Selected viruses, spyware, and other threats: sorted alphabetically
The author of this family of viruses is known under the nickname Priest and he proclaims that he belongs to the group Phalcon/Skism.
This is a resident encrypted stealth virus. When infected file is executed the virus will install itself into memory. It will redirect the interrupt INT 21h and INT 13h to its code in memory. It infects only COM type files longer than 1000 bytes when they are executed or opened. After reading a random number of sectors through INT 13h it will randomly alternate one byte. It marks the files so that 100 years are added to the year of the file origin. In the body of the virus there is the following encrypted text:
Predator virus (c) Mar. 93 Priest .COM
Predator.1063, Predator.1137, Predator.1148, Predator.1154,Predator.1195
Apart from minute differences in the virus code there are alternations in the text encrypted in the virus. The text reads as follows:
Predator virus (c) Mar. 93 In memory of all those who were killed... Wookies ain't the only ones that drop! Priest
Text encrypted in the virus reads as follows:
Predator Strain B (c) 1993 Priest - Phalcon/Skism
This is a resident, encrypted, stealth, multi-partite COM and EXE infector. Files are being infected when they are executed and opened. Upon infecting the files their extension is being checked on presence of COM characters. In case of agreement the file is infected as COM file. If there is an EXE header present the virus will infect such a file as an EXE one. When the file is executed the virus infects hard disk’s MBR. The virus then infects files as well as diskettes, and that makes it different from most of other multi-partite viruses.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.