| Description:
|
Details
Kaczor.4444.a
It is not a dangerous memory resident polymorphic stealth multipartite virus. It traces and hooks INT 13h, 21h and writes itself to the MBR of the hard drive and to EXE files that are accessed on the floppy disks. On accessing to the infected files on the hard drive the virus disinfects them.
While installing memory resident from infected hard drive the virus also temporary hooks INT 12h, 1Ch. On DOS loading it cuts the block of system memory, hooks INT 13h, 21h and resets INT 12h, 1Ch.
That virus is encrypted in memory as well as in the files. The INT 13h, 21h handlers decrypt the code of subroutines before processing them, and then encrypt before return to the original interrupt handlers.
On loading if the keyboard buffer contains the word "kaczor" the virus disinfects MBR and displays:
Zrobione.
If the keyboard buffer contains the word "test", the virus displays the message:
Wersjaall.......
Kodowanie.......
Licznik HD......
and adds corresponding numbers to the ends of these strings.
On March, 3rd the virus hooks INT 8 (timer) and "shakes" the screen. |
