| Description:
|
Details
Twin.351
It is a memory resident companion virus: when an .EXE file is executed, the virus creates .COM files with the same name (for example, XCOPY.EXE -> XCOPY.COM) and writes body of the virus into .COM file. After starts the file from DOS prompt DOS finds and runs .COM files first and only then .EXE files. And the first the .COM file (i.e. virus) is started. Then the virus installs and runs the .EXE files with a program.
The virus realizes quite interesting stealth algorithm: it sets the attribute HIDDEN to infected files, hooks INT 21h and controls the FindNext DOS function so that only files without HIDDEN attribute are displayed (in DOS prompt, Norton Commander, XTREE and so on). |
