boot sectors of the hard drive and of floppy disks.
The virus infects the hard drive while the system is booting from an infected floppy disk. It then hooks INT 13h and infects the floppy disks that are accessed; these floppies are infected by the “Brain” method. On February 7th the virus displays a message and erases disk sectors:
Schafft die Schweizer Armee ab !

Lawsuit over Microsoft WGA

Friday, June 30th, 2006

Microsoft’s Windows Genuine Advantage (WGA) program, designed to combat pirated versions of Windows, is facing its first lawsuit only one week after the final version was released. The beta version of the software was out for about a year and was known to be very controversial. A court filing by Los Angeles resident Brian Johnson asks for an injunction that prevents Microsoft from continuing to use the check-in feature of WGA in future releases. The suit asks the court to award the plaintiff and class action members “…full restitution of all monies wrongfully acquired by the Defendant by means of the wrongful conduct alleged herein….” It does not state a monetary value. One complaint of the lawsuit is that the software does not ask permission before checking in. Microsoft said it does not collect any identifying information on the user during the checks. If an illegal version of Windows is found, WGA sends out messages about not running a “genuine” copy of Windows and directs the user to Microsoft Web sites to purchase a genuine copy.

ABC.237

Friday, June 30th, 2006

Details
ABC.2378

This is a very dangerous memory resident virus. It infects COM and EXE files while DOS accesses them. The virus manifests itself from the 13th of every month: it monitors the keyboard, and after any key is pressed twice it duplicates that key (for example the keyboard input “1001” is transferred as “10001”). The infector also writes a small program into files that, when started, tries to erase the FAT of all hard disks. The virus hooks INT 16h, 1Ch and 21h.
The virus uses a complex encryption/decryption algorithm. The en/decryptor consists largely of the assembler instructions ADD, SUB and XOR in random order.

Armagedon.20

Friday, June 30th, 2006

Details
Armagedon.203

This is a dangerous memory resident parasitic virus. It hooks INT 8 and 21h and writes itself to the beginning of COM files (except COMMAND.COM) that are executed. From 5.00am to 6.00am it works with the COM port; it looks as if it tries to call some phone number via modem.
The virus contains the text:
Armagedon the GREEK

Abbas.566

Friday, June 30th, 2006

Details
Abbas.5660

This is a dangerous memory resident parasitic virus. It hooks INT 9 and 21h and writes itself to the end of COM and EXE files that are executed.
Through its INT 9 (keyboard) handler the virus checks INT 1 (trace), and while it is being traced it displays the message:
IRANIAN VIRUS W.by ABBAS KUHKAN ALIABADI
and halts the computer.
The virus also contains the text string:
KUH
Depending on the system timer, “Abbas.5660” loads a font and displays (Persian?) messages.

ArjViru

Friday, June 30th, 2006

Details
ArjVirus

It’s a dangerous non-memory resident virus. It searches for archive files and infects them. Fortunately, it searches for only one archive format: the archives it infects must be in ARJ format. Such archives are produced by the ARJ.EXE compressor.
ARJ.EXE is an archiver program which compresses and stores one or more files (including subdirectories) in one or several archive (in slang, “arjive”) files. This software is copyrighted (c) 1990-1993 by Robert K Jung.
This virus, which is more a worm than a standard DOS virus, is 5000 bytes in length. It updates the archives it finds with its own copy. On execution, the infector searches for files with the ARJ extension using the “*.arj” mask (files with the ARJ extension are created by the ARJ.EXE utility and contain compressed files). It searches for ARJ files in the current directory and in all of its parent directories.
If an ARJ archive file is found, the virus creates a temporary file with a randomly selected name and the COM extension. The name consists of four letters from ‘A’ to ‘V’; the ‘V’ limitation is because the virus uses the 0Fh limit for the letter number, and the 15th (0Fh) letter is ‘V’. The resulting names look like BHPL.COM, NLJJ.COM, OKPD.COM etc. The virus then writes itself (5000 bytes) into this COM file and, to hide itself, appends garbage bytes of randomly selected length. The virus checks that the length of the garbage does not push the file past the maximum length of an executable COM file. The resulting worm files are therefore more than 5000 bytes long; 5000 bytes is the length of the worm body that is stored in the file on every infection.
The virus then inserts that file into the archive it found. It does this in the easiest way: it forces the ARJ.EXE utility to do it. One of the ARJ.EXE switches is the “a” character, which adds the given file(s) to an ARJ archive. The virus uses this option and executes ARJ.EXE with the “a” switch via the standard C function. The command string that is executed looks like:
c:\command.com /c arj a <archive> <name>.com

where <archive> is the name (with extension) of the ARJ archive that was found and <name> is the four-letter randomly selected name described above. The “/c” switch causes COMMAND.COM to execute the given program (ARJ.EXE) and exit immediately.
On execution of this command the archiver ARJ.EXE compresses the worm and adds it to the archive file that was found. The virus then deletes the temporary file and searches for the next ARJ file. If there are no archive files left in the current directory, the virus moves to the parent directory. If the current directory is the root directory of the disk, the virus returns to DOS.
One of the features of this infector is duplicate infection. When infecting an archive the virus does not check whether its copy is already present, and how could it? Checking the contents of an archive is not an easy task, and it seems the author of this virus did not set out to avoid duplicate infection. He implemented the new idea in the easiest way, nothing more.
The virus generates the names of its worm files at random. Sometimes it generates a name that is already present in the ARJ archive being infected. As a result, that file is overwritten by the virus and its contents are lost. Of course, the probability that the worm file gets executed grows in that case.
To hide its spreading the virus hooks INT 10h, the video interrupt, and points it at an IRET instruction, which disables standard output to the screen. This feature hides the virus, but if an error occurs during the virus’ activity, the ARJ.EXE program or DOS displays an error message (for example, “Write protect error writing drive A:”) and waits for an answer. Since the virus has disabled output, the user sees only a blank screen, and it looks as if the computer has hung. By the way, the virtual DOS machine under MS-Windows switches to full-screen text mode on a write protect error, and it is impossible to switch to another task. Last note: this virus contains the short internal text string:
*.arj .. 0000.com /c arj a c:\command.com

Abbas.132

Friday, June 30th, 2006

Details
Abbas.1320

This is a dangerous memory resident parasitic virus. It hooks INT 9 and 21h and writes itself to the end of COM and EXE files that are executed.
Through its INT 9 (keyboard) handler the virus checks INT 1 (trace), and while it is being traced it displays the message:
ANTI VIRUS Writen By ABBAS KUHKAN Virus Found !
and halts the computer.
The virus also contains the text string:
KUH

ArjRar.282

Friday, June 30th, 2006

Details
ArjRar.2821

This is a relatively harmless, non-memory resident virus-worm. It searches for ARJ and RAR archives and appends its copy to archives that are found. The virus copy in archives is stored in the format of ARJ or RAR data and has the filename RUNME.COM in ARJ archives and RUN_ME_.COM in RAR. These “run-me” files contain a copy of the virus, and upon being extracted from an infected archive, they may spread the virus code to other archives.
In August, the virus drops the file PRESENT.COM, which, when executed, displays the following text:
Citat klasika:
K anielovi chrbtom.
Tak zacal som cestou hirechu ist.
K anielovi chrbtom,
len 12 krokov,
a 12 ozvien na ne,
a dosiel som tam,kam som nemal prist
Dedicated to my friends Suzy&PEDRO
[an ANGEL-Sign of immortality]
by Blesk 8^)
Present by Blesk wish You
HAPPY B-DAY
Suzy

The virus also contains the following text strings:
*.ARJ *.RAR
RAR’n'ARJ Dropper by Qark/VLAD.
RAR support included by Blesk

Abba.9849.

Friday, June 30th, 2006

Details
Abba.9849.a

ABBA is a memory resident parasitic virus. It “hooks” itself to INT 21h and writes itself to the end of .COM and .EXE files that are executed.
Abba contains the following internal text strings:
\COMMAND.COM
Program too big to fit in memory
:\ABBA+?*.*
E:\ABBA+?

The virus creates “ABBA+?nn” files with HIDDEN and READONLY attributes on the current drive, where “nn” is the number of files to be infected on this drive (with each infection the virus renames the infected file with an increased “nn” number). Depending on this number the virus manifests itself with a video effect if there is a Hercules video card installed.

ArjDropper.40

Friday, June 30th, 2006

Details
ArjDropper.402

It is a harmless non-memory resident virus-worm, 402 bytes in length. When an infected file is executed, the virus searches for ARJ archives and appends its copy to the archives that are found. The virus copy in an archive is stored in ARJ data format under the filename RUNME.COM. This RUNME.COM file contains a copy of the virus, and once extracted from an infected archive it may spread the virus code to other archives. The virus contains the text strings:
*.ARJ
ARJDrop by Qark/VLAD
RUNME.COM
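The three ARJ droppers above (ArjVirus, ArjRar.2821 and ArjDropper.402) all leave a recognisable trace in the archive itself: a member named RUNME.COM or RUN_ME_.COM, or, for ArjVirus, a four-letter ‘A’ to ‘V’ name with the COM extension. The following is an added example, not code from the original posts, of a small ARJ header walker that lists the members of an archive, verifies each basic header’s CRC32, and flags those names. The header layout (0x60 0xEA header id, 2-byte basic header size, basic header, 4-byte CRC32, chained extended headers, then the stored data) follows the published ARJ technical note; the sample archive is constructed inline with stored (method 0) members and placeholder bytes, so nothing in it is a real program.

```python
"""Triage ARJ archives for member names used by the ARJ droppers above.

Added example, not the original posts' code. Header layout per the ARJ
technical note; the sample archive at the bottom is constructed inline.
"""
import re
import struct
import zlib

ARJ_MAGIC = b"\x60\xEA"

# Fixed names used by ArjRar.2821 / ArjDropper.402, and the four-letter
# 'A'..'V' names ArjVirus generates (both taken from the descriptions above).
KNOWN_DROPPER_NAMES = {"RUNME.COM", "RUN_ME_.COM"}
RANDOM_NAME_RE = re.compile(r"^[A-V]{4}\.COM$")


def _read_headers(blob):
    """Yield (basic_header_bytes, crc_ok, is_main) for every header.

    The first header is the main archive header and carries no data; each
    later header is a local file header followed by compressed-size bytes.
    """
    pos, first = 0, True
    while True:
        if blob[pos:pos + 2] != ARJ_MAGIC:
            raise ValueError("bad ARJ header id at offset %d" % pos)
        (basic_size,) = struct.unpack_from("<H", blob, pos + 2)
        pos += 4
        if basic_size == 0:                      # end-of-archive marker
            return
        basic = blob[pos:pos + basic_size]
        pos += basic_size
        (stored_crc,) = struct.unpack_from("<I", blob, pos)
        pos += 4
        crc_ok = (zlib.crc32(basic) & 0xFFFFFFFF) == stored_crc
        while True:                              # extended header chain
            (ext_size,) = struct.unpack_from("<H", blob, pos)
            pos += 2
            if ext_size == 0:
                break
            pos += ext_size + 4                  # ext header + its CRC32
        yield basic, crc_ok, first
        if not first:                            # skip the member's data
            pos += struct.unpack_from("<I", basic, 12)[0]
        first = False


def list_members(blob):
    """Return (filename, original_size, crc_ok) for each file member."""
    members = []
    for basic, crc_ok, is_main in _read_headers(blob):
        if is_main:
            continue
        first_hdr_size = basic[0]                # offset of the filename
        original_size = struct.unpack_from("<I", basic, 16)[0]
        name_end = basic.index(b"\x00", first_hdr_size)
        name = basic[first_hdr_size:name_end].decode("ascii", "replace")
        members.append((name, original_size, crc_ok))
    return members


def suspicious_members(blob):
    """Member names matching the dropper patterns, or with a bad header CRC."""
    hits = []
    for name, _size, crc_ok in list_members(blob):
        upper = name.upper()
        if upper in KNOWN_DROPPER_NAMES or RANDOM_NAME_RE.match(upper) or not crc_ok:
            hits.append(name)
    return hits


# --- constructed sample archive (not a real dropper) ----------------------

def _header(basic):
    """Wrap a basic header with id, size, CRC32 and an empty ext-header chain."""
    crc = zlib.crc32(basic) & 0xFFFFFFFF
    return ARJ_MAGIC + struct.pack("<H", len(basic)) + basic + struct.pack("<I", crc) + b"\x00\x00"


def _main_header(archive_name):
    # first_hdr_size 34 = 30 fixed bytes + 4 bytes of extra data; file type 2
    fixed = struct.pack("<8B4I3H", 34, 11, 1, 0, 0, 2, 2, 0, 0, 0, 0, 0, 0, 0, 0) + b"\x00" * 4
    return _header(fixed + archive_name + b"\x00" + b"\x00")


def _file_header(name, data):
    # first_hdr_size 30, method 0 (stored), file type 0 (binary)
    fixed = struct.pack("<8B4I3H", 30, 11, 1, 0, 0, 0, 0, 0,
                        0, len(data), len(data), zlib.crc32(data) & 0xFFFFFFFF, 0, 0, 0)
    return _header(fixed + name + b"\x00" + b"\x00") + data


def build_sample_archive():
    """One ordinary member plus two dropper-style names; payloads are placeholders."""
    return (_main_header(b"SAMPLE.ARJ")
            + _file_header(b"README.TXT", b"hello\r\n")
            + _file_header(b"RUNME.COM", b"placeholder, not a program")
            + _file_header(b"BHPL.COM", b"placeholder, not a program")
            + ARJ_MAGIC + b"\x00\x00")


if __name__ == "__main__":
    sample = build_sample_archive()
    for name, size, ok in list_members(sample):
        print("%-12s %6d bytes  crc %s" % (name, size, "ok" if ok else "BAD"))
    print("suspicious:", suspicious_members(sample))
```

Only the basic header is parsed; compressed member data is skipped by its size field, so the walker never decompresses anything. A corrupted header CRC is reported alongside the name matches, since a dropper that overwrote an existing member (the ArjVirus name collision described above) or a truncated archive would show up the same way.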

Abal.75

Friday, June 30th, 2006

Details
Abal.758

This is a not dangerous, non-memory resident parasitic virus. It searches for .COM files, excluding COMMAND.COM, and writes itself to their beginnings. It contains/displays the internal text strings:
Not enough memory
ABAL - 758 (I)Virus

Arianna.342

Friday, June 30th, 2006

Details
Arianna.3426

This is a memory resident multipartite, encrypted and stealth virus. When an infected file is executed it infects the MBR of the hard drive. When the system boots from the infected MBR it hooks INT 1Ch, waits for DOS to load, then hooks INT 13h to apply its stealth algorithm to accesses to the infected MBR, and INT 21h to infect files. It writes itself to the end of EXE files that are accessed. When an infected file is opened, the virus disinfects it.
Sometimes the virus manifests itself with a video effect and erases the saved original MBR sector (not the first sector of the hard drive, but the sector holding the copy of the original MBR that was saved when the disk was infected). The virus contains the text strings:
Coded in BARI ThanX to DOS UNDOCUMENTED
Check the code to discover the virus name
It is very easy ! Bye !!

AAV.822

Friday, June 30th, 2006

Details
AAV.8224

This is a very dangerous memory resident parasitic virus. It hooks INT 10h, 13h, 16h and 21h and stays memory resident. When any file is executed, on a DOS GetDiskSpace call, or from its INT 10h handler if the system is not busy, the virus searches for .COM and .EXE files and writes itself to the end of the file.
The virus pays special attention to the C:\COMMAND.COM file and infects it in a way similar to the “Peasant” virus: it overwrites the beginning of COMMAND.COM with a 512-byte virus loader and saves the original COMMAND.COM header and the rest of the virus code to unused sectors of the first track of the hard drive.
When the infected COMMAND.COM is executed, the virus loader reads the rest of the virus code from the hard drive, stays memory resident, then restores the original beginning of COMMAND.COM and returns control.
This method of infection may corrupt data and files. The virus may also halt the system while going memory resident: it uses a rather complex way of hooking and releasing interrupts and may corrupt the DOS kernel.
Depending on the system time, date and several other conditions, the virus displays messages in Chinese and in English:
THIS FILE MAY BE INFECTED WITH VIRUS
TO KILL VIRUS,YOU CAN REINSTALL THIS FILE
IDEARS AUTO_ANTI_VIRUS SOFTWARE GROUP AAV MARK:4540055520
AUTO_ANTI_VIRUS
THIS FILE IS SAFE THANKS FOR USE AAV
IDEARS AUTO_ANTI_VIRUS SOFTWARE GROUP AAV MARK:4540055520

Arianna.337

Friday, June 30th, 2006

Details
Arianna.3375

This is a memory resident multipartite, encrypted and stealth virus. When an infected file is executed it infects the MBR of the hard drive. When the system boots from the infected MBR it hooks INT 1Ch, waits for DOS to load, then hooks INT 13h to apply its stealth algorithm to accesses to the infected MBR, and INT 21h to infect files. It writes itself to the end of EXE files that are accessed. When an infected file is opened, the virus disinfects it.
Sometimes the virus manifests itself with a video effect and erases the saved original MBR sector (not the first sector of the hard drive, but the sector holding the copy of the original MBR that was saved when the disk was infected). The virus contains the text strings:
Coded in BARI ThanX to DOS UNDOCUMENTED
See you for a new virus release. Bye !
