Implant.6128
These are very dangerous memory-resident, polymorphic, stealth multipartite viruses. They infect .COM, .EXE and .SYS files as well as the MBR of the hard drive and the boot sector of floppy disks.
When an infected file is executed, the virus writes itself to the MBR of the hard drive and returns control to the host program. When the system boots from an infected disk, the virus hooks INT 12h, 13h and 1Ch, waits for DOS to load, and then hooks INT 21h. It then writes itself to the end of files when they are closed or renamed, and on the Get/Set File Attributes DOS call. When a program is executed, the virus stores its name and infects it on termination. When an infected file is opened or read, the virus runs its stealth routine. When an infected file is written to, the virus disinfects it. If one of the archiving utilities (ARJ, PKZIP, PKLITE, LHA) or BACKUP is active, the virus turns off its stealth routines. When the TBAV or SCAN anti-virus is executed, the virus adds new options to the command line and turns off anti-virus memory scanning. When Windows is executed, the virus adds a parameter to the command line to disable 32-bit disk access, which is logical for a multipartite virus.
Some "Implant" viruses also do not infect anti-virus programs whose names begin with: 'TB', 'SC', 'F-', 'GU', as well as files whose names contain the characters: '0' - '9', 'V', 'MO', 'IO', 'DO', 'IB'.
By hooking INT 13h, the virus implements its stealth routine on access to infected disk sectors. When the boot sector of drive A: is read, the virus infects it. To store its code, the virus formats an extended track on the disk.
On June 4th the virus erases hard drive sectors, beeps and displays the following text:
<<< SuckSexee Automated Intruder >>>
Viral Implant Bio-Coded by Griyo/29A
In 1997, the "Implant.6128" virus was sent by somebody to Internet conferences in the file NENA.EXE, which displays a picture of a naked girl.