Prevent Online Threats

Archive for September, 2006

DrJohn.2000

Friday, September 29th, 2006

It is a memory-resident parasitic virus that is not dangerous. It writes itself to the end of COM and EXE files. When an infected file is executed, the virus infects the C:\COMMAND.COM file, then hooks INT 13h and 21h and infects files as they are opened. Depending on the system date (one month after infection), the virus displays a message in Russian. The virus also contains the text strings:
c:\command.com
*Doctor John*!

Drizzle.1600

Friday, September 29th, 2006

It is a dangerous memory-resident parasitic virus. It hooks INT 16h, 21h and writes itself to the end of .COM files (except COMMAND.COM) that are executed. The virus keeps a counter in the MBR of the hard drive and increments it on each installation into memory and on each infection. When the counter reaches 400h (1024), the virus corrupts the MBR code, and the system will halt on the next boot. When the counter reaches 256, the virus starts to change the keys that are entered (INT 16h) and adds a delay on every keystroke. The virus contains only one text string:
COMMAND.COM

Drepo.2461

Friday, September 29th, 2006

These are memory-resident encrypted parasitic viruses that are not dangerous. When an infected EXE file is executed, the virus reads the root directory of the C: drive with a direct-read INT 25h call, searches the read buffer for the “COMMAND COM” string, replaces that string with “COMMAND LOM”, clears the file attribute field, and saves the result to disk with a direct-write INT 26h call. The virus then opens the C:\COMMAND.LOM file (the former COMMAND.COM), encrypts itself and writes itself to the end of the file, into the COMMAND.COM stack area (the file length does not grow, see “Lehigh”), and then overwrites the file entry point (the code pointed to by the JMP instruction at the beginning of the file) with 2Eh bytes of a decryption routine. The virus then restores the original contents of the root directory (also with an INT 26h call) and returns control to the host EXE file. I see that such a complex way to infect the file is to avoid memory-resident anti-virus monitors.
When the infected COMMAND.COM is executed, the virus hooks INT 21h, stays memory resident and writes itself to the end of EXE files that are opened or closed. When the archiver ARJ.EXE or RAR.EXE is executed, the virus reserves an extra block of memory to infect the files that are compressed into or extracted from an archive.
The virus also hooks INT 9 (keyboard) and, two months after infecting a system, depending on the keys that are pressed, it beeps through the PC speaker.
The virus contains the text strings:
ARJ.EXE RAR.EXE
C:\COMMAND COM
Pod na jedno DREPO!
Shareware version.
Do not forget to register!

Dreamer.4808

Friday, September 29th, 2006

These are memory-resident parasitic viruses that are not dangerous. They hook INT 1Ch, 21h and write themselves to the end of COM files that are executed. Sometimes these viruses try to speak several words through the internal speaker. The viruses contain the text strings:
“Dreamer.4808”: Hitler Virus by Dreamer/DY
“Dreamer.8869”: [Dar Mandra] by Simpson #1

Dream.2000

Friday, September 29th, 2006

These are not dangerous memory resident parasitic polymorphic viruses. They hook INT 13h, 21h and write themselves to the end of .COM- and .EXE-files that are accessed with INT 21h function 12h (FindNext FCB). The viruses contain the internal string “SCCLF-VIMSVSWI”, and do not infect the files with the names from that string (two bytes per name): SC*.*, CL*.*, F-*.*, VI*.*, MS*.*, VS*.*, WI*.*. Depending on the internal counter the viruses return the error flag on INT 13h (Disk Services) calls. The viruses also contain the internal string:
[ Dream Man / Doctor Revenge ] 12-02-94 Italy

Dre.756

Friday, September 29th, 2006

It is an encrypted, non-memory-resident parasitic virus that is not dangerous. It searches for .COM files, then writes itself to the end of each file. The virus contains text strings in Russian and English:
EXE
Wr. by Doctor Dre 1997(c).King V1.2

DrDemon Family

Friday, September 29th, 2006

DrDemon.1816 and 1888
These are very dangerous memory-resident encrypted parasitic viruses. They trace INT 21h, hook INT 8 and 21h, and then write themselves to the end of COM and EXE files that are accessed. The “DrDemon.1816” virus has a bug and may corrupt files while infecting them. When the file AIDS*.* is accessed, the viruses display:
MUTABOR

