Prevent Online Threats

Archive for February, 2008

Stofi.998

Wednesday, February 27th, 2008

It is a dangerous memory resident partly encrypted parasitic virus. The virus hooks INT 21h and writes itself to the end of COM files that are executed or opened. It may corrupt the READ.ME files - the virus overwrites them with the message:
*Fuck you St Stöfi - world’s biggest lamer !!!*

The virus also contains the text string:
comexeread.me

Stink Family

Wednesday, February 27th, 2008

These are dangerous nonmemory resident parasitic viruses. They search for .COM files in the current directory and write themselves to the beginning and to the end of the file:

 +-------+        +-------+
 ¦ File  ¦---+    ¦ Virus ¦ - the first part of the virus
 ¦- - - -¦   ¦    +-------¦
 ¦       ¦   ¦    ¦ File  ¦
 ¦       ¦   ¦    ¦       ¦
 +-------+   ¦    ¦- - - -¦
             +--->¦       ¦
                  +-------¦
                  ¦ Virus ¦ - the second part of the virus
                  ¦       ¦
                  +-------+

These viruses hook INT 24h incorrectly and halt the system when infecting a file on a write-protected disk. These infectors contain the string “*.COM.COMMAND”.
The viruses check the system time, and if the value of seconds is equal to the value of minutes, the viruses, with a probability of 1/4, display the messages:
“Stink.1252,1254,1283”: StinkFoot has arrived on your PC !
“Stink.1270,1283.b”: StinkFoot: ‘Eat this Paul Ducklin’

Stinger.710

Wednesday, February 27th, 2008

It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for .COM files, then writes itself to the end of the file. At the header of infected files there is the text:
STINGER

Stimp.248

Tuesday, February 26th, 2008

It is not a dangerous nonmemory resident encrypted parasitic virus. It searches for .COM files and writes itself to the beginning of the file. On the 21st of any month it displays the message:
STIMP-VIRUS made in Poland

Steryd.399

Tuesday, February 26th, 2008

It is not a dangerous nonmemory resident parasitic virus. It searches for COM files and writes itself to the beginning of the file. On December 24th it decrypts and displays the message:
Wesolych Swiat i Szczesliwego Nowego Roku zyczy STERYD.

Sterculius Family

Tuesday, February 26th, 2008

These are harmless memory resident parasitic viruses. They copy themselves into the Interrupt Vector Table and hook INT 21h. These viruses then write themselves to the end of files that are executed or loaded as overlays. “Sterculius.280” infects only COM files; the other “Sterculius” viruses infect both COM and EXE files. These viruses contain the strings:
“Sterculius.266”:
“Sterculius.273”:
“Sterculius.240,280”: STERCULIUS
“Sterculius.428,440,456,458,474”: STERCULIUS ][

Steppen.428

Tuesday, February 26th, 2008

It is a harmless nonmemory resident parasitic virus. It searches for COM and EXE files in the current and parent directories, then writes itself to the end of the file. The virus contains the text string:
[Steppenbrand]

Steppan.736

Tuesday, February 26th, 2008

It is not a dangerous memory resident parasitic virus. It hooks INT 1Ch and 21h and writes itself to the end of .COM files that are executed or opened. The virus “disables” the Left-Shift key. Depending on its counter it displays the message:
Your PC is infected with DEATH virus - greeting from Steppan

The virus also contains the text strings:
Death
COMSPEC

Steatoda family

Tuesday, February 26th, 2008

These are very dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM files and to the end of EXE files that are executed or opened. After infecting a file the viruses erase randomly selected sectors on the hard drive.
Before installing themselves memory resident, the viruses look for the file C:\DAMAGE.MOR. If that file is found, the viruses do not stay resident, but decrypt and display the message:
This file is infected by “Steatoda”, you seem to have the protection, soall
you will not be harmed by the virus.
Press any key…

The viruses also contain the text strings:
“Steatoda”
EXE COM
C:\DAMAGE.MOR

StealthBomber

Monday, February 25th, 2008

It is not a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h - the virus overwrites the code of original INT 21h handler with 10 bytes of routine that passes the control to the virus body. On INT 21h calls the virus restores patched code, and then patches it again. To do that the virus also hooks INT 1, 1Ch, 20h.
The virus writes itself to the beginning of .COM files that are accessed. On the 31st of August the virus displays the message:
! I AM THE STEALTH BOMBER !
+-------------------------+
¦   I BELONG TO THE NEW   ¦
¦ GENERATION OF COMPUTER  ¦
¦VIRUSES. LIKE THE STEALTH¦
¦ BOMBER, I GO UNDETECTED ¦
¦     BY ENEMY RADAR      ¦
+-------------------------+
!!! DO NOT PANIC !!!
I AM JUST SHOWING OFF HOW
EASY I CAN EVADE YOUR ANTI
VIRUS SYSTEM - I DO NO HARM

Stb

Monday, February 25th, 2008

It’s a dangerous memory resident virus. It hooks INT 13h and infects floppy boot sectors and the hard disk MBR. It infects some types of hard disks incorrectly.

StayCool.573

Monday, February 25th, 2008

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus contains the text string:
Louise Broderick my princess Written at Barclays plc Softare Labs Stay Cool
Mickey Athwel

Stasi.1728

Monday, February 25th, 2008

It is a very dangerous nonmemory resident parasitic polymorphic virus. It searches for EXE files and writes itself to the end of the file. The virus contains lists of file names. The first list is:
(.ID ANTI-VIR.DAT C:\TBAV\VIRSCAN.DAT CHKLIST.CPS C:\CPAV\CHKLIST.CPS
C:\NAV_._NO C:\NOVIRCVR.CTS C:\NOVIPERF.DAT C:\TOOLKIT\FILES.LST
C:\FSIZES.QCV C:\UNTOUCH\UT.UT1 C:\UNTOUCH\UT.UT2 C:\VS.VS

and the virus deletes these files when they are executed. The virus does not infect a file if the file name contains a string from the second list:
F- FLU SCAN CLEAN TB TNT VIR

Sometimes this virus displays one of the messages:
Erich Mielke is still alive! Watch out for Stasi spys!
Ever heard of Markus Wolf? Stasi is watching you!

The virus writes to the boot sectors a command that halts the computer while booting. The virus also contains the text string:
Stasi is watching you! Nice programming, eh? The Stasi virus is written by
the author of Vriest, 789 (aka Filehider) and Witcode. Black Axis

Starship

Monday, February 25th, 2008

This is a memory resident, not dangerous, stealth polymorphic virus. It infects only newly created COM and EXE files on the A: and B: drives. The virus also infects the MBR of the hard disk if an infected file is started. As a result of this policy the virus stays resident in memory and can be moved to other computers with a minimum of infected objects, which makes the virus more difficult to find. There is one more reason to use such a policy: when only newly created files are infected there is no need to control the DOS fatal errors (INT 24h).
The virus infects files in a standard way using the polymorphic mechanism. To infect a disk the virus places itself in the last sectors of the disk and replaces the active boot sector address in the Partition Table with its own starting address. When the MBR or the last sectors are accessed, the virus uses a stealth mechanism.
The virus infects the memory during rebooting from an infected disk. It places some part of its TSR copy into the interrupt vector table (0000:02C0) and into the BIOS Data Area (0000:04B0); the main part of the code is placed into the video RAM (BB00:0050). When the operating system is loaded the virus looks for other programs. If some program has been swapped from the memory (Exit - INT 20h, INT 21h with AH=0 or 4Ch) the virus moves from the video RAM to the place of the program. If a program remains resident (Keep - INT 27h, INT 21h with AH=31h) the virus “attaches” its code to the program body. If the main part in the video RAM has been corrupted, the virus restores it from the disk.
Depending on its internal counters the virus “beeps” using Morse code and shows “stars” on the screen. It contains the string “>STARSHIP_1<”. The virus hooks INT 13h, 20h, 21h, 27h.
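
The disk infection described above leaves a checkable trace in a raw MBR image: an active partition entry whose boot sector address has been moved to the end of the disk. The following is an added example, not part of the original description; it assumes the standard 16-byte partition entry layout, a known disk geometry, and a hypothetical 16-sector tail window, and it must read the sector from a clean boot or an offline image because the virus hides the MBR while resident.

```python
import struct

def parse_entries(mbr):
    """Yield (status, (cyl, head, sec), lba_start) for each used partition slot."""
    if len(mbr) != 512 or mbr[510:] != b"\x55\xaa":
        raise ValueError("expected a 512-byte sector ending in 55 AA")
    for off in range(446, 510, 16):
        status, head, sc, cl, ptype, _, _, _, lba, _ = struct.unpack_from("<8BII", mbr, off)
        if ptype:  # type 0 marks an unused slot
            yield status, (((sc & 0xC0) << 2) | cl, head, sc & 0x3F), lba

def chs_to_lba(chs, heads, spt):
    cyl, head, sec = chs
    return (cyl * heads + head) * spt + (sec - 1)

def check_active(mbr, heads, spt, total_sectors, tail=16):
    """Return findings for active entries whose boot sector address looks moved."""
    findings = []
    for status, chs, lba in parse_entries(mbr):
        if status != 0x80:
            continue
        start = chs_to_lba(chs, heads, spt)
        # Cylinder 1023 is the CHS overflow value on large disks; skip those.
        if chs[0] < 1023 and start != lba:
            findings.append(f"CHS start {start} != LBA start {lba}")
        if max(start, lba) >= total_sectors - tail:
            findings.append(f"boot sector address within last {tail} sectors")
    return findings

def build_mbr(chs, lba, count):
    """Constructed sample: empty boot code plus one active FAT16 (0x06) entry."""
    cyl, head, sec = chs
    entry = struct.pack("<8BII", 0x80, head, sec | ((cyl >> 2) & 0xC0),
                        cyl & 0xFF, 0x06, 0, 0, 0, lba, count)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

# Constructed geometry: 100 cylinders, 16 heads, 63 sectors per track.
HEADS, SPT, TOTAL = 16, 63, 100 * 16 * 63
CLEAN = build_mbr((0, 1, 1), 63, TOTAL - 63)
# Start address moved to cylinder 99, head 15, sector 58 (LBA 100794).
MOVED = build_mbr((99, 15, 58), 63, TOTAL - 63)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN), ("moved", MOVED)):
        print(name, check_active(mbr, HEADS, SPT, TOTAL))
```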

Starcon.1057

Monday, February 25th, 2008

It is a dangerous memory resident partly encrypted parasitic virus. It hooks INT 21h and writes itself to the end of .COM files that are executed, opened or accessed by FindFirst/Next DOS calls. The virus deletes STARCON.* files and contains the text string:
starcon

