Uruguay Family
These are memory-resident, non-dangerous polymorphic viruses. They hook INT 21h and infect COM and EXE files (except COMMAND.COM) when the files are opened or executed. These viruses convert EXE files to COM format (see the “VACSINA” family). They write themselves to the end of the file or into the middle of the file. The length of an infected file grows up to a value that is divisible by 13h (“Uruguay.2379”) or 17h (other “Uruguay” viruses); “Uruguay.4268” increases the file length by 4269 bytes.
The viruses trace INT 13h and INT 21h during installation. Some of the “Uruguay” viruses insert a 5-byte JMP FAR VIRUS instruction into the DOS INT 21h handler and hook INT 2Ah.
“Uruguay.4268” also hooks INT 9 (keyboard). After the Alt-Ctrl-Del combination (warm reboot) it manipulates interrupt vectors and memory allocation so that it stays memory resident across the warm reboot: it traces the hardware interrupts 8, 9, 10h, 13h, 15h, 16h, 1Ah and 1Ch and sets them to their BIOS addresses, disables the HIMEM.SYS driver, decreases the DOS RAM size (the word at address 0000:0413), copies its own body into the area cut off this way, hooks INT 8 and INT 9 and then issues an INT 19h call (bootstrap loader). The loader reads and executes DOS files and the virus checks this (as it hooks INT
and sets INT 21h and INT 2Ah. So this virus will stay resident after warm reboot.
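A defender-side check for the residency trick described above, as an added example that is not part of the original description: it reads a dump of the first 0x500 bytes of real-mode memory, compares the word at 0000:0413 with an expected baseline, and lists interrupt vectors that point into the memory cut off above the reported top. The function names, the 640 KB baseline and the sample dump are assumptions constructed for illustration.

```python
import struct

IVT_ENTRIES = 256      # real-mode interrupt vector table: 256 far pointers at 0000:0000
BDA_BASE_MEM = 0x413   # word at 0000:0413: conventional (DOS) memory size in KB
VIDEO_START = 0xA0000  # end of the 640 KB conventional memory area


def check_low_memory(dump, expected_kb=640):
    """Return (reported_kb, missing_kb, suspicious_vectors) for a low-memory dump."""
    if len(dump) < BDA_BASE_MEM + 2:
        raise ValueError("dump must cover the IVT and the BIOS data area")
    (reported_kb,) = struct.unpack_from("<H", dump, BDA_BASE_MEM)
    top = reported_kb * 1024
    suspicious = []
    for n in range(IVT_ENTRIES):
        # Each IVT entry is stored as offset first, then segment.
        off, seg = struct.unpack_from("<HH", dump, n * 4)
        linear = (seg << 4) + off
        # A handler between the reported top of memory and video RAM sits in
        # memory that DOS no longer accounts for.
        if top <= linear < VIDEO_START:
            suspicious.append((n, seg, off))
    return reported_kb, max(expected_kb - reported_kb, 0), suspicious


def build_sample_dump():
    """Constructed sample: 634 KB reported, INT 8 and INT 9 pointing above the new top."""
    dump = bytearray(0x500)
    for n in range(IVT_ENTRIES):
        struct.pack_into("<HH", dump, n * 4, n, 0xF000)  # placeholder BIOS ROM handlers
    struct.pack_into("<H", dump, BDA_BASE_MEM, 634)      # 6 KB cut from 640 KB
    for n, off in ((0x08, 0x0120), (0x09, 0x0188)):      # constructed offsets
        struct.pack_into("<HH", dump, n * 4, off, 0x9E80)  # 9E80:0000 = 634 KB boundary
    return bytes(dump)


if __name__ == "__main__":
    kb, missing, hits = check_low_memory(build_sample_dump())
    print(f"reported base memory: {kb} KB ({missing} KB below baseline)")
    for n, seg, off in hits:
        print(f"INT {n:02X}h -> {seg:04X}:{off:04X} (above reported top of memory)")
```

Some BIOSes reserve 1 KB at the top of conventional memory for the extended BIOS data area, so pass the machine's known-good value as `expected_kb` rather than relying on 640.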
Manifestations: “Uruguay” viruses beep and display the messages:
“Uruguay.2313”:
I love ROXETTE !!!
Virus ‘Uruguay-#2’
Programmed in Montevideo (URUGUAY) by F3161. 04/92.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.2379”:
The BEATLEMANIA is alive!
THE BEATLES, for ever, the best.
John, Paul, George and Ringo, ladies and gentlemen, here they are!
PLEASE, PLEASE ME. WITH THE BEATLES. A HARD DAY’S NIGHT.
BEATLES FOR SALE. HELP. RUBBER SOUL. REVOLVER.
SGT.PEEPERS LONELY HEARTS CLUB BAND. THE BEATLES. YELLOW SUBMARINE.
ABBEY ROAD. LET IT BE. MAGICAL MISTERY TOUR.
Other LP and singles availableall
Virus ‘Uruguay-#1’
Programmed in Montevideo (URUGUAY) by F3161. 03/92.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.2456”:
‘Uruguay-#3’ Virus
Programmed in Montevideo (URUGUAY) by F3161. 06/92.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.2623”:
‘Uruguay-#4’ Virus
Programmed in Montevideo (URUGUAY) by F3161. 07/92.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.4268”:
‘Uruguay-#5’ Virus
Programmed in Montevideo (URUGUAY) by F3161. 08/92.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.4879”:
‘Uruguay-#6’ Virus
Programmed in Montevideo (URUGUAY) by F3161. 11/92.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.4906”:
Uruguay-#9 Virus
Programmed in Montevideo (URUGUAY). 12/93.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.6344”:
Uruguay-#7 installed (seg=9CF8)
Uruguay-#7 Virus
Programmed in Montevideo (URUGUAY). 02/93.
This is a research virus - DO NOT DISTRIBUTE.
“Uruguay.6396”:
Uruguay-#10 Virus
Programmed in Montevideo (URUGUAY). 05/94.
This is a research virus - DO NOT DISTRIBUTE.
These viruses also contain the text “COMMAND.COM.EXE”.