Details
Ira.16384
It is a very dangerous non-memory-resident parasitic virus. It searches for COM and EXE files, then writes itself to the beginning of the file. The virus looks for anti-virus programs and deletes them: ANTI*, DRWEB, AIDS*, AVP*, SCAN, ADINF, FPROT, TBAV, VIR*. The virus also deletes the anti-virus data files: *.AVC, *.MS and *.CP.
While searching for files and while reading and writing them, the virus does not use any DOS calls; it accesses the hard drive directly instead. These accesses are performed through the hard drive controller's I/O ports, so the virus avoids any anti-virus protection (except hardware-based protection).
This method of infection is quite complex, so the virus performs several checks on each hard drive before infecting files on it, and "supports" FAT16 drives only. Even so, the virus has bugs and may destroy data on disks while infecting.
The "debug" version of the virus displays messages when run:
Processing physical drive
Processing logical drive
Compatibility test done
Drive processed
Executing RULEZ_FOREVER
RULEZ_FOREVER Executed
Executing PROCESS_DIR [cluster ], RECURSIVE
Extension checked - OK
*** Executing SUPER_INFECT ***
Back from recursive subprogram
The virus also contains the text strings:
SZ0MBiE#ID1234
-----------------------------------------------------------------------------
[FIRE] FAT16 Independent Replicative Emulator Copyright (c) 1998 Z0MBiE
Release 1.00[BETA] *** NOT FOR [RE]PUBLISHING IN VX-ZINES, EXCEPT 29A ***
Thanx to S.S.R. & LordASD HomePage: http://www.chat.ru/~z0mbie
-----------------------------------------------------------------------------
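
A defender-side sweep for the description above, as an added example (not code from the original page or from any anti-virus product): it reads only the start of each COM/EXE file, where the virus writes itself, and looks for the text strings quoted above. It assumes those strings are stored unencrypted in the virus body and that "16384" in the name is the body length in bytes; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Strings quoted on this page; assumed to sit unencrypted in the virus body.
MARKERS = (b"[FIRE] FAT16 Independent Replicative Emulator", b"SZ0MBiE#ID1234")
# Assumption: the "16384" in the name is the body length in bytes, so a
# prepended copy lies entirely within the first 16384 bytes of the host.
HEAD_LEN = 16384
TARGET_EXTS = (".com", ".exe")


def scan_file(path):
    """Return the marker strings found in the first HEAD_LEN bytes of path."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD_LEN)
    return [m.decode("ascii") for m in MARKERS if m in head]


def scan_tree(root):
    """Map each COM/EXE file under root that carries a marker to its hits."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(TARGET_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                found = scan_file(path)
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            if found:
                hits[path] = found
    return hits


def demo():
    """Scan constructed sample files (no real virus code); return hit names."""
    samples = {
        "MARKED.COM": b"\x00" * 64 + MARKERS[0] + b"\x00" * 64,  # marker in head
        "CLEAN.EXE": b"MZ" + b"\x00" * 256,                      # no marker
        "TAIL.COM": b"\x00" * HEAD_LEN + MARKERS[1],             # marker past head
        "NOTES.TXT": MARKERS[0],                                 # not a target type
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return sorted(os.path.basename(p) for p in scan_tree(root))
```

Because the virus is described as buggy and able to destroy data while infecting, a hit indicates a file to restore from a known-good copy rather than one to trust after cleaning.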