| Description:
|
Details
Kiev.2048
This is a memory resident virus which infects Boot-sector of drive C: and every 3th .EXE-file being started. When starting the infector creates file '.SYS 2048 bytes longer in root directory of drive C: and writes virus' body and original Boot-sector of C: drive into this file. The file '.SYS have a SYS-format. Then this file marked as deleted (the record in Root directory sector marked as deleted), but really not removed from disk. Into Boot-sector an is writing a program which during booting "restored" file '.SYS and appends to start of the file C:CONFIG.SYS the string "device='.sys". After installation from file '.SYS the virus restores the file CONFIG.SYS (removes the record "device='.sys") and marks as deleted the file '.SYS.
The infector stays resident only from installation from infected Boot-drive. It contains a strings: "NUL", "KIEV", "c:'.sys","CONFIG SYS","device='.sys". The virus play very well the anthem of formed USSR, don't work with >32M drives, hooks INT 8, 21h. |
