| Description:
|
Details
Sailor family
These are memory resident parasitic viruses. They hook INT 21h and write themselves to the end of executable files:
"Sailor.785": EXE on execution
"Sailor.834": COM on execution
"Sailor.1108": COM and EXE on execution, renaming
and on Get/Set File Attributes DOS call
The viruses contain the text strings:
"Sailor.785": Sailor.Venus -b0z0/iKx-
"Sailor.834": Sailor.Mercury -b0z0/iKx-
ANTI-VIR.DAT CHKLIST.MS
"Sailor.1108": Sailor.Mars -b0z0/iKx-
TBAVF-VISCITIVFINACO
"Sailor.785" is the polymorphic virus, it does not manifest itself in any way.
"Sailor.834" deletes the files: ANTI-VIR.DAT, CHKLIST.MS. When the files *VP.* (AVP), *RO.* (AVPRO) or *OT.* (F-PROT) are executed, the virus disables its infection routine.
"Sailor.1108" encrypts itself in quite complex way - while infecting a file it writes itself backward byte-by-byte except INTxx opcodes (CDxx). This routine has a bug, and in some cases the virus encrypts the files incorrectly, and they halt the system when executed. This virus does not infect several anti-viruses (TBAV, AVP, F-PROT,all see the string above) as well as COMMAND.COM file.
Sailor.Neptune.938
It is a harmless memory resident encrypted parasitic virus. It hooks INT 21h and infects COM files that are executed. While infecting a file the virus reads a block of file's data, encrypts it and saves to the end of the file, then it writes itself instead of this block to the middle of the file. The virus does not manifest itself in any way, it contains the text strings:
Sailor_Neptune
-b0z0/iKx-
Sailor.Pluto.3673
It is a dangerous memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The virus has bugs and infected files may halt the computer. The virus checks the file names and does not infect several anti-viruses and COMMAND.COM according to the string (two letters per name - TBAV, AVP, F-PROT and so on):
TBAVF-SCMSFINACO
The virus contains the text strings:
Sailor_Pluto
-b0z0/iKx-
PADANIA - 1997
Chaos is the future and beyond it is Freedom
[SMPE 0.2]
Sailor.Saturn.4553
It is a dangerous memory resident polymorphic parasitic virus. The virus uses quite complex polymorphic engine, the size of the polymorphic decryption code may exceed 6K.
The virus hooks INT 21h and writes itself to the end of EXE files that are executed or accessed by FindFile DOS functions. It does not infect files on floppy disks, as well as files with digits in their names. It archivers and other utilities are started (PKZIP, LHA, ARJ, XCOPY, BACKUP), the virus disables some of its routines. When anti-virus programs AVP/AVPLITE are started, the virus adds to the command line options that disable memory scanning and heuristic analysis; the same for TBAV anti-virus.
On September 14th the virus writes to the MBR of the hard disk a trojan code, which displays a picture and waits a keyboard input "Free Panadia", and then continues booting the computer.
The virus contains the text string:
Sailor_Saturn -b0z0/iKx- Free Padania [SMPE 0.3] |
