Monkey is a memory resident infector of the hard disk Master Boot Record (MBR) and the boot sector of diskettes. It is a stealth virus, hiding the infection of the hard disk and diskettes when it is memory resident.
Indications of Infection
The first time the system is booted with a diskette infected with the Monkey virus, the virus becomes memory resident and also infects the hard disk MBR. The virus moves interrupt 12's return to 9FC0. On the system hard disk, the virus will write one sector of viral code at Side 0, Cylinder 0, Sector 3, and then alter the MBR to point to this sector. Monkey also encrypts the MBR and relocates it to the third sector of the hard disk.
Once the Monkey virus is memory resident, it will infect non-write protected diskettes as they are accessed on the system.
Total system and available free memory decreases by 1,024 bytes. On 360K 5.25" diskettes, the virus will write a sector of code at Sector 11, the last sector of the root directory, and then alter the boot sector. On 1.2M 5.25" diskettes, the sector of viral code is at sector 28 (also the last sector of the root directory). If directory entries were originally located in the directory sectors overwritten, the corresponding files are inaccessible.
Accessing the C: drive after booting from a non-infected system diskette results in the message:
"Invalid drive specification"
Diskette directories may also be corrupted.
Concept
Concept is a small, yet sophisticated program that attaches itself to Word documents. Concept is a macro virus. It is not particularly destructive, but can be annoying. The Concept virus changes the behavior of the "Save As" function. The user will not be able to choose the drive or the type of file when saving documents. The "TEMPLATES" radio button will be grayed. The macro will cause the document to behave as a template file.
Indications of Infection
Upon infection, the virus searches for the macros "Payload" and "FileSaveAs" among NORMAL.DOT templates. If either of these macros exists, Concept assumes that the system is already infected, and aborts. If neither exists, it begins its infection process by copying its viral macros to the template and displaying a dialog box, which contains the number "1".
Once a Macro virus is running, it can copy itself to other documents, delete files, and create general problems in a system. These things occur without the user explicitly running the macro. Once Concept is active on a system, it adds the following macros: AAAZAO, AAAZFS, and Payload. Two additional macros appear called "AutoOpen" and "FileSaveAs". If these macros existed previously, the contents will be changed. These macros can be viewed in the TOOLS, MACRO menu.
Concept.H is a variant of the Concept virus. The macro names have changed. The AAA* macros are now CRYPTIC and CITPYRC.
A small dialog box may appear on the screen displaying the numeral "1". The following macros also exist:
AAAZAO
AAAZFS
AutoOpen
FileSaveAs
PayLoad
The Payload macro contains the message:
Sub MAIN
    REM That's enough to prove my point
End Sub
AntiEXE
The AntiEXE virus overwrites the Master Boot Record (MBR) of your hard drive. The virus contains all of the standard information of a normal MBR. The virus is destructive in one circumstance: if the user presses the key combination of Ctrl and Break while the virus is accessing the disk, the virus overwrites the first 8 sectors of every head and track on the drive, starting at Side 0, Sector 4.
Indications of Infection
AntiEXE is a memory resident, stealth, Master Boot Record/Boot Sector infector. When a user attempts to boot from an AntiEXE infected diskette (the boot does not need to be successful), the virus activates itself in memory and overwrites the system hard disk Master Boot Record without saving a copy.
When AntiEXE infects a diskette, it moves the original boot sector of the diskette to the last sector in the root directory.
AntiEXE 'hides' from anti-virus software by displaying an uninfected sector when an attempt is made to access the hard drive (a stealth technique). Detection of AntiEXE is therefore difficult.
Total system memory decreases by 1,024 bytes. AntiEXE also targets and corrupts files of 200,256 bytes in length.
NYB
NYB is a memory resident Master Boot Record (MBR)/Boot Sector infector. It is a "Stealth" virus. MBR/Boot Sector viruses are some of the most successful viruses. They are fairly easy to write, and they take control of the computer at a low level.
Indications of Infection
The first time a system is booted from a diskette infected with the NYB virus, NYB will become memory resident at the top of system memory but below the 640K boundary. Also at this time, the virus will infect the MBR. Once NYB is memory resident, it will infect diskettes when they are accessed on the infected system.
On double density 5.25" diskettes, the original boot sector will have been relocated to sector 11. On high density 5.25" diskettes, the original boot sector will have been relocated to sector 28. In both cases, these sectors are the last sector of the root directory of the diskette; any files whose directory entries were in these sectors will be lost.
NYB uses stealth techniques to avoid detection on the system hard disk as well as on diskettes. If you suspect that you have the NYB virus, power off the system and reboot from a clean write-protected diskette, then check the system hard disk for the virus.
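An added example, not part of the original descriptions: a check to run on a diskette image acquired after booting from a clean write-protected diskette, so that no stealth code intercepts the read. It derives the last root-directory sector from the FAT12 BIOS Parameter Block, which gives the sectors 11 and 28 quoted here and in the Monkey entry, then reports whether that sector still holds directory entries. It assumes the BPB in the image's boot sector is intact and that sectors are numbered as 0-based logical sectors; all function names and sample images are constructed for illustration.

```python
import struct

SECTOR = 512
# BPB fields at offset 11: bytes/sector, sectors/cluster, reserved sectors,
# FAT copies, root entries, total sectors, media byte, sectors per FAT
BPB = "<HBHBHHBH"

def last_root_dir_sector(boot: bytes) -> int:
    """0-based sector number of the last root-directory sector (FAT12 BPB)."""
    bps, _, reserved, fats, root_entries, _, _, spf = struct.unpack_from(BPB, boot, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    return reserved + fats * spf + root_sectors - 1

def classify(sector: bytes) -> str:
    """Heuristic guess at what a 512-byte sector holds."""
    if sector[0] in (0xEB, 0xE9) and sector[510:512] == b"\x55\xAA":
        return "boot-sector copy"          # jump opcode plus 55 AA signature
    for off in range(0, SECTOR, 32):       # 16 directory entries of 32 bytes
        first, attr = sector[off], sector[off + 11]
        if first not in (0x00, 0xE5) and (first <= 0x20 or attr & 0xC0):
            return "non-directory data"    # bad name byte or attribute bits
    return "directory entries"

def check_image(image: bytes):
    """Return (sector number, verdict) for the last root-directory sector."""
    lba = last_root_dir_sector(image[:SECTOR])
    return lba, classify(image[lba * SECTOR:(lba + 1) * SECTOR])

# --- constructed sample images: blank diskettes, no real virus code ---
def make_image(spc, root_entries, total, media, spf) -> bytearray:
    img = bytearray(total * SECTOR)
    img[0:3] = b"\xEB\x3C\x90"
    struct.pack_into(BPB, img, 11, SECTOR, spc, 1, 2, root_entries, total, media, spf)
    img[510:512] = b"\x55\xAA"
    return img

def demo():
    clean = make_image(2, 112, 720, 0xFD, 2)                  # 360K 5.25"
    relocated = make_image(2, 112, 720, 0xFD, 2)
    relocated[11 * SECTOR:12 * SECTOR] = relocated[:SECTOR]   # boot sector copied to 11
    overwritten = make_image(1, 224, 2400, 0xF9, 7)           # 1.2M 5.25"
    overwritten[28 * SECTOR:29 * SECTOR] = b"\xFF" * SECTOR   # arbitrary filler bytes
    return check_image(clean), check_image(relocated), check_image(overwritten)

if __name__ == "__main__":
    for lba, verdict in demo():
        print(f"sector {lba}: {verdict}")
```

A "boot-sector copy" or "non-directory data" verdict is only a prompt for closer inspection of the image; a diskette whose root directory is full will legitimately show directory entries in this sector.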
Total system memory, as indicated by the DOS CHKDSK program, decreases by 1,024 bytes. NYB does not contain any messages which are displayed on boot. Infected systems may experience intermittent seek errors upon disk accesses.
AntiCMOS
AntiCMOS is capable of erasing the system's CMOS or Setup information, but does not infect files on the system. Additionally, because this virus makes changes to the system's Master Boot Record (MBR), the user may experience problems during the boot-up process.
Indications of Infection
AntiCMOS is an MBR/Boot Sector infector. When a user attempts to boot from an AntiCMOS infected diskette (the boot does not need to be successful), the virus will infect the system's hard disk MBR; however, it does not become memory resident at this time. AntiCMOS becomes memory resident the next time the system is booted from the newly infected hard drive.
When the AntiCMOS virus is memory resident, total system and available free memory decreases by approximately 2,048 bytes. The payload for AntiCMOS is the erasure of CMOS and system setup information.
WAZZU
Wazzu is a small program that attaches itself to Word documents. It is a macro virus. Wazzu contains 1 macro, AutoOpen, which it uses to infect and spread throughout the Word environment.
Indications of Infection
When Wazzu is active in Word, it infects documents as they are opened.
Infected documents may have the word "wazzu" inserted in the document and/or up to 3 words rearranged.
All infected documents insist on being saved in the template directory.
Wazzu.F, a variant of Wazzu, displays the following text string:
FORM
Form is a Boot Sector, memory resident virus. The Form virus inhabits both a portion of high DOS memory and also the last two sectors on the hard drive. The virus does not infect files. Usually there is no damage done to data on the hard drive. However, it may corrupt the contents of infected diskettes.
Indications of Infection
On the hard drive, Form moves the original boot sector and a portion of itself and stores it in the last two sectors of the infected hard drive. If these sectors are overwritten by data at a later date, the system may hang during the boot-up process. However, you may still access the drive.
Form creates bad sectors on floppy diskettes. The virus is stored in the second sector of the diskette, and relocates the original data into the unused section of the File Allocation Table (FAT). The area of the FAT where the code is stored is marked as bad, so that the information will be preserved and remain undamaged.
One indication of the Form virus is a clicking noise produced when any key on the keyboard is pressed on the 18th day of any month. Please note that if a keyboard driver is used, the clicking noise is undetectable.
Another symptom of infection is that your system will hang on a failed disk read.
Stealth_C
Stealth_C is a memory resident, stealth virus which infects the system's Master Boot Record (MBR) and diskette Boot Sectors.
Indications of Infection
Upon infection, Stealth_C will become memory resident at the top of system memory but below the 640K DOS boundary. Stealth_C will also infect the Master Boot Record at this time.
Once the Stealth_C virus is memory resident, it will infect diskette boot sectors when non-write protected diskettes are accessed. Upon infection, Stealth_C will move the original boot sector to the last sector on the diskette.
This virus is a full stealth virus, hiding the infection on the system's hard disk and diskette boot sectors when the virus is memory resident. Therefore, it is important to be sure that the virus is not memory resident before attempting to scan a possibly infected system or diskette(s).
Systems infected with Stealth_C may experience difficulty loading some drivers and memory management software into memory, resulting in operational difficulties with programs which access upper memory blocks, such as Windows. It may also cause 32-bit disk or file access to be disabled.
Stealth_C causes the total system and available free memory to decrease by 4,096 bytes.
MDMA
MDMA is a macro virus which infects documents in the Microsoft Word environment. MDMA is destructive and has the potential to delete files. This virus infects across many platforms: Windows, Windows 95, Macintosh and Windows NT.
Indications of Infection
MDMA infects NORMAL.DOT and files using the AutoClose macro. Upon closing a document, it will be saved as a template with a copy of AutoClose.
MDMA activates on the first day of the month, if the virus is executed. The payloads for MDMA are as follows (organized according to operating system):
On Macintosh: Kill MacID$("****") (deletes all files)
On Windows 3.x: Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat
The following text is displayed in a message box:
"You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists)."
In the more destructive variant MDMA.C, the trigger date is altered. If the infected system is running Windows 3.1x, Windows NT or Windows 95, the trigger day is from the 21st to the 31st of the month. However, if an infected system is running under the Macintosh environment, the trigger day is any day greater than the 4th of the month. The above mentioned payloads are the same.
The MDMA.A macro virus contains the following macro when it infects a DOC or DOT file:
Junkie
Junkie is a multi-partite, memory resident, encrypting virus. Junkie specifically targets .COM files, the DOS boot sector on floppy diskettes and the Master Boot Record (MBR).
Indications of Infection
When the initial infection is in the form of a file infecting virus, Junkie infects the MBR or floppy boot sector, disables VSafe (an anti-virus terminate-and-stay-resident (TSR) program, which is included with MS-DOS 6.X) and loads itself at Side 0, Cylinder 0, Sectors 4 and 5. The virus does not become memory resident or infect files at this time. Later, when the system is booted from the system hard disk, the Junkie virus becomes memory resident at the top of system memory but below the 640K DOS boundary, moving interrupt 12's return. Once memory resident, Junkie begins infecting .COM files as they are executed, and corrupts .COM files.
The Junkie virus infects diskette boot sectors as they are accessed. The virus will write a copy of itself to the last track of the diskette, and then alter the boot sector to point to this code. On high density 5.25 inch diskettes, the viral code will be located on Cylinder 79, Side 1, Sectors 8 and 9.
This virus will cause .COM and .EXE files to grow in length by 1,030 to 1,042 bytes, with the virus inserted at the end of the file. CHKDSK also reports a decrease of 3,072 of total system and available free memory. This decrease may cause memory conflicts.
Junkie contains two encrypted messages:
"Dr White -Sweden 1994"
"Junkie Virus - Written in Malmo...MO1D"
These messages are not visible in files, but can be viewed in memory.