Prevent Online Threats

Archive for February, 2008

Stryke.25

Friday, February 29th, 2008

Details
Stryke.253

It is a harmless memory resident parasitic virus. It copies itself into the Interrupt Vector Table, hooks INT 21h and writes itself to the end of COM files that are executed. The virus does not manifest itself in any way; it contains the text string:
STRYKE

Striker.46

Friday, February 29th, 2008

Details
Striker.461

This is a harmless nonmemory resident parasitic virus. It scans the subdirectory tree and writes itself to the end of .COM files. At the beginning and at the end of an infected file there is the string:
Striker #1

Strik

Friday, February 29th, 2008

Details
Strike

It is a dangerous memory resident boot virus. It hooks INT 13h and writes itself to the boot sectors of floppy disks and to the MBR of the hard drive. While infecting a floppy disk the virus does not save the original boot sector, so when booting from such a disk the virus (not the system!) displays the message:
Non-System disk or disk error
Replace and strike any key when ready

The virus corrupts data that is read from the disk if that data contains the header of an EXE file packed with LzExe.

Strategy.48

Friday, February 29th, 2008

Details
Strategy.486

It is a harmless nonmemory resident parasitic virus. It infects system drivers (SYS files) only. The virus receives control only when DOS is loading the system drivers listed in the CONFIG.SYS file, and only if an infected file is among them. When it gets control, the virus opens the CONFIG.SYS file, searches it for the string “DEVICE=” (in any letter case) and infects the file that this string points to. Thus, once executed, the virus infects all drivers listed in CONFIG.SYS.
While infecting a file the virus checks the file's internal format and does not infect EXE-format drivers. It then stores and modifies the address of the driver's Strategy routine and writes itself to the end of the file.
The virus does not manifest itself in any way. It contains the string
\CONFIG.SYS

and the name of the host file.

Stranger.73

Friday, February 29th, 2008

Details
Stranger.734

It is a dangerous memory resident parasitic encrypted virus. It traces and hooks INT 21h, then writes itself into the middle of COM files that contain a block of constant data. The virus stores this constant byte and overwrites the block with its own code, so the file length does not grow. When executed, the virus restores this block and passes control to the host program. When a file is opened the virus checks its name and sometimes overwrites *.DB* files. The virus also contains the text:
*Stranger*

Strang

Friday, February 29th, 2008

Details
Strange

The “Strange” virus is a memory resident infector of floppy boot sectors and the hard drive master boot record. It occupies four disk sectors: the first three hold the virus body, the last holds the original floppy boot sector or hard drive MBR. On the hard drive the virus writes itself to sectors 17 through 20 of the first track; on floppies it stores itself in the last four sectors of the disk.
When booting from infected sectors the virus behaves at first like a standard boot infector: it copies itself to the high addresses of system memory and decreases the word at address 0000:0413h. But instead of the usual “boot-virus interrupt” INT 13h it then hooks INT 08h and waits for the INT 2Ah vector to be set (it waits until the double word at address 0000:00A8h becomes non-zero), which happens while DOS is being installed. Then the virus restores the original INT 08h handler address, hooks INT 21h and checks for the LOAD AND EXECUTE function (AH=4Bh).
When COMMAND.COM is loaded (the virus checks for the file name pattern *ND.???), STRANGE increases the length of the last memory block, moves its body into the area ‘added’ to that block, restores the original INT 21h address and hooks INT 09h and INT 13h. In most cases the DOS memory block that is enlarged is the one containing the system drivers; this happens when the virus moves itself while the first copy of COMMAND.COM is loaded. In some other cases the virus skips the loading of the first copy and moves itself when COMMAND.COM is loaded again (for example under one of the DOS shell utilities).
The high memory area that the virus occupied is then released: the word at address 0000:0413h is decreased by three. If it is impossible to move the virus body to the new place, the virus manifests itself by displaying the message
Hmm... Strange drivers you have, very strange… ;-)

On INT 13h calls the virus checks whether it is being traced. To detect tracing it disables hardware interrupts with a CLI instruction, pushes register AX onto the stack, pops it back and compares the contents of the stack with the value of AX. If the values differ, the virus returns a “disk write-protect” error.
The virus also hooks INT 09h (keyboard) and duplicates the keystroke of a randomly selected key. In addition, when sectors are written to disk through INT 13h and the first two bytes of the sector being written are ‘MZ’ (the first sector of an EXE file), the virus changes them to ‘ZM’.
Besides INT 09h and INT 13h, which serve as the usual virus interrupts (disk infection and effects), this virus hooks one of two hardware interrupts, either INT 0Dh or INT 76h. These interrupts correspond to the computer's hardware interrupt requests (IRQs): INT 0Dh corresponds to IRQ5, the fixed disk controller on the PC/XT, and INT 76h to IRQ14, the fixed disk on the PC/AT. When the hard drive is accessed the hardware raises the IRQ signal (IRQ5 on PC/XT class computers, IRQ14 on PC/AT), and the processor then calls the interrupt routine as a result of the hardware interrupt request.
The virus must intercept the interrupt with the correct number (INT 0Dh on an XT or INT 76h on an AT), so it has to find out the type of the processor in the computer it is running on. It determines the processor type with five assembler instructions:
MOV AX,2
MOV CL,41h
SHR AX,CL ; shift right
TEST AX,1 ; is the AX equal to 1 ?
JZ xt_class_computer

If the value of AX is 1, the computer is AT-class and the virus hooks INT 76h; otherwise it is XT-class and the virus intercepts INT 0Dh. It’s interesting - is that method of processor type detection documented?
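The instruction sequence works because of a documented difference between processor generations: the 8086/8088 uses the shift count in CL as given, whereas the 80286 and later mask it to its low five bits (Intel's manuals note this in the description of the shift instructions). With CL=41h the count is 65 on an 8086, so every bit is shifted out and AX becomes 0, but it is 1 on a 286 and later, so AX becomes 1. As an added example that is not part of the original page, the following Python simulates SHR with and without count masking so the check can be replayed without an old machine; the function names are this example's own, and nothing here touches real hardware, ports or interrupt vectors.

```python
# Added example (not from the original page): a pure-software emulation of
# the shift-count behaviour behind the five-instruction processor check in
# the "Strange" description. No real hardware, ports or interrupts are touched.

def shr16(value: int, count: int, masks_count: bool) -> int:
    """Emulate SHR AX,CL on a 16-bit register.

    masks_count=False models the 8086/8088, which uses the count in CL as
    given, so any count of 16 or more shifts every bit out and leaves 0.
    masks_count=True models the 80286 and later, which reduce the count to
    its low five bits (count modulo 32) before shifting.
    """
    value &= 0xFFFF
    count &= 0xFF                      # CL is an 8-bit register
    if masks_count:
        count &= 0x1F
    if count >= 16:
        return 0
    return (value >> count) & 0xFFFF


def detect_class(masks_count: bool) -> str:
    """Replay MOV AX,2 / MOV CL,41h / SHR AX,CL / TEST AX,1 / JZ xt_class_computer.

    Returns "AT" when bit 0 of the result is set (AX == 1) and "XT" when the
    conditional jump would be taken (AX == 0).
    """
    ax = shr16(2, 0x41, masks_count)
    return "AT" if ax & 1 else "XT"


def hooked_hardware_interrupt(masks_count: bool) -> int:
    """Interrupt number the description says the virus goes on to hook:
    INT 76h (IRQ14, AT fixed disk) on AT-class machines, INT 0Dh (IRQ5,
    XT fixed disk controller) on XT-class machines. A memory-disinfection
    tool would use the same classification to decide which vector to inspect."""
    return 0x76 if detect_class(masks_count) == "AT" else 0x0D


if __name__ == "__main__":
    for label, masks in (("8086/8088 (XT)", False), ("80286+ (AT)", True)):
        ax = shr16(2, 0x41, masks)
        print(f"{label}: AX after SHR = {ax}, class = {detect_class(masks)}, "
              f"hooks INT {hooked_hardware_interrupt(masks):02X}h")
```

Running the script prints the XT result (AX = 0, INT 0Dh) and the AT result (AX = 1, INT 76h); the `count &= 0xFF` step matters only if a caller passes a count wider than CL, and is there to keep the emulation faithful to the 8-bit register.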
Using INT 0Dh and INT 76h, the STRANGE virus builds a new kind of stealth mechanism for the hard drive. The virus keeps the original (uninfected) MBR sector permanently in memory. On XT computers, when the infected MBR sector is read, the virus substitutes the uninfected one; on AT machines it forces the disk controller to read the sector that contains the uninfected copy.
On PC/XT computers, when INT 0Dh is called, the virus reads the address of the disk buffer from port 6, checks the sector for the presence of its own body and, if the sector is infected, copies the code of the original MBR into the disk buffer.
On PC/AT class computers, on an INT 76h call, STRANGE reads the cylinder, sector and head numbers from ports 1F3h, 1F4h, 1F5h and 1F6h. If these numbers correspond to the MBR sector, the virus writes into these ports the address of the sector that contains the original MBR.
If you try to trace INT 13h while the MBR sector is being read (note that the STRANGE virus blocks tracing, see above), the trace routine runs through the code into the ROM BIOS and the register values are unchanged, yet the data buffer contains the original MBR rather than the virus. You can even point the INT 13h vector directly at the original ROM BIOS address; it makes no difference, the virus stays invisible!
It is not difficult to remove the virus from an infected disk if system memory is clean. The original MBR is saved in the hard disk sector at address 0/0/11h (cylinder/head/sector), and floppy disks can be cleaned with the DOS command SYS A: or SYS B:, or by writing a standard uninfected boot sector into the first sector of the diskette.
But if the TSR part of the virus is present, system memory has to be disinfected before the sectors are restored, either by re-booting the computer from a clean system floppy or by disinfecting system memory directly.
It is better to use INT 13h tracing to find the address in system memory where the virus resides, because the virus can copy itself not only into the drivers area but also into the end of one of the memory blocks. We once saw this virus place itself in the ‘tail’ of NC.EXE (the Norton Commander shell utility). Then the INT 0Dh, INT 13h and INT 76h handlers, three interrupt handlers in all, have to be disinfected. Only then can we be sure that “Strange” is no longer stealth.

Strafe

Thursday, February 28th, 2008

Details
Strafer

It is a very dangerous memory resident boot virus. It hooks INT 13h and writes itself to the boot sectors of floppy disks and to the active boot sector of the hard drive (as a rule, drive C:). 30 days after infecting the system the virus erases hard drive sectors. The virus contains the text string:
Boot Strafer

Storytelle

Thursday, February 28th, 2008

Details
Storyteller

This virus is not dangerous; it is a memory resident parasitic encrypted virus. It hooks INT 8 and INT 21h and writes itself to the end of .EXE files that are executed. Depending on its internal counters it displays the text:
Sitting on a grassy,beneath one of
the window of the church,was a little
girl.With her head bent back she was
gazing up at the sky and singing,while
one of her little hands was pointing
to the a tiny cloud that hovered like
a golden feather above her head.So co-
mpletely absorbed was she in watching
the cloud to which her string song or
incantation seemed addressed,that she
did not observe me when I rose and went
towards her.As I slowly approached the
child,I could see by her forehead,which
in the sunshine seemed like a globe of
pearl,and especially by her complexion
that she was uncommonly lovely.Her eyes
–which at one moment seemed blue_gray,
at another violet,were shaded by long
black lashes,curving backword in a most
peculiar way,and these matched in hue
her eyebrows, and the trees that were
tossed about her tender throat and were
quivering in the sunlight.Gradully the
other features,especially the sensitive
full-lipped mouth,grew upon me as I st-
ood silently gazing. Here seemed to me
a more perfect beauty than had ever co-
me to me in my loveliest dreams of bea-
uty.Yet it was not her beauty so much
as the look she gave me that facinsted
me ,melted meall…..
—————————————-
By : Theodore Watts-Dunton
—————————————-
Sir . Press any key

This virus also contains the text:
STORYTELLER

Storm.121

Thursday, February 28th, 2008

Details
Storm.1218

This is a benign memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On March 3rd it displays the message:
Wenn Du diesen Text liest ist es zu spät... Dein Computer ist infiziert!!!
Then it hooks INT 8 (timer) and drops the letters on the screen.

Storm.117

Thursday, February 28th, 2008

Details
Storm.1172

This is a benign memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On March 3rd it displays the message:
OK!! NOW KEEP CALM AND LIE DOWN ON THE FLOOR — THIS IS A VIRUS!!!!
Then it hooks INT 8 (timer) and drops the letters on the screen.

Storm.116

Thursday, February 28th, 2008

Details
Storm.1163

This is a benign memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On March 3rd it displays the message:
OK EVERYBODY!! NOW KEEP CALM AND LIE DOWN ON THE FLOOR — THIS IS A VIRUS!!!!
Then it hooks INT 8 (timer) and drops the letters on the screen.

Storm.115

Thursday, February 28th, 2008

Details
Storm.1153

This is a benign memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. On March 3rd it displays the message:
OK!! NOW KEEP CALM AND LIE DOWN ON THE FLOOR — THIS IS A VIRUS!!!!
Then it hooks INT 8 (timer) and drops the letters on the screen.

Stonsky.146

Wednesday, February 27th, 2008

Details
Stonsky.1468

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files that are executed or renamed. The virus contains the ID string:
§t_ñ§k¥

StoneHeart.149

Wednesday, February 27th, 2008

Details
StoneHeart.1490

It is a very dangerous memory resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed, opened, or accessed through the Get/Set File Attribute DOS call. The virus does not infect the anti-virus programs AIDSTEST, AVP, SCAN and WEB; it recognizes them by the first three letters of the file name, using the string “AIDAVPPROSCAEXTWEB” (three letters per name). While infecting a file the virus also encrypts a block of the file's code/data, and it decrypts this block before returning control to the host program.
While installing itself in memory the virus deletes files in the root directories of all disks; a file is deleted only if the seventh letter of its name is the same as the drive letter: C:??????C?.*, D:??????D?.*, etc.
The virus contains the text strings:
:\*.*
StoneHeart II
EMME Small 1.1

Stoned

Wednesday, February 27th, 2008

Details
Stoned.a
“Stoned” family. At midnight, this virus displays the following message:
IT’S MID NIGH

Stoned.Military
In November, this virus tries to format hard drive sectors.
Stoned.Million
This virus does not save the original floppy boot sector and displays “Non-System disk” when booting from an infected floppy. It overwrites the OEM field of the floppy boot sector with the string “1000000”.
Stoned.Near.a,b
These are stealth viruses. With a probability of 1/16 they erase the MBR and display the text:
Near Dark

Stoned.Nichols
Sometimes this virus displays:
[Nichols] by Apache

Stoned.Nov7
In October, this virus types a face symbol (01h ASCII) while booting, and on November 7, it erases the MBR.
Stoned.PC-AT
This is an encrypted virus containing the non-encrypted text string:
PC AT

= “heart” symbol
Stoned.Rostov
While booting from an infected floppy disk, this virus has a probability of 1/32 of erasing eight sectors on the hard disk.
Stoned.Satria
Stoned family. It displays a picture.
Stoned.Scale
“Stoned” family. It saves the boot sector of floppies and the hard drive MBR at the address 0/0/9 (track/cylinder/sector). Sometimes it plays a tune (a scale).
Stoned.Scrlock
These viruses disable writing to the hard drive if the ScrollLock key is pressed.
Stoned.Scroll
It scrolls the screen if NumLock is pressed and ScrollLock is released.
Stoned.Sex.a,b
These viruses infect disks as they are accessed (INT 13h, AH=2,3). They save the original sectors (boot and MBR sectors) at the addresses 1/0/3 (head/track/sector) for a floppy disk and 0/0/8 (or 0/0/7, depending on the version) for the hard disk. While booting from an infected floppy disk the viruses, with a probability of 1/8, display the messages:
“Stoned.Sex.a”: EXPORT OF SEX REVOLUTION ver. 1.1
“Stoned.Sex.b”: EXPORT OF SEX REVOLUTION ver. 2.0

Stoned.Spook
While infecting the hard drive, this virus writes 8 sectors into sectors 1–9 of the hard drive and as a result can erase system information. It contains the texts:
Spook 1.0
LIM

Stoned.Swedish
This virus displays the message “The Swedish Disaster”.
Stoned.Torm
While booting from an infected disk, this virus, with a probability of 1/8, displays:
Repent for ye shall be tormented...
Tormentor B - RABID Int’nl Dev. Corp. ‘91

Stoned.TurboManiac
On October 19, it displays:
The Turbo Maniac was here..

Stoned.WXYC
It infects boot sectors of the floppy disks and first boot sector (not MBR) of the hard drive. It contains the strings:
JAM WXYC
WXYC rules this roost!

Sometimes it displays the latter string.
Stoned.YMP
On the 1st of every month, it displays the message “HAVE A NICE DAY (c)YMP”.
Stoned.Zappa
On December 4, it erases the disk sectors and displays:
Dedicated to ZAPPA…

Stoned.Zapped
This virus erases the disk sectors and displays the message:
ZAPPED YOU!
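Several entries above (Strike, Strafer, Strange and the Stoned family) describe boot viruses that replace the MBR boot code, carry the partition table over and contain a recognizable text string. As an added example that is not part of the original page, the following Python performs the static checks an analyst would run on a 512-byte sector image dumped from a disk: verify the 55AAh signature, parse the partition table, scan for the ID strings quoted on this page, and diff the bootstrap area against a known-good copy. The two sector images are constructed test data, not real disk images, and all function names are this example's own.

```python
# Added example (not from the original page): offline checks on 512-byte
# MBR / boot sector images. The sample images below are constructed.
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446          # bytes 0..445 hold boot code; the partition table follows
SIGNATURE = b"\x55\xAA"      # bytes 510..511 of a valid MBR or boot sector

# ID strings quoted in the descriptions above. Short or generic strings
# ("PC AT", "1000000", "Non-System disk") are left out on purpose because
# they also occur in clean sectors and would only produce false positives.
MARKERS = (
    b"Boot Strafer",
    b"Near Dark",
    b"[Nichols] by Apache",
    b"Spook 1.0",
    b"JAM WXYC",
    b"WXYC rules this roost!",
    b"Dedicated to ZAPPA",
    b"ZAPPED YOU!",
)


def parse_partition_table(sector: bytes) -> list:
    """Return the four 16-byte partition entries as dicts (CHS fields skipped)."""
    entries = []
    for i in range(4):
        raw = sector[BOOTSTRAP_LEN + 16 * i: BOOTSTRAP_LEN + 16 * (i + 1)]
        status, ptype, lba_start, size = struct.unpack("<B3xB3xII", raw)
        entries.append({"active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": size})
    return entries


def check_sector(sector: bytes, known_good: Optional[bytes] = None) -> dict:
    """Static checks on one sector image; known_good is a trusted backup of the MBR.

    A boot virus of the kind described above normally keeps the signature
    and the partition table intact and only swaps the bootstrap code, so the
    most telling signal is a changed bootstrap with an unchanged table.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    report = {
        "signature_ok": sector[510:512] == SIGNATURE,
        "markers": [m.decode() for m in MARKERS if m in sector],
        "partitions": parse_partition_table(sector),
        "bootstrap_changed": None,
        "partition_table_changed": None,
    }
    if known_good is not None:
        report["bootstrap_changed"] = sector[:BOOTSTRAP_LEN] != known_good[:BOOTSTRAP_LEN]
        report["partition_table_changed"] = sector[BOOTSTRAP_LEN:510] != known_good[BOOTSTRAP_LEN:510]
    report["suspicious"] = bool(report["markers"]) or bool(report["bootstrap_changed"])
    return report


def build_sector(bootstrap: bytes, partition_table: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR image (test data, not a real disk)."""
    body = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    return body + partition_table.ljust(64, b"\x00")[:64] + SIGNATURE


# Constructed clean MBR: placeholder boot code plus one active FAT16 partition
# starting at LBA 63 (the other three table entries are left empty).
CLEAN_PARTITION_TABLE = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 65536)
CLEAN_MBR = build_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 40,
                         CLEAN_PARTITION_TABLE)

# Constructed infected MBR: the boot code was replaced (and carries one of the
# page's ID strings) while the partition table was preserved.
INFECTED_MBR = build_sector(b"\xEB\x1C\x90" + b"\x00" * 29 + b"Boot Strafer",
                            CLEAN_PARTITION_TABLE)

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        r = check_sector(image, known_good=CLEAN_MBR)
        print(f"{name}: signature_ok={r['signature_ok']} markers={r['markers']} "
              f"bootstrap_changed={r['bootstrap_changed']} "
              f"table_changed={r['partition_table_changed']} suspicious={r['suspicious']}")
```

On a real system the `known_good` copy would be the MBR backup taken before the incident (or the sector the description says the virus saves its copy in, once that location has been verified); without a backup the marker scan and the signature check still run, but the bootstrap comparison is skipped and reported as `None`.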

