Prevent Online Threats

Archive for September, 2006

DSME.Teacher

Saturday, September 30th, 2006

Details
DSME.Teacher.a

This is a harmless memory-resident parasitic DSME-based virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. It contains the following text string:
Teacher virus ( A demo virus for DSME to all teacher )

DSME.DemoVirus

Saturday, September 30th, 2006

Details
DSME.DemoVirus

This is a harmless, non-memory resident parasitic DSME-based virus. It searches for COM files, and writes itself to the end of the file. It contains the following text:
This is a DemoVirus for DSME v1.0, Written by Dark Slayer in Keelung,Taiwan

DSME.Connie.2708

Saturday, September 30th, 2006

Details
DSME.Connie.2708

This is a harmless memory resident parasitic polymorphic virus. It is not linked with the DSME generator, but it contains DSME-related polymorphic code. The code looks like “rough copies” of the DSME generator.
This virus hooks INT 21h, and writes itself to the end of COM files that are accessed. It contains the following text strings “C:\COMMAND.COM” and:
This is Connie v2.0
Written by Dark Slayer in Keelung, Taiwan

DSME.Connie.1746

Saturday, September 30th, 2006

Details
DSME.Connie.1746

This is a harmless memory resident parasitic polymorphic virus. It is not linked with the DSME generator, but it contains DSME-related polymorphic code. The code looks like “rough copies” of the DSME generator.
This virus hooks INT 21h, and writes itself to the end of COM files that are accessed. It contains the following text strings “C:\COMMAND.COM” and:
This is
Written by Dark Slayer in Keelung TAIWAN

DSME.Apex.2685

Saturday, September 30th, 2006

Details
DSME.Apex.2685

This is a relatively harmless, non-memory resident parasitic virus. It searches for COM files, and writes itself to the end of the file. In September, it manifests itself in the form of sound and video effects, and it displays the following text string:
My name is APEX v1.0_ Congratulations! PS:I wouldn’t hurt your data.Be relax!.Ha

DSME-based Viruses

Saturday, September 30th, 2006

Details
DSME-based Viruses

DSME (Dark Slayer’s Mutating Engine) is a polymorphic generator like the MtE or TPE generators. It creates the decryption routine and encrypts the virus body; the virus then saves this code in the file on infection. This generator contains the internal string: “DSME v1.0”.
DSME.Apex
It is a non-dangerous, non-memory-resident parasitic virus. It searches for .COM files and writes itself to their ends. In September it manifests itself with sound and video effects. It displays the text string:
My name is APEX v1.0_ Congratulations! PS:I wouldn’t hurt your data.Be relax!.Ha

DSME.Connie
These are harmless memory resident parasitic polymorphic viruses. They are not linked with the DSME generator, but they contain DSME-related polymorphic code. They look like “rough copies” of the DSME generator.
These viruses hook INT 21h and write themselves to the end of COM files that are accessed. They contain the internal text strings “C:\COMMAND.COM” and:
“DSME.Connie.1746”: This is
Written by Dark Slayer in Keelung TAIWAN
“DSME.Connie.2708”: This is Connie v2.0
Written by Dark Slayer in Keelung, Taiwan

DSME.DemoVirus
It is a harmless, non-memory-resident parasitic DSME-based virus. It searches for .COM files and writes itself to their ends. It contains the internal text:
This is a DemoVirus for DSME v1.0, Written by Dark Slayer in Keelung,Taiwan

DSME.Teacher
It’s a harmless memory resident parasitic DSME-based virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed. It contains the internal text string:
Teacher virus ( A demo virus for DSME to all teacher )

DSCE.Demo.2941

Saturday, September 30th, 2006

Details
DSCE.Demo.2941

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It contains the internal text string:
This is a DSCE’s Demo Virus written by [P.F]

DSCE-based viruses

Saturday, September 30th, 2006

Details
DSCE-based viruses
It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. It contains the text string:
This is a DSCE’s Demo Virus written by [P.F]

DS.512

Saturday, September 30th, 2006

Details
DS.512.a

It is a dangerous memory resident parasitic stealth virus. It installs itself in system memory without correcting the system memory blocks, which can cause a system crash. Then the virus hooks INT 13h (for its stealth routine) and INT 21h (for its infection routine), and hits the \COMMAND.COM file. Then it writes itself into the middle of COM and EXE files that are executed. It infects some files incorrectly; these halt the system on execution. It contains the internal string: “DS”.

DS.3783

Saturday, September 30th, 2006

Details
DS.3783

This is a relatively harmless, memory resident multi-partite stealth virus. It infects COM, EXE and NewEXE files, the MBR of the hard drive and the boot sector of floppy disks. While infecting DOS files, the virus writes itself to the end of the file and modifies the file header. While infecting NewEXE files, the virus also writes itself to the end of the file, but modifies the NewEXE header: it creates a new Segment Table, fixes other fields in the NewEXE header and defines a new code segment that contains the virus’ code.
While infecting floppy disks, the virus formats an extra track (80th) and writes itself there. While infecting the MBR, the virus writes itself to the hidden sectors of the first track. Then the virus overwrites the boot sector or the MBR with the loading code (1Ch bytes).
When the system is booting from an infected disk, the loader reads the virus’ code from the disk to address 7C00:0000 and passes control to the virus installation routine. This routine hooks INT 13h, and returns control to the original bootstrap procedure.
The INT 13h handler waits for the DOS loading process, then the virus patches the DOS kernel with CALL FAR VirusHandler calls and hooks INT 21h, 2Ah, and 2Fh. When the first program is executed, the virus allocates a block of UMB or conventional memory and copies itself there. Then the virus infects executable (DOS COM, EXE and Windows NewEXE) files that are accessed and the boot sector of floppy disks.
When an infected COM or EXE file is executed, the virus cuts a block of conventional memory, copies itself there, hooks INT 13h, 21h, 2Ah, and 2Fh and stays memory resident. When an infected NewEXE file is executed, the virus installs itself memory resident by using DPMI calls.
The virus checks the names of the programs that access files and, in the case of archive, backup and disk checking utilities, disables several branches of its stealth routine. The list of such utilities is as follows:
PKZIP ARJ RAR LHA TELIX BACKUP MSBACKUP CHKDSK

The virus detects its already loaded TSR copy by an INT 21h call with AX=187Fh and BX=4453h (the “DS” string, hence the virus’ name); the memory resident copy returns BX=87A1h.
Text added: Oct-23-1996

Drzip.512

Saturday, September 30th, 2006

Details
Drzip.512

It is a non-dangerous memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the beginning of COM files that are accessed. The virus also encrypts the whole host file. When ZIP files are opened, the virus reads their headers, looks for the ZIP archive signature and overwrites it. As a result, ZIP archives become damaged.
The virus contains the text string:
[SMF.DrZip]
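
A triage check for the ZIP damage described above, as an added example that is not part of the original entry. It assumes the overwritten signature is the local file header signature (PK\x03\x04), which the entry does not specify, and that the central directory at the end of the archive is intact; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def damaged_local_headers(data):
    """Return offsets of local headers whose signature is missing.

    None means no end-of-central-directory record was found, so the
    buffer cannot be confirmed as a ZIP archive at all.
    """
    # The EOCD record is 22 bytes plus a comment of at most 65535 bytes.
    eocd = data.rfind(EOCD_SIG, max(0, len(data) - 65557))
    if eocd < 0 or eocd + 22 > len(data):
        return None
    count, _size, pos = struct.unpack_from("<HII", data, eocd + 10)
    bad = []
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG or pos + 46 > len(data):
            break  # central directory itself is truncated or damaged
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        # Each directory entry points at a local header that must start with PK\x03\x04.
        if data[local_off:local_off + 4] != LOCAL_SIG:
            bad.append(local_off)
        pos += 46 + name_len + extra_len + comment_len
    return bad


def make_sample_zip():
    """Constructed two-member archive, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "first member")
        zf.writestr("b.txt", "second member")
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_sample_zip()
    hit = b"\x00\x00\x00\x00" + clean[4:]  # simulated signature overwrite
    print(damaged_local_headers(clean))    # []
    print(damaged_local_headers(hit))      # [0]
```

An archive flagged this way still has a readable central directory, so member names and sizes can be listed from it before attempting repair.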

Drwatson.1503

Saturday, September 30th, 2006

Details
Drwatson.1503

It is a very dangerous memory resident virus. When the virus starts, it creates the file C:\DRWATSON.COM, writes its copy into this file and then inserts the command @drwatson at the beginning of the file AUTOEXEC.BAT. Other files are not infected. When the file AUTOEXEC.BAT is accessed, the virus uses a stealth algorithm.
This infector stops tracing: it types “Tracing mode has been destroyed” and exits to DOS. If the virus body is traced, the infector erases the contents of the FAT of the current disk and reboots the computer.

DrunkAvenger

Friday, September 29th, 2006

Details
DrunkAvenger

It is a harmless memory resident parasitic virus that hooks INT 21h and infects .COM files on FindFirst/Next FCB calls. It contains the internal text string “DIR by Drunk Avenger [PuKE] x92!”.

Drop.1131

Friday, September 29th, 2006

Details
Drop.1131

It is a harmless memory resident virus. It infects COM and EXE files in the standard way when they are accessed. It hooks INT 1Ch and 21h. Depending on its internal counter, the infector can drop letters on the screen.

Dron.1024

Friday, September 29th, 2006

Details
Dron.1024

It is a non-dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. Depending on its internal counters, the virus displays some picture (corrupted?) and the message:
Moscow Institute of Physics and Technology (c) 1994

The virus also contains the text string:
* DRON Ver 1.00, PhysTech,(c) 1994 *