The viruses display the same message about 30 minutes after installation into the system memory.
On the 13th of any month after the 10th infection, the viruses display the following messages:
It is very long story - struggle against virusesall
(c) 1994,95 by Dr. Demon , version 4.0
Make sure all your disks are not bootable now !

and overwrite the hard drive sectors with the same strings.
DrDemon.4634
This is a harmless memory-resident polymorphic multipartite virus. While executing an infected file, the virus infects the hard-drive MBR, hooks INT 21h and stays memory resident. While loading from an infected MBR, the virus cuts 10K of DOS memory (the word at address 0000:0413), hooks INT 1Ch, waits for the DOS-loading process, hooks INT 21h and releases INT 1Ch. When any of the DOS calls Execute or Allocate, Release, Free Memory is intercepted, the virus restores the size of DOS memory, and arranges its block of memory by fixing the MCB list.
By hooking INT 21h, the virus intercepts access to COM and EXE files, and writes itself to the file end. The virus does not infect the files with the names beginning with any of the following variants:
AIDS WEB VB ADINF SCAN CLEAN DRW

The virus also contains the text string:
MB Pro (c) 1994,95 by Dr.Demon

Dragon1

Friday, September 29th, 2006

It is a very dangerous memory-resident stealth boot virus. It hooks INT 13h and writes itself to the MBR of the hard drive and to the boot sector of floppy disks. The stealth procedure is buggy, and the virus may corrupt files while reading from or writing to an infected floppy.
While infecting the 12th disk, the virus manifests itself with a video effect: it changes the video palette. Under a debugger it halts the computer.
The virus contains the text strings:
Dragon 1
(C) Snake’s.
Death

Dragon.414

Thursday, September 28th, 2006

It is a harmless memory-resident parasitic virus. It copies itself into the Interrupt Vector Table, hooks INT 21h and writes itself to the end of COM files that are executed or accessed by the DOS call FindFirst ASCII. While infecting the COMMAND.COM file, the virus does not increase the file size. The virus contains the encrypted strings:
COMMAND.COM
Quick Dragon v.7

Dracula.827

Thursday, September 28th, 2006

It’s a dangerous memory-resident parasitic virus. On execution it copies itself into conventional memory at the address 9500:0000 without correcting the MCB list. It hooks INT 21h and writes itself to the end of EXE files that are executed or opened. Depending on the system date, it displays the message “DRACULA” and halts the system.

DR&ET.1710.a

Thursday, September 28th, 2006

This is a dangerous memory-resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or opened. Under a debugger and on the 13th, depending on the current time, the virus erases disk sectors and reboots the computer. It contains the internal text string: “(c) 23.5.3945 / DR & ETASCECLHVSPF-ACPRVINWI”.

DPN.623

Thursday, September 28th, 2006

It is a dangerous memory resident parasitic virus. It hooks INT 1Ch, 21h and writes itself to the end of .COM-files that are executed or opened. Depending on the system timer it reboots the computer. It contains the internal text string:
DPN

Downloader.Win32.Harnig

Thursday, September 28th, 2006

This Trojan is written in Assembler.
Installation
Harnig copies itself as an .exe file and a .dll file with the same random name in the Windows directory. The .exe version is registered in the system registry auto-run key as:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
The Trojan also creates the following file in the Windows directory:
WININIT.INI
Malicious effects
Harnig downloads Backdoor.Afcore.aa from http//system.hoha.ru/x.pl?10 and launches it. Backdoor.Afcore.aa functions identically to Backdoor.Afcore.q.

Dowcipas.2303

Thursday, September 28th, 2006

It’s a memory-resident parasitic virus that is not dangerous. It hooks INT 08h, 15h and 21h. It infects COM and EXE files that are executed. It traces INT 21h upon installation. Sometimes it changes the keyboard flags (Shift, Alt, Ctrl) and types one of the messages:
Incorrect DOS version.
KONIEC PRACY. WYLACZ KOMPUTER!!!
Twoj procesor przecieka
Jestem glodny! Wloz hamburgera (bez ketchupu!!) do stacji A:
Jestem spragniony! Wlej Coca-Cole do napedu B:
Jestem madrzejszy od ciebie 3.1415926535xOKO razy
UWAGA!!. Stacja C: wciaga tasme!!!
Nudzi mi sie-DRUKARKA.
Co ty robisz?? Pisac nie umiesz? -KLAWIATURA
DARK DOWCIPAS v.1.00 by Piotr Z. & Marcin I. (c)1992

