demiurg.306
Description:
Details
Demiurg.3061
It is a dangerous memory-resident, encrypted, multipartite stealth virus. It writes itself to the end of COM and EXE files that are created on (copied to) floppy disks, and to the MBR of the hard drive.
When an infected file is executed, the virus traces INT 13h, 21h and 2Ah, hooks INT 13h and INT 2Ah, then infects the MBR of the hard drive and stays memory resident. When loading from an infected MBR, the virus hooks INT 13h and 1Ch, waits for DOS to finish loading, and then hooks INT 2Ah.
To hook INT 13h the virus patches the DOS kernel in the HMA at fixed offsets. It writes an INT CEh call (CDh CEh) there and hooks INT CEh. These offsets are correct for DOS 6.x and may not be correct for other DOS versions, so the virus can halt the system. The virus has other bugs, and can halt the system while loading from an infected MBR.
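A defender-side check for the INT CEh patch described above, added here as an illustration and not taken from the original description: it reads a raw real-mode memory image, looks up the INT CEh vector in the interrupt vector table, and lists CDh CEh byte pairs inside the HMA. The flat image layout (dump starting at linear address 0), the function names, the "vector is non-zero" heuristic and the sample addresses are assumptions; a hit is a lead to inspect, since CDh CEh can also occur as ordinary data.

```python
import struct

HMA_START = 0x100000          # linear address of FFFF:0010
HMA_END = 0x10FFF0            # one past FFFF:FFFF
INT_CE_OPCODE = b"\xCD\xCE"   # encoding of "INT CEh", as given in the description

def ivt_vector(mem: bytes, intno: int) -> tuple[int, int]:
    """Return (segment, offset) stored in the real-mode IVT for intno."""
    off, seg = struct.unpack_from("<HH", mem, intno * 4)
    return seg, off

def find_int_ce_calls(mem: bytes) -> list[int]:
    """Linear addresses of every CD CE byte pair inside the HMA."""
    hits, pos = [], mem.find(INT_CE_OPCODE, HMA_START, HMA_END)
    while pos != -1:
        hits.append(pos)
        pos = mem.find(INT_CE_OPCODE, pos + 1, HMA_END)
    return hits

def check_image(mem: bytes) -> dict:
    """Flag an image where INT CEh is hooked and the HMA contains INT CEh calls."""
    seg, off = ivt_vector(mem, 0xCE)
    hits = find_int_ce_calls(mem)
    vector_set = (seg, off) != (0, 0)   # assumption: unused vector is 0000:0000
    return {
        "int_ce_vector": f"{seg:04X}:{off:04X}",
        "vector_set": vector_set,
        "hma_hits": hits,
        "suspicious": vector_set and bool(hits),
    }

def build_sample(patched: bool) -> bytes:
    """Constructed memory image; all addresses are made up for the demo."""
    mem = bytearray(HMA_END)
    if patched:
        struct.pack_into("<HH", mem, 0xCE * 4, 0x0120, 0x9F00)  # offset, segment
        mem[HMA_START + 0x1234:HMA_START + 0x1236] = INT_CE_OPCODE
    return bytes(mem)

if __name__ == "__main__":
    for label, patched in (("clean", False), ("patched", True)):
        print(label, check_image(build_sample(patched)))
```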
The virus's INT 13h handler is used only to call the stealth routine and hide the infected MBR. By hooking INT 2Ah the virus receives control from the DOS kernel and intercepts file access calls. It infects files on floppy disks only, and only those that are created and then closed, or that are accessed with FindFirst/Next ASCII calls. When an infected file is opened, the virus disinfects it.
When the A-Dinf-. file is opened, the virus checks the system, and in some cases erases its code from the hard drive. When loading from such a disk, the system halts.
The virus contains the text strings in Russian and:
Demiurg.
LORD
Copyright @2006 demiurg.306