Zombie.VPI.1521
Details
This is a memory-resident parasitic virus. It writes itself to the end of EXE files that are executed, opened, or whose attributes are read or modified. It has two unusual features: the way it encodes its own body when infecting files, and its installation into Shadow RAM.
When an infected file is executed, the virus probes the Shadow RAM control ports (present only on Pentium-class PCs). If these ports are accessible, the virus looks for a "cave" of zero bytes in Shadow memory, opens Shadow RAM for writing, copies itself into the cave, and closes Shadow RAM for writing again. If there is not enough free space, it instead overwrites either the standard video font or some other piece of code (a driver?), provided that font or code resides in Shadow memory. The virus then hooks INT 13h, waits for any EXE file to be executed, and at that point hooks INT 21h.
Once the virus is installed, Shadow memory stays closed for writing. Whenever the virus's INT 13h or INT 21h handler takes control and needs to modify the virus's own data, it temporarily reopens Shadow RAM for writing and closes it afterwards.
While infecting files the virus encodes itself in a curious way: it does not encrypt itself as ordinary self-encrypting viruses do, but transforms its body into a sequence of 00h and FFh bytes. Each of the eight bits of every code byte becomes one whole byte, 00h for a zero bit and FFh for a one bit, so the stored body is eight times the size of the real code. As a result, although the actual virus code is under 2K, an infected file grows by more than 15K.
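The encoding described above, carried through as an added example in Python (this is not the virus's own code, and nothing here is taken from a sample): an encoder that turns every bit into a 00h/FFh byte, the matching decoder, and a simple scanner heuristic that measures the run of 00h/FFh bytes at the end of a file. The bit order (most significant bit first), the function names and the constructed sample bytes are this example's assumptions; the page does not state them.

```python
"""Added example of the one-bit-per-byte encoding used by Zombie.VPI for its
body inside infected files. Not the virus's code; names, bit order and the
sample payload are assumptions made for this example."""


def bit_expand(code: bytes) -> bytes:
    """Encode: every bit of every byte (MSB first, an assumption) becomes one
    byte, 0x00 for a 0 bit and 0xFF for a 1 bit. Output is 8x the input."""
    out = bytearray()
    for b in code:
        for i in range(7, -1, -1):
            out.append(0xFF if (b >> i) & 1 else 0x00)
    return bytes(out)


def bit_collapse(blob: bytes) -> bytes:
    """Decode: each group of eight 0x00/0xFF bytes becomes one code byte.
    Anything that is not a clean 00h/FFh sequence is rejected, so a scanner
    using this on a suspect file tail will not silently produce garbage."""
    if len(blob) % 8:
        raise ValueError("encoded length must be a multiple of 8")
    out = bytearray()
    for off in range(0, len(blob), 8):
        chunk = blob[off:off + 8]
        if any(c not in (0x00, 0xFF) for c in chunk):
            raise ValueError(f"offset {off}: not a 00h/FFh-only chunk")
        value = 0
        for c in chunk:
            value = (value << 1) | (c & 1)   # 0xFF & 1 == 1, 0x00 & 1 == 0
        out.append(value)
    return bytes(out)


def suspicious_tail(exe: bytes, min_len: int = 1024) -> int:
    """Scanner heuristic of this example, not from the page: length of the
    trailing run of bytes that are only 0x00 or 0xFF, or 0 if that run is
    shorter than min_len. An encoded 1521-byte body would be 12168 such bytes."""
    run = 0
    for c in reversed(exe):
        if c not in (0x00, 0xFF):
            break
        run += 1
    return run if run >= min_len else 0


if __name__ == "__main__":
    # Constructed sample: a short fake code fragment, not a real virus body.
    sample = b"MZ\x90\x00\xa5\x5a\xff\x01"
    encoded = bit_expand(sample)
    assert bit_collapse(encoded) == sample
    host = b"MZ" + b"\x00" * 510 + encoded          # fake host + appended body
    print(len(encoded), suspicious_tail(host))
```

Two caveats for anyone turning this into detection logic. First, a tail made only of 00h/FFh bytes is weak evidence on its own: zero padding at the end of executables is common, so the heuristic should be combined with the file-length growth the page describes. Second, because the stored body cannot execute until something converts the 00h/FFh bytes back into code, part of whatever is appended to the host must be ordinary code; that plain decoder portion, which the page does not describe, is the better place to look for a signature.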
When disk sectors are read through INT 13h, the virus checks whether they contain directory entries, searches those entries for references to several files, and erases the references it finds. The targeted names (anti-virus and debugging tools, and C source files) are: ADINF, AIDS, AVP, WEB, DRWEB, *.CPP, *.C, S-ICE, TD, DEBUG, WEB70801, CA.AV?
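The directory-sector manipulation above, re-implemented as an added Python example over a constructed FAT directory sector (this is not the virus's code and is not derived from a sample). The example assumes 32-byte FAT directory entries with a space-padded 8-character name and 3-character extension, that a bare name in the list such as ADINF matches that name with any extension, and that "erasing" an entry means writing the standard FAT deletion marker 0E5h into its first byte; the page states none of these details, nor whether the virus writes the altered sector back to disk. The function names and the sample entries are this example's own.

```python
"""Added example: scanning a FAT directory sector for the file names Zombie.VPI
hides and marking their entries as deleted. Not the virus's code. Assumptions:
32-byte 8.3 entries, bare names match any extension, erasure = 0xE5 marker."""

from typing import List, Tuple

# Names as listed on the page.
TARGETS = ["ADINF", "AIDS", "AVP", "WEB", "DRWEB", "*.CPP", "*.C",
           "S-ICE", "TD", "DEBUG", "WEB70801", "CA.AV?"]


def match_field(field: str, pat: str) -> bool:
    """DOS-style match of one name or extension field: '*' matches the rest,
    '?' matches one character or the (space-padded) end of the field."""
    i = 0
    for p in pat:
        if p == "*":
            return True
        if i < len(field):
            if p != "?" and p != field[i]:
                return False
            i += 1
        elif p != "?":
            return False
    return i == len(field)


def match_83(name: str, ext: str, pattern: str) -> bool:
    """Match an 8.3 entry against one target. A pattern without a dot is
    treated as 'this name, any extension' (assumption for this example)."""
    pname, dot, pext = pattern.upper().partition(".")
    if not match_field(name.upper(), pname):
        return False
    return True if not dot else match_field(ext.upper(), pext)


def hide_targets(sector: bytes) -> Tuple[bytes, List[str]]:
    """Walk the 32-byte entries of a directory sector, mark every entry whose
    name matches TARGETS as deleted (0xE5), and return the patched buffer plus
    the names that were hidden. Runs on the in-memory copy only."""
    buf = bytearray(sector)
    erased: List[str] = []
    for off in range(0, len(buf) - 31, 32):
        first = buf[off]
        if first == 0x00:                 # end-of-directory marker
            break
        if first == 0xE5 or buf[off + 11] == 0x0F:   # already deleted, or LFN piece
            continue
        name = bytes(buf[off:off + 8]).decode("latin-1").rstrip(" ")
        ext = bytes(buf[off + 8:off + 11]).decode("latin-1").rstrip(" ")
        if any(match_83(name, ext, t) for t in TARGETS):
            erased.append(f"{name}.{ext}" if ext else name)
            buf[off] = 0xE5
    return bytes(buf), erased


def make_entry(name: str, ext: str, attr: int = 0x20) -> bytes:
    """Build one 32-byte directory entry (name, ext, attribute, 20 bytes of
    zeroed time/size fields) for the constructed sample below."""
    return name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr]) + bytes(20)


# Constructed sample sector: seven entries followed by the end marker.
SAMPLE_SECTOR = b"".join([
    make_entry("COMMAND", "COM"),
    make_entry("AVP", "EXE"),      # hidden: bare target AVP
    make_entry("HELLO", "CPP"),    # hidden: *.CPP
    make_entry("CA", "AV"),        # hidden: CA.AV? with '?' matching the padded end
    make_entry("TDX", "EXE"),      # kept: TD does not match TDX
    make_entry("TD", "EXE"),       # hidden: bare target TD
    make_entry("README", "TXT"),
]).ljust(512, b"\x00")


if __name__ == "__main__":
    patched, gone = hide_targets(SAMPLE_SECTOR)
    print("hidden:", gone)
```

Running the sample hides AVP.EXE, HELLO.CPP, CA.AV and TD.EXE and leaves COMMAND.COM, TDX.EXE and README.TXT untouched; a second pass over the patched buffer changes nothing, since deleted entries are skipped. The practical consequence of this technique is that the files vanish from directory listings while the virus is resident, which is one reason a suspect machine is examined after booting from clean media.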
The virus also contains the text:
Z0MBiE`1635 v1.00 (c) 1997 Z0MBiE
Tnx to S.S.R. & Lerg
ShadowRAM/Virtual Process Infector