Threat Encyclopedia


Animals.2400

This is a memory-resident, encoded, semi-stealth COM and EXE infector with a body length of 2400 bytes. Its decoder uses a rather simple but effective debugging trick, which may cause some antivirus programs to miss the virus. Once the virus is active, on the 25th day of every month except July it displays, with a probability of 1 in 16, the following message:

Toto je ostrá verze viru ANIMALS_97
Zastavte týrání zvírat, sic se Vám to jednou všechno vrátí !!!
Zlej Králík
Zdravím: Mloka, Filtráka, POPa a všechny pekný holky.

After the text is displayed, the virus waits until a key is pressed. It then attempts to deactivate some resident protections: the NOHARD and NOFLOPPY utilities, VSAFE, and the drivers of the TBAV antivirus system in the following list:

TBMEMXXX
TBCHKXXX
TBDSKXXX
TBFILXXX

The deactivation routine is a modification of code originating from the virus EMM: Level_3. The virus checks whether it is already installed in memory. If it is not, it reserves 2400 bytes for its own use and moves itself into them. It then redirects INT 21h and INT 8 to its body. By means of INT 8 the virus sometimes manipulates the video card's colour settings. Suitable files are infected when they are executed. The virus avoids files that have the strings "AV" and "AN" in their names, and also some other files. It infects COM files only if their length is between 3525 and 63000 bytes. The virus body contains the following text:

Díky Vývojár

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.