| Description:
|
Details
PFS.3786
This is a benign memory resident encrypted stealth multipartite virus. It infects the MBR of the hard drive and writes itself to the end of COM and EXE files. When an infected file is executed, the virus infects the MBR, hooks INT 21h and stays memory resident. When the system is booted from the infected disk, the virus stays memory resident, hooks INT 8 (timer), wait for DOS loading, then it releases INT 8 and hooks INT 21h.
The virus INT 21h handler hooks more than 10 DOS functions: FindFirst/Next (including long-names calls), open file, close, execute, rename, read, e.t.c. On opening, executing, renaming and file attribute access the virus infects the files. In case of other functions the virus calls its stealth routines.
Plus to file stealth ability the virus uses several quite complex tricks to hide its presence in the system. First of all the virus uses direct disk access calls to bypass BIOS anti-virus protection. To hide its TSR copy the virus leaves in the system memory just 339 bytes of its code - it copies it to the Interrupt Vectors Table. This code contains INT 21h handler that in case of needs reads the complete virus code from the first track of the hard drive and calls it. As a result the virus does not occupy the conventional system memory and is not visible by memory browsers. Depending on the system environment the virus also copies its code to the XMS memory and in case of need reads it from there, not from the hard drive.
The virus contains the text strings:
PowerFul Stealth v6.1 (c)'98 DK eyegabooom |
