Details
Ksenia.3599
This is a dangerous memory-resident, polymorphic, stealth parasitic virus. It hooks INT 9 and INT 21h, and writes itself to the end of COM, EXE and SYS files that are accessed. Depending on the system conditions, the virus either hooks INT 21h by a standard method, or traces it and patches it with INT xxh code, where "xx" is randomly selected from the list of unused interrupts.
To recognize an already infected file, the virus uses the file date stamp: the current year plus 100. When infected files are read, and on file search functions, the virus runs its stealth routines; when infected files are written to, the virus disinfects them. The virus checks the names of victim files against the following list:
PKZIP,RAR,ARJ,LHA,ARC,DEFRAG,SPEEDISK,CHKDSK,BACKUP,MSBACKUP,SCANDISK,NDD
If any of these files is executed, the virus disables its stealth functions. If WIN.COM is executed, the virus adds the "/d:c" parameter to the command line. The virus does not infect files whose names begin with the strings:
FI,SC,VS,TB,DR,AV,F-,FP,AD,CO
On Mondays, if a file is executed at 5 minutes past any hour, the virus calls the Novell NetWare function SEND BROADCAST MESSAGE and sends the following message to the network:
External System Error #05. Connection refused.
On Monday at 17:xx, the virus calls the SYSTEM LOGOUT Novell function.
The virus's INT 9 (keyboard) handler checks keyboard scancodes. If the text 'KSENIA' is typed, the virus displays the following text and halts the computer:
123 4 5 Deadman
On May 5th, when the current disk number is changed, the virus erases data on the current disk.
In addition to the strings listed above, the virus contains the texts:
[KSENIA]
Version 0.99 alpha
Copyright (C) 01/02/99 10:29:34 by Deadman
The Global Project devoted to Ksenia Chizhova
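
The date-stamp marker described above (current year plus 100) can be used for triage of a raw FAT directory read from an offline image, where the stealth routines are not running. The following is an added example, not code from the original description; it assumes the marker sits in the last-write date field of the standard 32-byte FAT directory entry, and the `earliest_year` default of 1999 is an assumption taken from the copyright string in the virus body.

```python
import struct

TARGET_EXTS = {"COM", "EXE", "SYS"}   # file types the description lists as infected

def decode_fat_date(raw):
    """Split a 16-bit FAT date word into (year, month, day)."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def suspicious_entries(dir_bytes, earliest_year=1999):
    """Return [(name, year)] for COM/EXE/SYS entries dated earliest_year + 100 or later."""
    hits = []
    for off in range(0, len(dir_bytes) - 31, 32):
        entry = dir_bytes[off:off + 32]
        if entry[0] == 0x00:            # no further entries in this directory
            break
        if entry[0] == 0xE5:            # deleted entry
            continue
        if entry[11] & 0x18:            # volume label, subdirectory or long-name entry
            continue
        ext = entry[8:11].decode("ascii", "replace").strip()
        if ext not in TARGET_EXTS:
            continue
        (raw_date,) = struct.unpack_from("<H", entry, 24)   # last-write date
        year, _, _ = decode_fat_date(raw_date)
        if year >= earliest_year + 100:
            name = entry[0:8].decode("ascii", "replace").strip()
            hits.append((f"{name}.{ext}", year))
    return hits

def make_entry(name, ext, year, month, day, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample below."""
    date = ((year - 1980) << 9) | (month << 5) | day
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, 0, date, 2, 4096)

# Constructed sample directory (not taken from a real disk).
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 2099, 3, 14),        # marker year: flagged
    make_entry("EDIT", "COM", 1998, 6, 1),            # normal date
    make_entry("README", "TXT", 2099, 3, 14),         # not a targeted extension
    make_entry("DOS", "", 2099, 3, 14, attr=0x10),    # subdirectory, skipped
    bytes(32),                                        # end-of-directory marker
])

if __name__ == "__main__":
    for name, year in suspicious_entries(SAMPLE_DIR):
        print(f"{name}: last-write year {year}")
```

A hit only indicates a date stamp consistent with the marker; the file still needs to be examined before it is treated as infected.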