Prevent Online Threats

Archive for December, 2008

Leningrad.1944

Friday, December 26th, 2008

Details
Leningrad.1944

These are non-dangerous, memory-resident parasitic viruses. “Leningrad.1499,2000.b” are encrypted. They hook INT 1Ch and INT 21h and write themselves to the end of COM files that are executed. Sometimes they play a tune. “Leningrad.2000” contains text strings in Russian and the string:
Leningrad Leningrad Leningrad Leningrad Leningrad Leningrad Leningrad
Leningrad Leningrad Leningrad Leningrad Leningrad Leningrad Leningrad

Lenin.943

Friday, December 26th, 2008

Details
Lenin.943

It is a non-dangerous, non-memory-resident parasitic virus. It searches for EXE files and writes itself to the end of the file. While infecting, it does not alter the EXE entry registers; instead it inserts a CALL FAR instruction at the file entry point and alters the EXE relocation table. Depending on its internal counters, it displays messages in Russian. It also contains the strings:
*.EXE
PATH=

Lena.1000

Friday, December 26th, 2008

Details
Lena.1000

It is not a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or opened. On February 20th the virus decrypts and displays a message in Russian.

Lemming.2029

Friday, December 26th, 2008

Details
Lemming.2029

These are not dangerous memory resident parasitic encrypted stealth viruses. They trace and hook INT 21h and write themselves to the end of COM and EXE files that are executed or closed. When an infected file is opened, these viruses disinfect it. These viruses check the file name and do not infect several anti-virus programs according to the string:
TBAVTBSCANNAVVSAFEFPROT

They search for ThunderByte anti-virus in memory and hack it. While executing some anti-virus programs these viruses hook INT 1Ch and check the flow of these programs.
They also contain the text strings:
TBDRV
You Will Never Trust Anti-Virus Software Again!!
COMcomEXEexe
Packed file is corrupt

and:
“Lemming.2144”: ThunderByte-1994-Australia. ver 1.0
[HiTMaN]
“Lemming.2151,2160”:
The Rise and Fall of ThunderByte-1994-Australia.
[LEMMING] ver .99ß

“Lemming.2247” contains the strings:
Choise virus ver 1.0 !!!!!!!!!!!!!!!!!!!!!!!!!!!
(c) Copyright 1996 by Gurre in Moscowall
DRWEBAVPAIDSTESTVSAFEFPROT
COMcomEXEexe

Lemena.3544

Friday, December 26th, 2008

Details
Lemena.3544

It is a non-dangerous, memory-resident parasitic polymorphic virus. It copies itself to the video memory at address BC00:0000, hooks INT 22h (Terminate call), returns control to the host program, waits for it to terminate and then hooks INT 21h. To hook INT 21h the virus patches the DOS kernel. The virus then writes itself to the end of COM and EXE files that are executed, opened or accessed by the Get/Set File Attributes DOS call.
To hide itself in system memory the virus uses a fairly complex method. When any program is executed, the virus allocates a block of XMS memory, moves its code there, and then copies its INT 22h handler into the DOS kernel (the virus looks for a cave there). The virus then releases INT 21h, hooks INT 22h, erases its TSR copy in the video memory and releases control. As a result, while any program (including an anti-virus) is active, there is no virus code in DOS memory. The main part of the virus code (encrypted) is placed in XMS memory, and the INT 22h handler “waits” for the Terminate call to restore the “status quo” (move the virus code from XMS to the video memory and re-hook INT 21h).
The virus also uses anti-debugging tricks as well as on-the-fly encryption: it decrypts its subroutines before calling them and encrypts them again after they return.
The virus does not infect anti-virus programs -V.EXE, ADINF, AIDSTEST, AVP, CPAV, and so on according to the string (two letters per name):
-VADAIAVCPDRF-FIGUIMIVMSNAPCSCSPSSSVTBTOV-VAVSWE

The virus deletes the anti-virus databases: ANTI-VIR.DAT, AVP.CRC, CHKLIST.CPS, CHKLIST.MS, CHKLIST.TAV, CRC.SVS, FILES.VVL, FINGERP.VVF, IM.PRM, IVB.INI, IVB.NTZ, MSAV.CHK, SMARTCHK.CPS, \AV.CRC, \BOOT.CPS, \BOOT.MS, \BOOT.NTZ, \BOOT.TAV, \IV.INI, \PART.NTZ
According to its random counter the virus displays the texts:
LEMENA’97
BOKEPH’97

The virus also contains the text strings:
TBDRVXXX
[LEMENA'97] by Bokeph from Batavia, Indonesia
[MENA]

Lehigh

Friday, December 26th, 2008

Details
Lehigh

This is a very dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself into the middle of COMMAND.COM when that file is executed or accessed with the DOS function FindFirst (AH=4Eh).
The virus is located in the stack area of COMMAND.COM and does not increase the file length. The virus changes the 2nd and 3rd bytes of the file (JMP Loc_Virus).
The body of the virus contains a counter that is incremented by 1 on every successful infection of another COMMAND.COM file. The counter is saved on disk only when the infected COMMAND.COM has been run from the hard disk. Otherwise the counter is zeroed on every reboot of DOS. When the counter reaches 4, the virus erases the first 32 logical sectors of the disk from which it was run.

Lego.1000

Thursday, December 25th, 2008

Details
Lego.1000

It is a dangerous memory-resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. After 400 infections in the same session it corrupts the CMOS checksum fields and displays the message:
Szétszedtem a géped! Rakd össze, LEGO-zz!
LEGO virus
MESTER (C) 1995

Legion.3274

Thursday, December 25th, 2008

Details
Legion.3274

This is a benign non-memory resident encrypted parasitic virus. It searches for .COM files, then writes itself to the end of the file. The virus does not infect files with names that begin with two-letter variants from the string: “COSODETSANIB-D-UWIPU” (COMMAND.COM, SO*.*, all).
If the day of the month equals the number of the month (January 1, February 2, …), the virus displays the following message:
ATTENTION !!! PERM RESEARCH CENTER
OF AUTO-TRANSFERRING SOFTWARE PRESENT:
+++ ++—++++—+++-+++-+++–++++-+ ++
||| |+– || –++ ||| || |||| ++||
+++-++++—++++—+++-+++-+++–++++ +++ Version 5.00
(C) TEAM O’SHEEN DA 12-Feb-1997
PRESS TO EXECUTE PROGRAM

Leech.1024

Thursday, December 25th, 2008

Details
Leech.1024

These are memory-resident encrypted viruses. They hook INT 21h and write themselves into COM files that are executed or closed. If the first instruction of the file is a JMP (E9h or EBh), the virus inserts itself into the middle of the file at the address the JMP instruction points to; otherwise the virus writes itself to the beginning of the file. While infecting, the virus uses the undocumented System File Table.
Depending on the current time, “Leech.1024”, “Glist.1014” and “Tazta.1008” display the following messages and erase the sectors of the root directory of the current drive:
“Leech.1024”: The leech liveall
“Leech.Tazta.1008”: Super, Super! … March 1993, Tazta.
“Leech.Glist.1014”: Mr.Tapeworm May 1996 The GLIST

“Leech.Warrier.768” is a harmless virus. It contains the text:
The WARRIER!
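
The entry-point test in the Leech description above (first byte E9h or EBh, with the body placed where the JMP points) is also what a scanner has to resolve to find where execution really starts in a COM file. The Python below is an added example, not part of the original descriptions; the function names, the `tail` bound and the sample images are assumptions constructed for illustration.

```python
import struct
from typing import Optional, Tuple

COM_LOAD = 0x100  # DOS loads a COM image at offset 100h of its segment

def jmp_target(image: bytes, off: int) -> Optional[int]:
    """File offset a near/short JMP at `off` transfers to; None if not E9h/EBh."""
    op = image[off] if off < len(image) else None
    if op == 0xE9 and off + 3 <= len(image):        # JMP rel16
        size, disp = 3, struct.unpack_from("<h", image, off + 1)[0]
    elif op == 0xEB and off + 2 <= len(image):      # JMP rel8
        size, disp = 2, struct.unpack_from("<b", image, off + 1)[0]
    else:
        return None
    ip = (COM_LOAD + off + size + disp) & 0xFFFF    # IP wraps within the 64 KiB segment
    return ip - COM_LOAD                            # negative = into the PSP, not the file

def resolve_entry(image: bytes) -> Tuple[Optional[int], int]:
    """Follow entry JMPs: (offset of first non-JMP code, hops), or (None, hops) if unresolved."""
    off, seen = 0, {0}
    while True:
        tgt = jmp_target(image, off)
        if tgt is None:
            return off, len(seen) - 1
        if not 0 <= tgt < len(image) or tgt in seen:  # leaves the file, or loops
            return None, len(seen) - 1
        seen.add(tgt)
        off = tgt

def classify(image: bytes, tail: int = 2048) -> str:
    """Tell a scanner where to look; `tail` is an assumed size bound for appended code."""
    start, hops = resolve_entry(image)
    if start is None:
        return "jmp-unresolved"
    if hops == 0:
        return "no-entry-jmp"
    return "jmp-into-tail" if start >= len(image) - tail else "jmp-into-body"

def sample(first: bytes, size: int = 6000) -> bytes:
    """Constructed test image: `first` bytes followed by NOP filler (no real code)."""
    return first + b"\x90" * (size - len(first))

# Constructed inputs, not taken from any real file.
SAMPLES = {
    "plain":  sample(b"\xB4\x09"),                        # starts with MOV AH,9
    "tail":   sample(b"\xE9" + struct.pack("<h", 4997)),  # JMP to offset 5000
    "middle": sample(b"\xE9" + struct.pack("<h", 997)),   # JMP to offset 1000
    "loop":   sample(b"\xE9" + struct.pack("<h", -3)),    # JMP back to itself
}
print({name: classify(img) for name, img in SAMPLES.items()})
```

A "jmp-into-body" result is the case the Leech text describes, where checking only the end of the file would miss inserted code. For Lehigh, the 2nd and 3rd bytes of COMMAND.COM that the description says are changed are the rel16 operand read by `jmp_target`.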

Leda.820

Thursday, December 25th, 2008

Details
Leda.820

This is a relatively harmless, memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM files that are accessed. From 6 until 11 in November, depending on the system time, it displays the following message and halts the PC:
Masz wirusa LEDA (BDv3.0) , (c) B.D. 27.V.1994
P.S. Dzieki dla autora wirusa FLOOR 1153

Leathal.722.a

Thursday, December 25th, 2008

Details
Leathal.722.a

It is a non-dangerous, non-memory-resident parasitic virus. It searches for COM files and writes itself to the end of the file. It contains/displays the text string:
Leathal$virus$
Leathal Virus Striked your fuking computerall
Do not worry, I am not destructive…

Leandro

Thursday, December 25th, 2008

Details
Leandro

It is a non-dangerous memory-resident boot virus. It hooks INT 13h and writes itself into the MBR of the hard drive and the boot sectors of floppy and hard disks. On October 21st it displays the message:
Leandro and Kelly ! GV-MG-Brazil
You have this virus since

and then displays the date when this computer was infected.

Lcv.864

Wednesday, December 24th, 2008

Details
Lcv.864

It is a harmless non-memory-resident parasitic virus. It searches for .COM files in the current directory and writes itself to the beginning of the file. It contains the text “*.COM”.

Lct.762

Wednesday, December 24th, 2008

Details
Lct.762

This is a benign non-memory-resident parasitic virus. Upon being executed, it searches for all COM files in the current directory and writes itself to the end of each file. The virus contains the text string:
LiquidCode *.COM

Lct.602

Wednesday, December 24th, 2008

Details
Lct.602

This is a benign non-memory-resident parasitic virus. Upon being executed, it searches for all COM files in the current directory and writes itself to the end of each file. On December 25th, upon being executed, the virus immediately returns to DOS. The virus contains the text string:
*.COM LiquidCode 92
