Description:
Details
CmosDead family
These are very dangerous memory-resident parasitic viruses that are both polymorphic and stealth. They trace and hook INT 21h, stay resident in memory, and then write themselves to the end of COM and EXE files as those files are accessed. The viruses do not infect anti-virus programs and several utilities whose names contain the following strings:
AVG SYS SCAN CLEAN WIN TBAV PROT GUARD VS 286 386 DSK
When CHKDSK is run, the viruses disable their stealth routines. In some cases, when one of the programs listed above is executed, the viruses display the following message and refuse to run it:
I don't like this program !
The viruses use anti-debug tricks. When run under a debugger they display the following message and halt the computer:
BE CAREFUL !
Depending on their internal counters, the viruses hook INT 9 (keyboard), corrupt the CMOS, and display the message:
GRISOFT(c) SOFTWARE 1989,96
and manifest themselves with a video effect. If Ctrl-Alt-Del is pressed during the effect, the viruses call the BIOS disk-formatting routine.
In some cases the viruses call the same effect routine and then overwrite the MBR of the hard drive with a program that displays the following on boot:
CMOS-DEAD: DATA DESTROYED !
The viruses also contain the text string:
Hello Mr. Odehnal !
as well as:
"Odehnal.4792": EXECOM12/19/91
"Odehnal.5154": EXECOM06/12/95
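As an added detection example (not part of this entry or any scanner's real signature set), the following Python scans a file image or boot sector for the text strings quoted above and labels the variant; it assumes the EXECOM date marker distinguishes Odehnal.4792 from Odehnal.5154, and all sample inputs are constructed, not real infected files.

```python
# Added example: signature scan for the CmosDead text strings listed in this entry.
# Assumption: the "EXECOM<date>" marker identifies the variant (4792 vs 5154).

SIGNATURES = {
    b"I don't like this program !": "anti-AV message",
    b"BE CAREFUL !": "anti-debug message",
    b"GRISOFT(c) SOFTWARE 1989,96": "payload banner",
    b"CMOS-DEAD: DATA DESTROYED !": "MBR payload text",
    b"Hello Mr. Odehnal !": "author greeting",
}

VARIANT_MARKERS = {
    b"EXECOM12/19/91": "Odehnal.4792",
    b"EXECOM06/12/95": "Odehnal.5154",
}


def scan_image(data: bytes) -> dict:
    """Return matched signature labels with their offsets, the variant (if any),
    and a summary flag. Only plain-text markers are checked; a polymorphic body
    would still need a proper engine, so this is a triage aid, not a full detector."""
    hits = {label: off for needle, label in SIGNATURES.items()
            if (off := data.find(needle)) != -1}
    variant = next((name for marker, name in VARIANT_MARKERS.items() if marker in data), None)
    return {"hits": hits, "variant": variant, "suspicious": bool(hits) or variant is not None}


def scan_mbr(sector: bytes) -> bool:
    """True if a 512-byte boot sector (valid 55AA signature) carries the payload text."""
    return (len(sector) == 512 and sector[510:512] == b"\x55\xaa"
            and b"CMOS-DEAD: DATA DESTROYED !" in sector)


# Constructed sample inputs (not real infected files): a tiny clean COM stub that
# just calls INT 21h/AH=4Ch, the same stub with appended marker text, and a fake MBR.
CLEAN_COM = b"\xb4\x4c\xcd\x21" + b"\x00" * 60
INFECTED_COM = (CLEAN_COM + b"\x90" * 16 + b"Hello Mr. Odehnal !" + b"\x00" * 8
                + b'"Odehnal.4792": EXECOM12/19/91')
FAKE_MBR = b"CMOS-DEAD: DATA DESTROYED !".ljust(510, b"\x00") + b"\x55\xaa"

if __name__ == "__main__":
    for name, img in (("clean.com", CLEAN_COM), ("infected.com", INFECTED_COM)):
        print(name, scan_image(img))
    print("mbr", scan_mbr(FAKE_MBR))
```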