Pixel.25
Friday, November 30th, 2007Details
Pixel.257
These are dangerous non-memory resident parasitic viruses. Upon execution, the viruses search for .COM files of the current directory, then write themsleves to the beginning of the file. Some of these viruses may infect the files twice, or corrupt files of large length. The viruses contain the text string:
*.COM
The majority of these viruses contain the text string at the beginning of the file:
IV
Some versions of the viruses show themselves too soon: from the fifth “generation” of the viruses, as an infected program is started, with a 50% probably, the following message appears on the screen:
Program sick error: Call doctor or buy PIXEL for cure description
Some versions of the viruses display the texts:
“Pixel.257,275″: Fucking hell:You wet pussy
“Pixel.283″: What a stupid you are !!!!!!!!
“Pixel.296″: En tu PC hay un virus RV1, y esta es su quinta generacion
“Pixel.299.b”: Software Failure. Task Held. Guru Meditation
#456789:#34567?????
“Pixel.837″: I love you so much!!! — Francis
“Pixel.847.b”: Buy AMSTRAD it is THE CHEAPEST COMPUTER thatyou can buy
THE END IS NEAR!! THE SIGNS OF THE BEAST ARE EVERYWHERE!!
Hello, John Mcafee,please uprade me.Bests regards,Jean Lu
“Pixel.847.c”: En tu PC hay un virus RV1, y ésta es su quinta generación
“Pixel.877″: Sector not found error fucking defoult drive! Please
buy me a new disk drive!
“Pixel.899″: COMMAND.COM Fucking Hell: What a smelly ass hole!!Do you
want to fuck it!!!
“Pixel.Ill”: You are ill.
“Pixel.936″ (this message is displayed on April, 1st):
Fucking Hell: What a smelly ass hole!!Do you want to fuck it!!! HaHaHaall
What a Good Friday!!
Some of the versions display a political slogan in Bulgarian.
Other virus versions contain texts that are not displayed:
“Pixel.761″: LiquidCode
“Pixel.Rosen.131″: ÉoR*.COM
“Pixel.Pixie.812″: The Pixie Virus v1.0 - Written by NegativX -
Copyright (c) 1991, -SiTT-
“Pixel.1268 and 1271″ display the message “ENTER THE PASSWORD:” and wait for input “Ken Sent Me”. If the input is not correct, the viruses display “YOU HAVE ENTERED THE WRONG PASSWORD!!” and return to DOS. They also contain the text: “PreComFileRunSyndrome 1993″.
Pixel.Cheef
On the 3rd of every month, they erase the FAT and then congratulate the user:
Happy Birthday,Cheef!
These infectors contain the strings:
ShMoscow
Pixel.Hydra
They search and write themselves to the beginning of one .COM file of the current directory when an infected file is started. If one is not uninfected and the .COM file is present, the virus can, depending on its version:
delete COMMAND.COM or all .EXE files of current directory
write into .EXE files a program that decrypts and displays “Who is John Galt?”
display the messages:
HYDRA Copyright (c) 1991 by C.A.V.E. HYDRA Watch for the many heads. The first eight are easy to find and kill. Their replacements will be more sophisticated. (c) 1991 - C. A. V. E.
The viruses also contain texts like:
HyDra-1 Beta - Not For Release.
Coalition of American Virus Engineers -=-=- Dedicated to supporting the
anti-virus industry without recognition or reward. -=-=-
Pixel.Ill
Upon being executed, the virus hooks INT 1Ch and returns control to the host program without infecting the files. Upon being executed the next time, the virus obtains the INT 1Ch address, and checks the INT 1Ch handler’s code for ID-byte that is present in the virus’ INT 1Ch handler. If this ID-byte is found, the virus searches for .COM files (except COMMAND.COM), and infects them. So, the virus infects files only being executed two or more times.
The virus runs itself with a video effect: it scrolls the screen up and down.
Pixel.Self
The first 8 bytes of the virus consist of four pairs selected randomly from PUSH CX - POP CX, PUSH DX - POP DX, PUSH DS - POP DS, PUSH ES - POP ES. Periodically, the viruses display random data.
“Pixel.Self.550″, depending on the time, might delete .EXE files. It also removes the “read-only” attribute and does not restore it.