Details
GmSpirit.2655

It is not a dangerous memory resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus does not manifest itself in any way. The virus contains the text strings:
[GM.Spirit]
[v1.10]
[Author: Green Monster, Russia]
We live in XMSall

The virus uses many complex programming tricks:
- it stores its TSR copy in the XMS memory and leaves in DOS memory just a small routine that hooks file execution, then allocates a block of DOS memory, copies to there the main virus body from the XMS, and executes it;
- when other programs are executed, the virus is able to move this routine in DOS memory;
- to intercept file execution the virus scans DOS kernel and patches DOS handler code with JMP_Virus instruction;
e.t.c.

Related Posts

This entry was posted on Tuesday, October 31st, 2006 at 4:00 am and is filed under Virus Threats.