XPEH Family
These are very dangerous (except for the harmless "XPEH.3600") memory-resident parasitic viruses. They trace INT 21h, hook INT 1Ch and INT 21h, and then write themselves to the end of COM, EXE and OVL files that are loaded into memory or accessed by the DOS functions FindFirst/Next ASCII.
The viruses are encrypted with a fairly complex algorithm. They also use an error-correcting code (see Yankee viruses). The viruses "XPEH.3872" and "XPEH.4048" write the text "XPEH" to the address 0000:0004 (INT 1) and "????" to 0000:000C (INT 3). Since September 1991 (for "XPEH.3872") or December 1991 (for "XPEH.4048"), the viruses have encrypted .BAK, .TXT and .LEX files: their data is XORed with the word "XPEH".
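Because XOR is its own inverse, data altered this way can be restored by applying the same key again. The following recovery sketch is an added example, not code from the original description. It assumes the key is the four ASCII bytes of "XPEH" repeated over the data, that the key offset at the start of the data is unknown, and that the original file used DOS CR LF line endings; the function names and the sample data are constructed for illustration.

```python
# Added example: undo a repeating-key XOR with the string "XPEH".
# Assumptions (not from the page): the key is the four ASCII bytes of
# "XPEH" repeated over the data, the key offset at the start of the data
# is unknown, and the original file used DOS CR LF line endings.
KEY = b"XPEH"

def xor_repeat(data: bytes, phase: int = 0, key: bytes = KEY) -> bytes:
    """XOR data with the repeating key, starting at key[phase].
    XOR is its own inverse, so the same call encrypts and decrypts."""
    n = len(key)
    return bytes(b ^ key[(i + phase) % n] for i, b in enumerate(data))

def recover(data: bytes, key: bytes = KEY):
    """Try every key phase; keep the one that yields the most CR LF pairs.
    Returns (phase, crlf_count, plaintext)."""
    best = None
    for phase in range(len(key)):
        plain = xor_repeat(data, phase, key)
        hits = plain.count(b"\r\n")
        if best is None or hits > best[1]:
            best = (phase, hits, plain)
    return best

def looks_xored(data: bytes, key: bytes = KEY) -> bool:
    """True when undoing the XOR reveals more line endings than the raw data has."""
    return recover(data, key)[1] > data.count(b"\r\n")

# Constructed sample: a small DOS text file, and a copy XORed at key offset 2.
SAMPLE = b"REM constructed sample\r\nFILES=30\r\nBUFFERS=20\r\n"
DAMAGED = xor_repeat(SAMPLE, phase=2)

if __name__ == "__main__":
    phase, hits, plain = recover(DAMAGED)
    print(f"key offset {phase}, {hits} line endings recovered")
    print(plain.decode("ascii"))
```

Counting CR LF pairs rather than printable characters matters here: lowercase ASCII XORed with the uppercase key bytes still lands in the printable range, so a printable-ratio test would not separate damaged text from clean text.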
The "XPEH.4768" virus emulates the DIR command. For this purpose, it contains the following strings:
Directory of
File(s)
bytes free
If the day of the month equals the number of the month (January 1, February 2, etc.), this virus wipes out all data on the C: disk, first displaying the following message in Russian: "If you have a hard drive indicator and it is on, hard disk formatting is going to the end. Best wishes!".
"XPEH.5840" writes the byte C3h (RET) to the beginning of the *SAFE.* files. This virus also contains a text in Russian: "Because a work getting the producing new XPEHs is paused for some time. 1991- MFTI(77)". MFTI is the Moscow Physical and Technical Institute.