cascade.149
Description:
Details
Cascade.1491
This is a memory-resident virus. Its body, except for the first 32 bytes, is encrypted, with the length of the infected file used as the key. That is why two samples of the same virus will in most cases coincide only in the first 32 bytes.
When an infected program is executed, a JMP instruction transfers control to the beginning of the virus. With its first instructions the virus determines the length of the source file and decrypts its body.
On creating its memory-resident copy, the virus:
copies its body into the highest addresses of memory;
moves the body of the main program into the highest addresses of memory;
moves the virus body into the cleared area above the main program body;
points INT 1Ch, 21h and 28h at its own copy.
[Diagram: memory layout during relocation, with regions labelled Program, Free memory, Virus and Virus (copy).]
The virus infects only COM files, as they are loaded into memory for execution. Infection is carried out by the standard method. The most widespread versions of this virus do not reinfect files.
The virus changes interrupt vectors 1Ch, 21h and 28h. It also produces a specific video effect, in which letters crumble down the screen; it does not have destructive functions.
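An added example, not part of the original description: a check over a dump of the real-mode interrupt vector table that flags the situation described above, where INT 1Ch, 21h and 28h all point at handlers near the top of conventional memory. The 640 KiB top-of-memory value, the 8 KiB window and both sample tables are assumptions constructed for illustration.

```python
import struct

HOOKED = (0x1C, 0x21, 0x28)  # vectors the description says are redirected
IVT_SIZE = 256 * 4           # real-mode table: 256 entries of offset:segment

def read_vector(ivt, n):
    """Return (segment, offset) for interrupt n (little-endian offset, then segment)."""
    off, seg = struct.unpack_from("<HH", ivt, n * 4)
    return seg, off

def linear(seg, off):
    """20-bit physical address of a real-mode far pointer."""
    return ((seg << 4) + off) & 0xFFFFF

def check_ivt(ivt, conv_top=0xA0000, window=0x2000):
    """Report handlers for HOOKED that sit in the last `window` bytes of
    conventional memory. conv_top and window are assumed thresholds."""
    if len(ivt) < IVT_SIZE:
        raise ValueError("IVT dump must be at least 1024 bytes")
    hits = {}
    for n in HOOKED:
        seg, off = read_vector(ivt, n)
        addr = linear(seg, off)
        if conv_top - window <= addr < conv_top:
            hits[n] = f"{seg:04X}:{off:04X}"
    # Only the full set of three matches the behaviour described on this page.
    return {"suspicious": len(hits) == len(HOOKED), "hits": hits}

def make_ivt(vectors):
    """Build a constructed 1 KiB IVT; unspecified entries point at F000:FF53."""
    table = bytearray(struct.pack("<HH", 0xFF53, 0xF000) * 256)
    for n, (seg, off) in vectors.items():
        struct.pack_into("<HH", table, n * 4, off, seg)
    return bytes(table)

# Constructed samples, not captured from a real machine.
CLEAN = make_ivt({0x21: (0x0019, 0x40F8), 0x28: (0x0019, 0x4100)})
HOOKED_DUMP = make_ivt({0x1C: (0x9F80, 0x0120),
                        0x21: (0x9F80, 0x0234),
                        0x28: (0x9F80, 0x0310)})

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("hooked", HOOKED_DUMP)):
        print(name, check_ivt(dump))
```

A ROM handler such as F000:FF53 lies above `conv_top` and is therefore not counted, and a table with only one or two of the three vectors in the window is reported but not marked suspicious.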
Sometimes it displays the message:
IL SISTEMA FOTTUTO!!
S.E.K. VIRUS Made in ITALY RM
5iD G.Ferraris 90/91 (c)
Then it erases the disk sectors. It also deletes the CHKLIST.CPS file.
Copyright @2006 cascade.149