V.6000
It is a dangerous memory-resident, polymorphic, stealth, multipartite virus. When an infected file is executed or the system is loaded from an infected floppy disk, the virus writes itself to the MBR of the hard drive. The virus stays memory resident only when loaded from an infected MBR; it hooks INT 8, 13h, 17h, 1Ch, 20h, 21h, 25h, 26h, 27h and writes itself to the end of COM and EXE files that are accessed, or on program termination. Depending on its internal counter, the virus searches for files and infects them. The virus checks file names and does not infect the following files:
COMMAND.COM, GDI.EXE, DOSX.EXE, WIN386.EXE, KRNL286.EXE, KRNL386.EXE,
USER.EXE, WSWAP.EXE, CHKDSK.EXE
When a floppy disk is accessed, the virus writes itself to the boot sector. Depending on its internal counters, and under debuggers, the virus erases the CMOS and hard drive sectors.
The virus uses a complex algorithm that allows it to stay memory resident after a cold reboot and loading from a clean DOS floppy disk. On installation the virus saves the CMOS memory that keeps the information about floppy drives and sets that information to zero (i.e. the virus emulates a situation in which no floppy drives are installed). When disks are accessed, the virus temporarily restores the CMOS and then erases these fields again. On any (cold or warm) reboot the system checks the CMOS, does not detect the floppy drives, and passes control to the MBR of the hard drive. The virus in the MBR then receives control, installs itself into memory, and passes control to the floppy disk loader. As a result, the virus stays memory resident even after loading from a clean write-protected disk.
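A defender can look for the zeroed floppy fields described above by comparing a captured CMOS image with a baseline saved while the machine was known clean. The check below is an added example, not code from the original description; the register offsets are the standard AT CMOS layout, and which bytes this virus actually touches (and whether it fixes up the checksum) is an assumption, as are the function names and the constructed sample images.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard AT CMOS offsets (general PC layout, not taken from the page). */
#define CMOS_FLOPPY_TYPES 0x10 /* high nibble = drive A type, low = drive B */
#define CMOS_EQUIPMENT    0x14 /* bit 0 set = floppy drive(s) installed */
#define CMOS_SUM_HI       0x2E /* checksum of bytes 0x10..0x2D, high byte */
#define CMOS_SUM_LO       0x2F /* checksum low byte */

enum { CMOS_OK = 0, CMOS_FLOPPY_HIDDEN = 1, CMOS_BAD_CHECKSUM = 2, CMOS_EQUIP_MISMATCH = 4 };
static uint16_t cmos_sum(const uint8_t img[64]) {
    uint16_t sum = 0;
    for (int i = 0x10; i <= 0x2D; i++)
        sum = (uint16_t)(sum + img[i]);
    return sum;
}

/* Compares a captured image with a known-clean baseline; returns a bitmask. */
int cmos_floppy_check(const uint8_t cur[64], const uint8_t base[64]) {
    int findings = CMOS_OK;
    if (cmos_sum(cur) != (uint16_t)((cur[CMOS_SUM_HI] << 8) | cur[CMOS_SUM_LO]))
        findings |= CMOS_BAD_CHECKSUM;
    /* Baseline listed a drive, current image claims none are fitted. */
    if (base[CMOS_FLOPPY_TYPES] != 0 && cur[CMOS_FLOPPY_TYPES] == 0)
        findings |= CMOS_FLOPPY_HIDDEN;
    /* Equipment byte still reports floppies but the type byte is empty. */
    if ((cur[CMOS_EQUIPMENT] & 0x01) && cur[CMOS_FLOPPY_TYPES] == 0)
        findings |= CMOS_EQUIP_MISMATCH;
    return findings;
}

/* Builds a constructed 64-byte sample image with a valid checksum. */
void cmos_sample(uint8_t img[64], uint8_t floppy, uint8_t equip) {
    memset(img, 0, 64);
    img[CMOS_FLOPPY_TYPES] = floppy;
    img[CMOS_EQUIPMENT] = equip;
    uint16_t sum = cmos_sum(img);
    img[CMOS_SUM_HI] = (uint8_t)(sum >> 8);
    img[CMOS_SUM_LO] = (uint8_t)(sum & 0xFF);
}

int main(void) {
    uint8_t base[64], cur[64];
    cmos_sample(base, 0x40, 0x01); /* constructed: drive A = 1.44 MB */
    cmos_sample(cur, 0x00, 0x01);  /* constructed: type byte zeroed */
    printf("findings: 0x%x\n", cmos_floppy_check(cur, base));
    return 0;
}
```

Because the description says the fields are temporarily restored during disk access, a single clean reading does not rule the virus out.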