Selected viruses, spyware, and other threats: sorted alphabetically
Xuxa
This is a family of memory-resident, encrypted COM infectors. The only exception is the version Xuxa.1656, which also infects EXE files. Their common feature is an attempt to turn off the Vsafe resident protection.
Xuxa.1037, Xuxa.1088, Xuxa.1096
These COM infectors try to execute the file C:\DOS\FORMAT.COM each time an infected file is run. They infect files only when the files are opened, and they avoid the file COMMAND.COM. With the variants Xuxa.1037 and Xuxa 1047, a file is infected only if its size is in the range from 300 to 62000 bytes. Depending on the system date, the viruses hang the system and write the following text on the screen:
Xuxa.1037: Si no viste el Show de Xuxa por T.V, ni en vivo... ahora podes verlo en tu PC!. - XOU DA XUXA 1.0 By Leviathan.
Xuxa.1088: Si no viste el Show de Xuxa por T.V, ni en vivo... ahora podes verlo en tu PC!. - XOU DA XUXA 1.2 By Leviathan.
Xuxa.1096: Si no viste el Show de Xuxa por T.V, ni en vivo... ahora podes verlo en tu ' PC!. - XOU DA XUXA 1.2 ' By Leviathan.
Strings in the virus code give the names of files that are run (C:/DOS/FORMAT.COM), that are not infected (COMMAND.COM), or that are deleted if the virus finds them (CHKLIST.MS and ANTI-VIR.DAT).
Xuxa.1656
This variant differs from the previous ones in two ways: it also infects EXE files, and it adds a simple stealth procedure. When infecting, it redirects the INT 24h interrupt service. Instead of INT 21h it uses INT 3, after first making sure that INT 3 performs the identical function. It infects files between 4096 and 61000 bytes long. It does not infect programs whose names start with 'TB', 'SCA', 'SOL', 'TOO', 'CP' or 'F-'. It deletes the following files:
CHKIBM CHKLIST.MS ANTI-VIR.DAT CHKLIST.CPS
On Fridays in March, between 9 and 11 in the morning, the virus hangs the system and writes the following text on the screen:
Xuxa Park 1.0 t By Hades',0Ah; ... "Y luchemos para que todos los ninos delmundo tengan derecho a sonar, a sonar, por igual"
The virus also contains the following string in its encrypted body:
COMSPEC=COMMAND
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.

