Mendoza.3380
Mendoza.3380 is a very dangerous memory-resident, parasitic, polymorphic virus. It hooks INT 20h, 21h, 23h and 27h and writes itself to the end of COM and EXE files that are executed or opened.
When executed, the virus decrypts itself, infects the DOSKEYB.COM file (if it exists) and executes the host file. By hooking the interrupts listed above, the virus intercepts the termination of the host file and stays memory resident.
When a file is executed, the virus checks the file name and does not infect the following files:
COMMAND.COM PCVIR.EXE CLEAN.EXE POWER.EXE SHARE.EXE LOADHI.COM EMM386.EXE SETVER.EXE
The virus also checks the code of the file and does not infect files that are packed by the PKLITE compression utility. When the infection is complete, the virus searches for the PKLITE.EXE file by using the "PATH=" string in the environment area, and executes it to force PKLITE.EXE to compress the file that has just been infected. As a result, infected files may remain uncompressed if the PKLITE utility is not present, or may be compressed by PKLITE, and the infected file may be shorter than it was before infection. While PKLITE is compressing a file, the virus disables output to the screen to hide the PKLITE activity.
The virus deletes the files CHKLIST.MS and SMARTCHK.CPS. Depending on the system date and time, the virus erases disk sectors, reboots the computer, displays the message:
(c) Mendoza's 1995
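
An added triage example (not part of the original description, and not vendor detection code): it compares a known-clean directory snapshot with the current one and flags the file-system traces described above, namely COM/EXE files outside the skip list that grew or became PKLITE-packed, and deleted CHKLIST.MS / SMARTCHK.CPS files. The `PKLITE Copr.` marker and the 512-byte search window are assumptions, and the sample directory built in `demo()` is constructed.

```python
import tempfile
from pathlib import Path

# Files the description says the virus never infects.
SKIPPED = {"COMMAND.COM", "PCVIR.EXE", "CLEAN.EXE", "POWER.EXE", "SHARE.EXE",
           "LOADHI.COM", "EMM386.EXE", "SETVER.EXE"}
# Integrity databases the description says the virus deletes.
CHECKSUM_DBS = {"CHKLIST.MS", "SMARTCHK.CPS"}
# Assumption: PKLITE-packed programs carry this text near the start of the file.
PKLITE_MARK = b"PKLITE Copr."

def snapshot(root):
    """Map upper-cased relative path -> (size, PKLITE-packed?) for each file under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            packed = PKLITE_MARK in p.read_bytes()[:512]
            snap[p.relative_to(root).as_posix().upper()] = (p.stat().st_size, packed)
    return snap

def triage(baseline, current):
    """Compare a known-clean snapshot with the current one; return (suspects, missing_dbs)."""
    suspects = {}
    for rel, (size, packed) in current.items():
        name = rel.rsplit("/", 1)[-1]
        if not name.endswith((".COM", ".EXE")) or name in SKIPPED or rel not in baseline:
            continue
        old_size, old_packed = baseline[rel]
        if packed and not old_packed:      # packed after the clean snapshot was taken
            suspects[rel] = "newly PKLITE-packed (%+d bytes)" % (size - old_size)
        elif size > old_size and not old_packed:   # code appended, PKLITE not available
            suspects[rel] = "grew by %d bytes" % (size - old_size)
    missing = sorted(r for r in baseline
                     if r.rsplit("/", 1)[-1] in CHECKSUM_DBS and r not in current)
    return suspects, missing

def demo():
    """Constructed sample: a fake DOS directory before and after; no real malware involved."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for name, data in [("EDIT.COM", b"\x90" * 900), ("TOOL.EXE", b"MZ" + b"\0" * 4000),
                           ("COMMAND.COM", b"\x90" * 500), ("CHKLIST.MS", b"sums")]:
            (root / name).write_bytes(data)
        before = snapshot(root)
        (root / "EDIT.COM").write_bytes(b"\x90" * 900 + b"\xCC" * 300)   # appended bytes
        (root / "TOOL.EXE").write_bytes(b"MZ" + b"\0" * 28 + PKLITE_MARK + b"\0" * 2000)
        (root / "COMMAND.COM").write_bytes(b"\x90" * 600)   # on the skip list, not flagged
        (root / "CHKLIST.MS").unlink()
        return triage(before, snapshot(root))
```

Calling `demo()` returns the flagged files with the reason for each, plus the list of checksum databases that have disappeared since the baseline.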