Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Mr. D

For this virus sometimes also names Scroll and Kato are used. This is an 3069>encrypted, memory 3075>resident, parasitic EXE infector. It increases the length of files by 1569 bytes. The virus is encrypted in a rather complicated way using the date of infection. Thanks to this it is much easier to find the source of infection. The author of the virus obviously concentrated his attention to making the virus analysis harder and he did not care much for disabling its detection. The virus hooks the interrupts INT 21h, INT 2Fh and sometimes also INT 1Ch. In the code there are several anti-debug and anti-disassembly tricks, but at the end of the infected file the following not coded text is clearly visible:

Mr. D ,Fuck DHWD from 048030, 048012670020 the worst...

The virus does not attack files containing the strings “VIR”, “MKS”, “AV”, “NV” and “TB” in their names. If it is installed on the 31st day of a month it activates a routine which after some time swaps characters in two different positions on the screen. If the virus is installed during the 11th minute of any hour it activates a routine that gradually moved the screen downwards. Such a variability of activities is quite confusing for many users.

© 1992-2004 ESET s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.