| Description:
|
Details
Em.1303
It is a dangerous not memory resident encrypted parasitic virus. While execution of infected EXE-file the virus opens the C:AUTOEXEC.BAT file, reads the file contents, searches for the line which begins with "path" or "PATH" strings, and inserts the line "em" as the next line:
all
PATH= ...
em
...
Then the virus creates the C:EM.COM file and writes the encrypted virus body (1303 bytes) into there, so the virus creates its COM-dropper. Then the virus returns the control to the host EXE-file.
During execution of the virus dropper EM.COM (when "infected" AUTOEXEC.BAT receives the control) the virus searches for all .EXE-files on C: drive and writes itself to the files end.
On 28th of any month the virus calls the trigger routine. That routine scans the disk for all directory objects (files, subdirectories and volume labels) by using absolute disk read/write functions INT 25h/26h, and replaces the first letter of the objects name with SPACE character (20h), after such correction DOS cannot access these files/subdirectories.
The virus contains the internal text strings:
path
PATH
em.com c: autoexec.bat c:*.* *.exe |
