Div.725
It is a harmless, nonmemory-resident, encrypted parasitic virus that uses anti-debugging tricks. When an infected file is executed, the virus searches for COM files, then writes itself into the middle of the file. It then leaves a copy of itself in system memory, hooks INT 21h and intercepts file access calls, but this resident copy does not infect files. It seems that the virus author did not complete this part of the virus code, so the virus is marked as "nonmemory resident".
The virus splits its code into four blocks (the second block is encrypted) and writes them to the file at fixed offsets 0, 100h and 300h, and at the end of the file. Before doing so, the virus saves all the data that will be overwritten to the end of the file.