Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Cawber is a partially coded EXE infector with implemented stealth technology. It attacks files after they are executed by adding its body to the files end. The virus controls its presence in memory so that CS and SS are identical already at the start of the infected file, and at CS: 0 the identifier “T4” is seen. At the beginning of the virus body the DOS version is being found out. The virus controls this sub-function, and if it finds presence of an identifier it starts the infected program. This is not a typical way how viruses find out their presence in memory. Another peculiarity is the way in which the virus redirects interrupt INT 21h to its own body. There is a coded text in the body


and the following fragment of an artist’s work:

There Once Was A King, Who Called For The Spring
For His World Was Still Covered In Snow
But The Spring Had Not Been, For He Was Wicked And Mean ...
Here I'm Sitting And It's Getting Cold
The Morning Rains Against My Window Pane
While The World Looks So Cold And Grey
In My Mind I Dream Away
Then I'm On My Way To Tropic Islands
You'd Always Say I Was A Dreamer
You Were Right
What Do I Say When It's All Over ?
And SORRY Seems To Be The Hardest Word ...

The virus uses this fragment for its destructive activity. On certain days of the year, when for writing into the file “file handle” at least 5 is used, the above mentioned text will be written into the file instead of data, and the rest will be formed by random bytes.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.