GraveLion.2250
This is a relatively harmless memory-resident multipartite polymorphic virus. When an infected file is executed, the virus infects the MBR of the hard drive and returns control to the host program. When the system is loaded from an infected disk, the virus hooks INT 8 and INT 9, waits for DOS to load, then hooks INT 13h and INT 21h and writes itself to the end of COM and EXE files that are executed, opened or renamed.
The virus uses quite a complex stealth routine to hide the infected MBR. First, the virus does not put its code into the MBR: it writes its code to the disk starting from the second disk sector and modifies the address of the active boot sector in the disk Partition Table (see also the "Starship" virus). When the infected MBR is accessed through INT 13h calls, the virus redirects these calls to the original MBR, which is saved in the 7th sector of the disk. When the files B*.EXE, F*.EXE, T*.EXE (direct disk access anti-viruses?) are executed, the virus temporarily disinfects the infected disk.
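A defender-side check for the Partition Table redirection described above, as an added example that is not part of the original description: it parses an MBR sector taken from a disk image and flags an active entry whose boot sector points into track 0 (cylinder 0, head 0). The helper names, the constructed sample sectors and the heuristic that DOS-era partitions start at head 1 or later are assumptions of this example.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE      # partition table offset inside the MBR
ENTRY_SIZE = 16        # four 16-byte entries, then the 55 AA signature

def parse_entries(mbr: bytes):
    """Return the four partition entries of a 512-byte MBR as dicts."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        raw = mbr[PT_OFFSET + i * ENTRY_SIZE: PT_OFFSET + (i + 1) * ENTRY_SIZE]
        status, head, sec_cyl, cyl_lo, ptype = struct.unpack_from("<5B", raw, 0)
        lba_start, count = struct.unpack_from("<II", raw, 8)
        entries.append({
            "index": i, "active": status == 0x80, "type": ptype,
            "cyl": ((sec_cyl & 0xC0) << 2) | cyl_lo,   # 10-bit cylinder
            "head": head, "sector": sec_cyl & 0x3F,    # 6-bit sector, 1-based
            "lba_start": lba_start, "count": count,
        })
    return entries

def suspicious_boot_pointers(mbr: bytes):
    """Flag active entries whose boot sector lies in track 0 (assumed heuristic)."""
    return [e for e in parse_entries(mbr)
            if e["active"] and e["cyl"] == 0 and e["head"] == 0]

def make_sample_mbr(head, sector, cyl, lba):
    """Build a constructed MBR with one active FAT16 entry (sample data only)."""
    entry = struct.pack("<8BII", 0x80, head, ((cyl >> 2) & 0xC0) | sector,
                        cyl & 0xFF, 0x06, 15, 63, 99, lba, 100800)
    return bytes(PT_OFFSET) + entry + bytes(48) + b"\x55\xaa"

CLEAN = make_sample_mbr(1, 1, 0, 63)       # usual start: cyl 0, head 1, sector 1
REDIRECTED = make_sample_mbr(0, 2, 0, 1)   # boot pointer moved to the second sector

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN), ("redirected", REDIRECTED)):
        hits = suspicious_boot_pointers(mbr)
        print(name, [(e["index"], e["cyl"], e["head"], e["sector"]) for e in hits])
```

Because the resident virus redirects INT 13h reads of the MBR to the saved original, the sector has to come from an image read after booting from clean media.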
If an error occurs while loading from an infected disk, the virus displays the following:
Access to Hard Drive deniedall
The virus also contains the text:
[ü ¿ ûÑ"Ñ¡ ] v1.0 Copyright (c) 1995 Grave Lion