PM_Wanderer.368 Viruses Information
Name: PM_Wanderer.368
Category: Viruses
Description:
Details
PM_Wanderer.3684
This is a protected-mode resident parasitic polymorphic virus named after the text string in its code:
WANDERER,(c) P. Demenuk
The virus infects COM and EXE files (except COMMAND.COM) when they are executed or opened. While infecting a file, the virus writes itself to the beginning of COM files and to the middle of EXE files (between the EXE header and the EXE module). The original file code/data is saved to the end of the file.
When an infected file is executed, the virus copies itself to extended memory, switches the system to protected mode and hooks the INT 1 (tracing) and INT 9 (keyboard) interrupts. As a result, the virus is not visible to standard DOS anti-virus or memory-browsing utilities.
To hook the DOS calls Execute and FileOpen, the virus uses the i386 debug features. It sets one of the i386 debug breakpoints to the address of the INT 21h handler. As a result, when control is passed to the INT 21h handler, the i386 generates an INT 1 call and the virus takes control.
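The breakpoint hook described above can be checked for in a captured machine state. The following is an added example, not code from the original page: it assumes a snapshot of the real-mode interrupt vector table and of DR0-DR3/DR7 is available, and that the handler's linear address is segment*16+offset (no paging remap). The function names and sample values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Linear address of a real-mode interrupt handler, read from an IVT image.
   Each vector occupies 4 bytes at vec*4: offset word, then segment word. */
static uint32_t ivt_handler_linear(const uint8_t *ivt, unsigned vec)
{
    const uint8_t *e = ivt + vec * 4u;
    uint32_t off = (uint32_t)e[0] | ((uint32_t)e[1] << 8);
    uint32_t seg = (uint32_t)e[2] | ((uint32_t)e[3] << 8);
    return (seg << 4) + off;
}

/* Index (0-3) of an enabled execution breakpoint set on `target`, or -1.
   DR7 layout: bits 2i and 2i+1 are the Li/Gi enable bits for DRi;
   bits 16+4i..17+4i are R/Wi, where 00 means "break on instruction fetch". */
static int exec_bp_on(const uint32_t dr[4], uint32_t dr7, uint32_t target)
{
    for (int i = 0; i < 4; i++) {
        unsigned enabled = (dr7 >> (2 * i)) & 3u;
        unsigned rw = (dr7 >> (16 + 4 * i)) & 3u;
        if (enabled && rw == 0 && dr[i] == target)
            return i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: IVT image with INT 21h -> 0019:40F8 */
    static uint8_t ivt[1024];
    ivt[0x21 * 4 + 0] = 0xF8; ivt[0x21 * 4 + 1] = 0x40;
    ivt[0x21 * 4 + 2] = 0x19; ivt[0x21 * 4 + 3] = 0x00;
    uint32_t target = ivt_handler_linear(ivt, 0x21);

    /* Constructed register snapshot: DR1 armed (L1|G1), R/W1 = 00 (execute) */
    uint32_t dr[4] = { 0, target, 0, 0 };
    uint32_t dr7 = 0x0000000Cu;

    int hit = exec_bp_on(dr, dr7, target);
    if (hit >= 0)
        printf("INT 21h handler %05lX is covered by execution breakpoint DR%d\n",
               (unsigned long)target, hit);
    else
        printf("no execution breakpoint on INT 21h handler %05lX\n",
               (unsigned long)target);
    return 0;
}
```

An armed execution breakpoint on the INT 21h entry point under plain DOS, with no debugger loaded, is the condition worth flagging.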
The virus looks for some specific code in DOS memory (some anti-virus?) and patches it. The virus does not install itself memory resident if there is no EMS memory available. When MS Windows is run, the virus turns off i386 debugging and restores it after Windows has finished, on the first keystroke (INT 9). The virus is not bug-free and in some cases it halted my test computer.