Threat Encyclopedia

Virus, spyware, worms and other threat descriptions


Kaczor

This is a multipartite, resident, stealth EXE infector. It uses the successful strategy known from the PL viruses and from OneHalf. It seems to be another developmental stage of the virus Pieck. When an infected file is opened, the virus tunnels the interrupts INT 13h and INT 21h and hooks them. It tries to infect the MBR and attacks only EXE files that are being transferred to removable media. When infected files on the hard disk are accessed, it disinfects them. Kaczor increases the file length by 4444 bytes. Its date of activation is March 3rd. On that day, from the year 1995 onward, Kaczor shakes the screen. In addition, this virus is very well concealed. The body is encrypted even in memory, and only the parts currently being executed are decrypted. The reason for this is to make the virus much harder to detect by pattern matching. This virus has two secret “cheats” built in. If, immediately after starting the computer (before the system is loaded), you type “test”, the virus will display interesting technical data about the infection, for example:

Wersja ...........2
Kodovanie ........9
Licznik HD .......9

The second “cheat” is even better. If you enter “kaczor”, the virus commits suicide: it removes itself from the MBR and writes:

Zrobione.
(Meaning: Done.)

The texts in the virus make it clear that the country of origin is Poland.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.