Details
DrDemon Family
DrDemon.1816 and 1888
These are very dangerous memory resident encrypted parasitic viruses. They trace INT 21h, hook INT 8 and 21h, and then they write themselves to the end of COM and EXE files that are accessed. The “DrDemon.1816″ virus has a bug, and may corrupt files while infecting them. When the file AIDS*.* is accessed, the viruses display:
MUTABOR
The viruses display the same message in about 30 minutes after installation into the system memory.
On the 13th of any month after the 10th infection, the viruses display the following messages:
It is very long story - struggle against virusesall
(c) 1994,95 by Dr. Demon , version 4.0
Make sure all your disks are not bootable now !
and overwrite the hard drive sectors with the same strings.
DrDemon.4634
This is a harmless memory-resident polymorphic multipartite virus. While executing an infected file, the virus infects the hard-drive MBR, hooks INT 21h and stays memory resident. While loading from an infected MBR, the virus cuts 10K of DOS memory (the word at address 0000:0413), hooks INT 1Ch, waits for the DOS-loading process, hooks INT 21h and releases INT 1Ch. When any of the DOS calls Execute or Allocate, Release, Free Memory is intercepted, the virus restores the size of DOS memory, and arranges its block of memory by fixing the MCB list.
By hooking INT 21h, the virus intercepts access to COM and EXE files, and writes itself to the file end. The virus does not infect the files with the names beginning with any of the following variants:
AIDS WEB VB ADINF SCAN CLEAN DRW
The virus also contains the text string:
MB Pro (c) 1994,95 by Dr.Demon
Related Posts
DrDemon FamilVM FamilMag FamilTic FamilTokyo Famil
This entry was posted
on Friday, September 29th, 2006 at 4:00 am and is filed under Virus Threats.
Details
DrDemon Family
DrDemon.1816 and 1888
These are very dangerous memory resident encrypted parasitic viruses. They trace INT 21h, hook INT 8 and 21h, and then they write themselves to the end of COM and EXE files that are accessed. The “DrDemon.1816″ virus has a bug, and may corrupt files while infecting them. When the file AIDS*.* is accessed, the viruses display:
MUTABOR
The viruses display the same message in about 30 minutes after installation into the system memory.
On the 13th of any month after the 10th infection, the viruses display the following messages:
It is very long story - struggle against virusesall
(c) 1994,95 by Dr. Demon , version 4.0
Make sure all your disks are not bootable now !
and overwrite the hard drive sectors with the same strings.
DrDemon.4634
This is a harmless memory-resident polymorphic multipartite virus. While executing an infected file, the virus infects the hard-drive MBR, hooks INT 21h and stays memory resident. While loading from an infected MBR, the virus cuts 10K of DOS memory (the word at address 0000:0413), hooks INT 1Ch, waits for the DOS-loading process, hooks INT 21h and releases INT 1Ch. When any of the DOS calls Execute or Allocate, Release, Free Memory is intercepted, the virus restores the size of DOS memory, and arranges its block of memory by fixing the MCB list.
By hooking INT 21h, the virus intercepts access to COM and EXE files, and writes itself to the file end. The virus does not infect the files with the names beginning with any of the following variants:
AIDS WEB VB ADINF SCAN CLEAN DRW
The virus also contains the text string:
MB Pro (c) 1994,95 by Dr.Demon
Related Posts
DrDemon FamilVM FamilMag FamilTic FamilTokyo Famil
This entry was posted
on Friday, September 29th, 2006 at 2:00 am and is filed under Virus Threats.