Selected viruses, spyware, and other threats: sorted alphabetically
Lion King
This is a parasitic, memory-resident, polymorphic, stealth COM and EXE infector. When an infected program is executed, the virus hooks interrupt INT 21h. It deactivates the resident driver TBAV and certainly also CPAV - MSAV (which is technically a much smaller problem). It infects files when they are run and when they are closed, writing itself to the end of the file. Before infecting a file, the virus checks whether its name contains one of the strings VIR, SCAN, CLEA, ANTI, CPAV, GUAR, SHIEL, KIT, TRAP, PAST, SOLO, TBAV, MSAV. If a filename contains such a string, that file is not attacked. The virus does not avoid the file COMMAND.COM. Furthermore, the virus tries to disable the integrity check. Its stealth works as follows: when an infected file is opened, the virus withdraws from it, and when the file is closed, it attacks it again. When certain utilities are run, the virus switches its disguise off. The virus activates on February 20th. On this day (and, with a smaller chance, on the following days) it writes the text:
Ja som virus Lion King Formatujem ti disk lebo devastujes prirodu
(Meaning: I am the virus Lion King. I am formatting your disk because you are devastating nature.)
The text is written, naturally, in green, and it deceives the viewer (perhaps intentionally): the virus does not format the disk but overwrites side zero of every hard disk cylinder with the contents of video RAM. The virus body contains another text string:
Vypadni z tejto casti RAM!
(Meaning: Get out of this part of RAM!)
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

