Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically


Dodgy is a boot virus with length of 2 sectors, i.e. 1024 bytes. For its activity it needs a computer with processor type 80186 and higher. It is compatible with the operating system Windows 95.
Upon booting from an infected diskette the virus attacks the hard disk’s MBR. It moves its body to the side one of the hard disk, into the 14th and 15th sector. If the virus is active in memory, instead of displaying these sectors containing the virus, the contents of the 13th sector are displayed. The virus contains a mechanism which should overcome the BIOS protection against boot viruses – it simulates pressing the key “Y” and thus enables write into MBR.

When the virus is activated from the hard disk, it reserves 1 kb of memory below the top of memory, redirects the interrupts INT 8h, INT 13h and INT 40h service to its code, and by means of the interrupt INT 19h it loads the operating system. Virus which has already been active in memory, secures that the original contents of MBR are entered into memory and will not be attacked repeatedly.
The interrupt INT 8h service checks whether the string "PEC=" is in memory. By that the virus effectively finds out whether the operating system has already been loaded. If it was, the virus redirects the interrupts INT 21h and INT 2Fh service to its code .At the same time the virus increases, by manipulating with the variable on the address 0:413h, the amount of system memory by 1 kb. As a result of this activity no decrease of memory caused by virus body can be seen.
The interrupt INT 21h service prevents the anti-virus program RAV from being executed. If any program is run, which has name starting with the string RAV, the virus will execute the activating routine.
By means of the interrupt INT 2Fh service the virus checks loading of the operating system Windows into memory and deletes the diskette controller SYSTEM\IOSUBSYS\HSFLOP.PDR. In case that while working in Windows a program with name starting with the string RAV is executed the virus runs the activating routine, but it does so only after Windows was left.
In addition to this the virus tries to infect the boot sector of each diskette in the drive which is not write-protected. The virus locates its body into the last sectors of the root directory.
The virus contains a dangerous activation routine. Three months after the computer was infected the virus deletes sectors on the disk. When doing so it switches the keyboard off and displays the following text in the graphic mode:

RAVage is wiping data! RP&muRphy

This text is visible at the end of the second sector with the virus body, but it is written backwards in the following form:

yhPRum&PR !atad gnipiw si egaVAR

The activation routine is run also when an attempt is done to execute the anti-virus program RAV. That suggests that the virus originates from Romania.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.