| Description:
|
Details
Oeur.3072
This is a dangerous memory resident multipartite virus. Upon loading from an infected file, it hits the hard-drive MBR, and upon installation in a system memory, it hooks INT 13h, 21h, and F5h. Upon loading from an infected MBR, it also hooks INT 1Ch, which summons an installation routine when DOS is loaded in the system memory. Upon calling to the ChDir DOS command, the virus summons INT F5 that searches for EXE files, and writes the virus code to their ends. INT 13h is used to perform a stealth algorithm upon access to the infected MBR. In October, this virus overwrites disk sectors with data, which contains the string "oeur934" at the beginning. It contains internal text strings, and on Friday, it displays them backwards:
$?! ynnuf uoy erA
$.akrakurD all eis im izduN
$.draobyeK ... em ssiK
$!!! EVITCAOIDAR si KSID DRAH ruoY
$!!! em KCUF ton oD
$:A evird otni AZZIP tresnI ! yrgnuh ma J
$setteksid owt era :A evird nI ! gninraW
$$ejeiwezdr rosecorp jowT
$emsat agaicw :C ajcats agawU
$tceted rosecorp 4XD687 oN ! gninraW
$yob diputs uoY
$.K ZSUIRAM ... .J ECZSEINGA ejukydyd asuriw ogeT
$AGA evol J
$noisrev SOD tnerrocnI
$selif erom oN
$$selif desolc ynam ooT
$noitcerder etacilpuD
$hctamsim egap edoC
$deinad sseccA
$sroloc eerhct si AGV ruoY
$ydaer ton SME
$SURIV rof yromeM etacolla tonnaC
$sretemarap KCATS dilavnI
$fys ot AGIMA
$moniks creimS
$$LUCSOK zrpeiP
$hcanalg w eizdjyzrp suzeJ
$NATAS EVA
$azorgz oT
$aselaW z zcerP
$!! corw AGA
$RAWONAM evol J
$daed si - PAR - OKSID - ONHET
$yladep ot ylap esyL
$ycicam jem do zcerp eceR
$! iwoloi
$?! ynnuf uoy erA
$.akrakurD ... eis im izduN
$.draobyeK ... em ssiK |
