Fab.1755
It is a dangerous memory resident parasitic virus, packed with the LzExe utility. It hooks INT 21h and writes itself to the beginning of EXE files that are executed or opened.
When an infected file is executed, the virus unpacks itself, gets the name of the host file, reads its own packed code from that file and keeps it in memory for infecting other files. The virus then allocates a block of system memory, creates a Program Segment Prefix there, reads the host file into that block, restores the necessary fields and passes control to that block, i.e. to the host program.
To stay memory resident the virus patches the MCB list, marks its memory block as a system block, traces INT 21h and hooks it. The routine it uses to trace INT 21h is quite unusual. The virus allocates a block of system memory, obtains the segment of the DOS code by means of an undocumented DOS function, copies the DOS code to that block and fills (erases) the DOS segment with the byte CCh (the INT 3 opcode). It then hooks INT 3 and calls INT 21h. The call passes through all installed INT 21h handlers until it reaches the erased DOS segment and executes a CCh opcode. The system raises INT 3, the virus receives control, records the address of that CCh opcode (i.e. the address of the original INT 21h handler) and restores the code of the DOS segment. As a result the virus traces INT 21h and obtains the address of the DOS INT 21h handler without hooking INT 1 and without setting the trace flag.
While infecting a file the virus creates a temporary file named $$$$$$$$, writes its packed code (which it read and kept in memory while installing itself) to that file, appends the code of the victim file to it, then deletes the original file and renames the temporary file to the original name.
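As an added triage example (not part of the original description and not code from the virus), the following Python parses the DOS MZ header of an EXE image and reports two things a responder can use when examining files this virus touches: whether the header carries an LZEXE packer tag (LZEXE 0.90 and 0.91 write "LZ09" or "LZ91" into the reserved field at offset 0x1C) and whether the file holds data beyond the image size the header declares, which is the kind of trailing payload a prepending infector leaves behind. The sample byte strings are constructed; an LZEXE tag by itself is not evidence of infection, since many clean programs of the era were packed the same way.

```python
import struct

# Tags LZEXE 0.90 / 0.91 leave in the reserved header field at offset 0x1C.
LZEXE_SIGNATURES = (b"LZ09", b"LZ91")

# Named fields of the fixed MZ header, 13 little-endian words at offsets 0x02..0x1B.
MZ_FIELDS = (
    "bytes_last_page", "pages", "relocations", "header_paragraphs",
    "min_alloc", "max_alloc", "init_ss", "init_sp", "checksum",
    "init_ip", "init_cs", "reloc_table_offset", "overlay",
)


def parse_mz_header(data: bytes) -> dict:
    """Parse the fixed part of a DOS MZ header into a dict of named fields.

    Raises ValueError when the data does not start with an MZ signature.
    """
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not a DOS MZ executable")
    hdr = dict(zip(MZ_FIELDS, struct.unpack_from("<13H", data, 2)))
    hdr["reserved_1c"] = data[0x1C:0x20]            # where LZEXE writes its tag
    # File offset of the entry point: header size plus the (relative) CS:IP pair.
    hdr["entry_offset"] = (hdr["header_paragraphs"] + hdr["init_cs"]) * 16 + hdr["init_ip"]
    return hdr


def declared_image_size(hdr: dict) -> int:
    """Image size as the header states it: whole 512-byte pages plus the last partial page."""
    if hdr["bytes_last_page"] == 0:
        return hdr["pages"] * 512
    return (hdr["pages"] - 1) * 512 + hdr["bytes_last_page"]


def is_lzexe_packed(data: bytes) -> bool:
    """True if the MZ header carries an LZEXE packer tag."""
    return parse_mz_header(data)["reserved_1c"] in LZEXE_SIGNATURES


def triage(data: bytes) -> list:
    """Return short findings a responder might log for one EXE image."""
    try:
        hdr = parse_mz_header(data)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if hdr["reserved_1c"] in LZEXE_SIGNATURES:
        findings.append("lzexe-packed: %s" % hdr["reserved_1c"].decode("ascii"))
    extra = len(data) - declared_image_size(hdr)
    if extra > 0:
        findings.append("%d bytes beyond declared image" % extra)
    return findings


def build_sample(tag: bytes, trailing: bytes) -> bytes:
    """Constructed sample: a 32-byte MZ header, 100 NOP bytes of 'code', optional trailing data."""
    body = b"\x90" * 100
    header_len = 32
    total = header_len + len(body)                   # 132 bytes of declared image
    header = b"MZ" + struct.pack(
        "<13H",
        total % 512,            # bytes in last page
        (total + 511) // 512,   # pages
        0,                      # relocations
        header_len // 16,       # header size in paragraphs
        0, 0xFFFF,              # min / max extra paragraphs
        0, 0x100,               # initial SS:SP
        0,                      # checksum
        0, 0,                   # initial IP / CS
        0x1C,                   # relocation table offset
        0,                      # overlay number
    ) + tag.ljust(4, b"\0")
    return header + body + trailing


SAMPLE_PLAIN = build_sample(b"", b"")
SAMPLE_PACKED = build_sample(b"LZ91", b"\xAA" * 64)   # packed tag plus 64 trailing bytes

if __name__ == "__main__":
    for name, image in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(name, triage(image) or ["no findings"])
```

The size check is the more useful of the two signals for a prepending infector, because the header at the front of an infected file belongs to the virus and describes only its own image, so the original host trails behind the declared size.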
If an error occurs while the virus is installing itself in memory, it displays the following message and returns to DOS:
Error in all?... file
("...?..." is "EXE" in Cyrillic encoding). Depending on the system timer, if the system is in a video mode, the virus calls a randomly selected DOS function, which can halt the system.