| Description:
|
Details
Urphin.1621
It is not a dangerous memory resident parasitic virus. It hooks INT 21h, 28h and writes itself to the end of COM and EXE files. It infects EXE files that are executed. COM files get infection only on FindNext ASCII DOS call and only on a floppy drive. The virus does not infect the files: *AI?.*, *WEB?.*, *ES?.*, *RA?.*.
When the TPC.EXE file is executed (TurboPascal compiler), the virus also intercepts .PAS files opening (Pascal source files), searches for "BEGIN" line in these files (subroutine header) and writes to there its hexadecimal dump with necessary Pascal instructions. When .PAS files are closed, the virus removes its hex-dump from Pascal source files. As a result, when source Pascal files are being compiled, the virus inserts its code into these files, and the result executable files become the virus droppers.
The virus contains the text strings:
BEGINbegin
URPHIN
ASM
END; |
