Details
Weak.1253
Weak.1253 is a dangerous memory-resident parasitic stealth virus. It is compressed with the PKLITE utility; after installation it reads its compressed body, saves it in memory and then uses it during infection. The virus writes itself to the beginning of a file when the file is created (when a file is copied): it hooks the DOS Create function, creates the file, writes the virus body into it and then returns to DOS. DOS then appends the file to the virus body. Therefore it is not necessary for the virus to check INT 24h or the file's date, time and attributes.
When a file is accessed, the virus uses a stealth algorithm: it hooks the DOS Lseek function (AH=42h) and corrects the read/write pointer so that the file looks clean. The virus also hooks the ASCII FindFirst and FindNext DOS functions and corrects the returned length of an infected file. However, the virus does not check the FCB Find functions and can break some utilities.
During installation into system memory the virus uses the legal method, INT 27h. The virus also corrects the Environment area: it sets the owner name to COMMAND.COM. With this method the virus hides itself in memory. It also hooks INT 21h, 22h, 23h and 24h.
The virus contains the text: "Et tu vulneratus es sicut et nos, nostri similis effectus esall".