| Description:
|
Details
KOV Family
These are very dangerous nonmemory resident parasitic viruses. They search for COM and EXE files, then write themselves to the end of the file. The viruses do not infect the files HW*.* and CO*.*. If file with one of the names V3*.*, TV*.*, KA*.* is found, the viruses delete it and then decrypt and display the message:
Korea VIRUS 1995.3
"KOV.1036" deletes the files: V3*.*, TV*.*, KA*.*, TK*.*, F-*.*, TB*.*, SC*.* and displays the message:
VIRUS: COREA (Type_D) -- by KOV 9192.3.27
KOV.Assassin
These are harmless memory resident parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed. The viruses check the file names and do not infect files with names containing 'S' or 'V' letters. The viruses also do not infect several anti-viruses and utilities such as CLEAN.EXE, HW.EXE, F-PROT.EXE, TB*.EXE, WC.EXE according to the string (two letters per name):
CLHWTBF-WCTKCOT2IB
The viruses contain the text strings:
[The ASSASSIN (Type A)] 95-03-02
(c) Copyleft 9188-9192 by SVS,Corea
KOV.Eddy
These are very dangerous memory resident parasitic viruses. They hook INT 21h and write themselves to the beginning of COM and to the end of EXE files that are accessed. On GetDiskSpace DOS call (INT 21h, AH=36h) "Eddy.1551" also searches for EXE files and infects them.
The viruses check the file names and do not infect files with names containing 'S' or 'V' letters. The viruses also do not infect several anti-viruses and utilities such as HW.EXE, F-PROT.EXE, TB*.EXE, CLEAN.EXE, WC.EXE according to strings (two letters per name):
"Eddy.1309,1316,1333": HWF-TBCLWC
"Eddy.1326,1482": HWF-TBCLWCCOTK
"Eddy.1551": HWF-TBCLWCCOTKDE
Being executed "Eddy.1482,1551" change the letters on the screen. These viruses depending on the system conditions erase the CMOS.
Depending on the system date:
"Eddy.1309,1333": in March, starting from 14th
"Eddy.1316": in April
"Eddy.1326,1482": in April, starting from 15th
"Eddy.1551": depending on the system timer
the viruses either delete files TV.*, V3.*, TK*.*, KAV*.* on executing, or display the messages:
"Eddy.1309": [Welcome to EDDY! (c) Copyleft 9189-92.3 SVS/COREA]
"Eddy.1316":
[Welcome to EDDY (Type_C) VIRUS (c) Copyleft 9188-92.3 SVS/COREA]
"Eddy.1326": [Welcome to EDDY/D (c) Copyleft 9188-92.3 SVS/COREA]
"Eddy.1333": [Welcome to EDDY! (c) Copyleft 9189-92.3 SVS/COREA]
"Eddy.1482":
[Welcome to EDDY (Type E) VIRUS! 9192(1995).3.22
(c) Copyleft 9188-92 by SVS/COREA
andall Yally lives... somewhere in mind.
"Eddy.1551":
Welcome to
EDDY VIRUS (Type F/Last Ver/50th) 9192.3.25
(c) Copyleft 9188-92 by SVS/COREA
FATHER AND I PART 1 .. N.EX.T .. thank you! bye!!!
KOV.Miny
"Miny1" is a very dangerous nonmemory resident encrypted virus. It searches for .COM and .EXE files and overwrites them. Before returning to DOS it displays one of the messages:
Abnormal Program Termination.
[Miny1]/KV44 --FREEWARE 1995.7.31
Hmm.. Ending version. miss you! Miny1
(c) Copyleft 9192 by KOV of SVS/Corea
"Miny2" are harmless nonmemory resident parasitic viruses. They search for .COM files, then write themselves to the end of the file. They contain the texts:
"Miny2.200: Miny2.200
"Miny2.222: Miny2.222
"Miny2.237: Miny2
In some cases "Miny2.237" displays:
Abnormal Program Termination.
"Miny3" are harmless memory resident parasitic viruses. They hook INT 21h and writes themselves to the end of COM files that are executed. They contain the text: "Miny3". Depending on the system time "Miny3.666" displays:
Miny3
Family:256,300,321,333,444,500,512,543,567,666
KOV.Next
These are not dangerous (except "Next.1722") memory resident encrypted parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are accessed. On several DOS calls such as ChangeDir and GetDiskSpace they also search for files and infect them. They do not infect several anti-virus programs and utilities (see above) as well as files with names containing 'S' or 'V' letter.
"Next.1722" depending on the system timer erases the files: HW*.*, F-*.*, TB*.*, CL*.*, CO*.*, WC*.*, TK*.*, DE*.*, IB*.*, T2.
Depending on the system timer the viruses display the messages:
"Next.1592":
¦¦¦ ¦ ¦¦¦¦¦ ¦ ¦ ¦ ¦¦¦¦¦
¦ ¦ ¦ ¦¦¦¦¦ ¦ ¦ ¦
¦ ¦ ¦ ¦¦¦¦¦ ¦ ¦
¦ ¦ ¦ ¦¦¦¦¦ ¦
¦ ¦¦¦ ¦¦¦¦¦ ¦ ¦ ¦ (Type_D) VIRUS...
THE WAY TO HOME. by KOV (Knight Of Virus) / Corea 9192/03/25
"Next.1722":
@@@ @ @@@@@ @ @ @ @@@@@
@ @ @ @@@@@ @ @ @
@ @ @ @@@@@ @ @
@ @ @ @@@@@ @
@ @@@ @@@@@ @ @ @ (Type_E/Last Ver.) VIRUS...
(c) KOV (Knight Of Virus)/ Corea 9192/04/02
"Next.1785,1798":
The Return of N.EX.T part I The Being ...
Message from SVS(Seoul Virus Society) 1994/07/26
KOV.Wanderer
These are memory resident viruses. They hook INT 21h and write themselves to beginning of COM and to the end of EXE files that are accessed. "Wanderer.1768" also searches for files and infects them.
"Wanderer.1347" is a harmless virus, it does not manifest itself in any way. "Wanderer.1332" drops a trojan jorse. Other viruses depending on the system time erase disk sector, the CMOS and halt the computer.
The viruses contain the texts:
"Wanderer.1347": [I am a Wanderer ,May 30th,1994 Korea]
"Wanderer.1589":
[The KEEPER by SVS in KOREA,1994/07/08]
Don't use any anti-virus program to cure it.
"Wanderer.1591":
[The KEEPER by SVS in KOREA,1994/07/11]
Warning! Don't use any anti-virus program to cure it.
"Wanderer.1768":
*.EXE
[I am a ASSASSIN by SVS in KOREA,1994/07/16]
Warning?! Don't use any anti-virus program to cure it. |
