Unknown_II.5559
This is a harmless, memory-resident, polymorphic, stealth parasitic virus. When an infected file is executed, the virus decrypts itself, hooks INT 21h and 22h, and executes the host file. To hook INT 21h, the virus scans the DOS kernel, patches the DOS INT 21h handler with the bytes CDh 29h (an INT 29h call), and patches the DOS INT 29h handler with a "JMP FAR Virus" instruction.
The virus traces INT 13h, 21h and 40h to obtain their original addresses, and uses those addresses while infecting files. It infects COM and EXE files (except IBMBIO.COM and IBMDOS.COM) when they are accessed. While infecting, the virus writes itself to the end of the file. When an infected file is opened, the virus disinfects it.
The virus contains the text strings:
IBMBIO IBMDOS
Unknown 1.0
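The INT 21h hook described above leaves a recognisable two-step redirection in memory, and the following added example (not part of the original description) checks a real-mode memory image for it. It assumes the interrupt vector table entries for INT 21h and INT 29h still point at the patched DOS handlers and that the patches sit at the handler entry points; the function names, addresses and sample bytes are constructed for illustration.

```python
import struct

INT29_CALL = b"\xCD\x29"  # INT 29h, the two bytes named in the description
JMP_FAR = 0xEA            # opcode of JMP FAR ptr16:16


def ivt_entry(mem, vector):
    """Return (segment, offset) stored in the real-mode IVT for `vector`."""
    off, seg = struct.unpack_from("<HH", mem, vector * 4)
    return seg, off


def linear(seg, off):
    """Convert real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def find_int21_redirect(mem):
    """Return (seg, off) of the far-jump target if the hook pattern is present, else None."""
    h21 = linear(*ivt_entry(mem, 0x21))
    if mem[h21:h21 + 2] != INT29_CALL:
        return None  # INT 21h handler does not start with INT 29h
    h29 = linear(*ivt_entry(mem, 0x29))
    if h29 + 5 > len(mem) or mem[h29] != JMP_FAR:
        return None  # INT 29h handler is not a far jump
    off, seg = struct.unpack_from("<HH", mem, h29 + 1)
    return seg, off


def build_image(patched):
    """Constructed 8 KiB sample image; every address and byte here is made up."""
    mem = bytearray(0x2000)
    struct.pack_into("<HH", mem, 0x21 * 4, 0x0040, 0x0100)  # INT 21h -> 0100:0040
    struct.pack_into("<HH", mem, 0x29 * 4, 0x0200, 0x0100)  # INT 29h -> 0100:0200
    mem[0x1040:0x1042] = b"\xFA\x80"              # placeholder unpatched bytes
    mem[0x1200:0x1205] = b"\x50\x53\x51\x52\xCF"  # placeholder unpatched bytes
    if patched:
        mem[0x1040:0x1042] = INT29_CALL
        mem[0x1200:0x1205] = bytes([JMP_FAR]) + struct.pack("<HH", 0x0100, 0x9000)
    return bytes(mem)


if __name__ == "__main__":
    for label, image in (("clean", build_image(False)), ("patched", build_image(True))):
        hit = find_int21_redirect(image)
        print(label, "->", "no hook pattern" if hit is None else "redirect to %04X:%04X" % hit)
```

A hit only reports where the far jump leads; whether that segment belongs to a known resident program still has to be checked against the memory control block chain.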