Markiz.197 Viruses Information

Name: Markiz.197
Category: Viruses
Description: Details
Markiz.1972

This is a dangerous memory resident encrypted parasitic virus. It traces and hooks INT 21h, then it infects COM and EXE files. The virus contains the text strings:
MARKIZ-4/³1995 [note displayed in HTML version)

This virus uses a fairly complex infection method: it encrypts itself and writes the result to the end of the file, then writes the decryption loop and a jump-to-virus instruction into the middle of the file, at the address of the code that makes the first INT 21h call when the file is executed. While infecting, the virus does not modify the beginning of the file (except the Module Length fields in the EXE header):
  Not infected file        Infected file
  +---------------+        +---------------+
  |...            |        |...            |
  |---------------|        |---------------|
  |call to INT 21h|        |decryption loop|
  |---------------|        |JMP Virus      |---+
  |...            |        |---------------|   |
  |...            |        |...            |   |
  +---------------+        |---------------|<--+
                           |virus          |
                           |               |
                           +---------------+

To carry out this method, the virus intercepts all INT 21h functions. When any file is executed (AX=4B00h), the virus switches itself into "infection mode" and returns control to the original INT 21h handler. DOS loads the file into system memory and passes control to the file's code. Programs usually call various INT 21h functions, and the virus intercepts the first such call, gets the address of the code that performs it, calculates the offset of that code in the file, and writes its decryption routine and JMP_Virus code to the file at that address.
The virus checks the file to avoid infecting packed files and overwriting relocated addresses in EXE files. To do this, it compares the code in memory with the code in the file before overwriting. If the two differ, the virus does not infect the file.
To detect the termination of the program and turn off the "infection mode," the virus also hooks INT 20h and 27h. This is necessary if the file does not perform any INT 21h calls while working.
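
The layout described above (beginning of the file left alone apart from the EXE Module Length fields, one patch in the middle, new data at the end) is what a comparison against a known-good copy would show. The following Python sketch is an added example, not part of the original description; the function names, the 32-byte "beginning" window and the sample bytes are assumptions made for illustration.

```python
import struct

def mz_module_length(data):
    """Image size from the MZ header's e_cblp (offset 2) and e_cp (offset 4)."""
    if len(data) < 6 or data[:2] not in (b"MZ", b"ZM"):
        return None
    last_page, pages = struct.unpack_from("<HH", data, 2)
    return pages * 512 if last_page == 0 else (pages - 1) * 512 + last_page

def changed_runs(old, new, skip=frozenset()):
    """Return [start, end) offset runs where new differs from old, within len(old)."""
    runs, start = [], None
    limit = min(len(old), len(new))
    for i in range(limit):
        differs = old[i] != new[i] and i not in skip
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            runs.append((start, i))
            start = None
    if start is not None:
        runs.append((start, limit))
    return runs

def compare_to_baseline(old, new, head=32):
    """Summarise how a program file differs from its known-good copy."""
    # head: how many leading bytes count as "the beginning" (assumed value).
    # For EXE files the Module Length fields (offsets 2-5) are expected to change.
    skip = frozenset(range(2, 6)) if mz_module_length(old) is not None else frozenset()
    runs = changed_runs(old, new, skip)
    appended = len(new) - len(old)
    head_intact = not any(s < head for s, _ in runs)
    return {
        "appended": appended,
        "patched": runs,
        "head_intact": head_intact,
        "module_length": (mz_module_length(old), mz_module_length(new)),
        # Pattern from the description: start untouched, one patch inside
        # the original body, new data after the original end of file.
        "mid_patch_plus_append": head_intact and len(runs) == 1 and appended > 0,
    }

# Constructed sample data: filler bytes only, no real program or virus code.
CLEAN = bytes(range(256)) * 2          # 512-byte stand-in for a COM file
ALTERED = CLEAN[:300] + b"\xAA" * 20 + CLEAN[320:] + b"\xBB" * 100

if __name__ == "__main__":
    print(compare_to_baseline(CLEAN, ALTERED))
```

A check that looks only at the first bytes of the file, or only at its entry point, reports nothing here; the change shows up as the patched run and the growth in length.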



© 2006-2008 spyware32.com