Shimmer Family
These are dangerous memory-resident multipartite viruses. They infect the boot sectors of floppy disks and create BAT and EXE worms that contain the virus body. To install their TSR copies, the viruses use the HMA and video memory.
The BAT files are infected by the same method as in the “Winstart” virus. The “Shimmer” virus creates the WINSTART.BAT file in the C:\WINDOWS directory and writes itself into it. When an infected WINSTART.BAT is executed, the virus creates the INSTALL.EXE file and executes it. INSTALL.EXE contains the virus installer; its code hooks INT 2Fh and 40h and overwrites the boot sectors of any floppy disks that are accessed with the virus code.
When loaded from an infected floppy, the virus hooks INT 1Ah, waits for DOS to load, hooks INT 21h, and creates the C:\WINDOWS\WINSTART.BAT worm during the first call to INT 21h. The virus then disables its infection routine.
The viruses contain bugs and may halt the system. “Shimmer.b” outputs the string “ATM0L0S0=1O1” to the COM port. The viruses contain the following text strings:
“Shimmer.a”
:yt
@echo.PKX>install.exe
@copy/b install.exe+%0.bat>nul
@install.exe
c:\windows\winstart.bat
New Shimmer
“Shimmer.b”
:y~ATM0L0S0=1O1
@ECHO PKX>INSTALL.EXE
@COPY/B INSTALL.EXE+%0.BAT>NUL
@INSTALL.EXE
C:\WINDOWS\WINSTART.BAT
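A heuristic check for the batch dropper sequence visible in the strings above, as an added example that is not part of the original description: it flags a batch file that writes an .EXE with ECHO, appends itself (%0) to that file with COPY/B, and then runs it. The function name, the regular expressions and the sample inputs (assembled from the strings listed above, plus a constructed benign file) are assumptions of this example.

```python
import re

# ECHO whose output is redirected into an .EXE, e.g. "echo.PKX>install.exe"
ECHO_RE = re.compile(r'^echo[.\s]?.*?>+\s*([^\s>]+\.exe)\s*$')
# COPY/B that appends the running batch file (%0) to an .EXE. With no
# destination given, COPY writes the concatenation to the first source file.
COPY_RE = re.compile(r'^copy\s*/b\s+([^\s+]+\.exe)\s*\+\s*%0')

def find_bat_dropper(text):
    """Return the dropped .EXE name if all three steps occur in order, else None."""
    written, appended = set(), set()
    for raw in text.splitlines():
        # Normalise: drop the leading "@" (echo suppression) and ignore case.
        line = raw.strip().lstrip('@').strip().lower()
        if not line or line.startswith(':'):      # blank line or label
            continue
        m = ECHO_RE.match(line)
        if m:
            written.add(m.group(1))
            continue
        m = COPY_RE.match(line)
        if m:
            if m.group(1) in written:
                appended.add(m.group(1))
            continue
        cmd = line.split()[0]
        exe = cmd if cmd.endswith('.exe') else cmd + '.exe'
        if exe in appended:                       # the stitched file is executed
            return exe
    return None

# Sample inputs: the text strings listed above, reassembled as batch text.
SHIMMER_A = r"""
:yt
@echo.PKX>install.exe
@copy/b install.exe+%0.bat>nul
@install.exe
"""
SHIMMER_B = r"""
:y~ATM0L0S0=1O1
@ECHO PKX>INSTALL.EXE
@COPY/B INSTALL.EXE+%0.BAT>NUL
@INSTALL.EXE
"""
# Constructed benign batch file: copies and runs an .EXE but never builds it from %0.
BENIGN = r"""
@echo off
copy /b part1.bin+part2.bin setup.exe
setup.exe
"""
```

The check is a triage heuristic: the order requirement (write, append %0, run) keeps ordinary installers that merely copy and start an .EXE from matching.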