Crazy.140
Details
Crazy.1402
These are harmless memory-resident stealth viruses that infect COM files when a program terminates (the Exit and Keep DOS functions), when files are searched for (FindFirst and FindNext), or when a file is closed. The viruses decrease the memory area allocated for DOS (the word at the address 0000:0413). They hook 12 DOS functions and use a stealth mechanism: they restore infected files as they are accessed. Upon installation the viruses create two copies of themselves in RAM: an operational one and a backup one. On every call to interrupt 1Ch (Timer Tick), the “Crazy” viruses write their backup copy over the address of their operational copy, and in this way get rid of debuggers. The viruses hook INT 1Ch and INT 21h and contain the text:
“Crazy.1402” - Crazy imp. v1.5
“Crazy.1445” - Crazy imp. v2.0