| Description:
|
Details
Nephew.2906
These are dangerous memory resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed. The viruses delete the anti-virus data files: CHKLIST.MS, CHKLIST.CPS, ANTI-VIR.DAT, CHKLST.TAV, SMARTCHK.TAV. The viruses do not infect the files: HIEW, SAFE, SOS e.t.c. according to strings (four letters per name):
HIEWSAFESOS./WD.WARNCPAV
ADINANTIAIDSVIRUVIR.SCANRWEBLD.EGUARCLEA
The viruses also attempt to overwrite files from the second string (ANTI, AIDS, VIRU, VIR., SCAN, e.t.c.), but fail to do that because of a bug. They attempts to overwrite these files with a program that displays the message:
+--------------------------------------------------------------------+
| U N R E G I S T E R E D P R O G R A M ! |
+--------------------------------------------------------------------+
This version is NOT freeware, you MUST register it!
Call (+7-095)135-6253, 137-0150
The viruses scan DOS kernel, look for the DSKREET driver and patch its code with a call to virus routine. In this patch the virus sets some flags and depending on them writes some data to last disk directory sectors. It writes by using old style calls only and is able to do that only with disks with 32M or less disk space. The virus also uses
The virus also contains the text string:
(=) Big Nephew (=) |
