Description
Nexiv_Der.3886

It is a very dangerous memory-resident, polymorphic, multipartite virus. It infects disk boot sectors and COM files only, and the virus code is polymorphic both in infected files and in infected boot sectors.
When an infected file is executed, the virus infects the first boot sector of the hard drive and returns control to DOS. When the system is booted from an infected boot sector, the virus hooks INT 13h, waits for the DOS loading procedure to complete, hooks INT 21h, and then infects COM files as they are executed and floppy boot sectors as the floppy drives are accessed.
When the system is booted from an infected floppy disk, the virus also infects the first boot sector of the hard drive.
The virus uses a rather complex routine to infect COM files. It reads 20h bytes from the file header, checks that the file is in COM format, hooks INT 3h and INT 13h (a second INT 13h handler, in addition to the one installed at boot), and returns control to the original INT 21h code. While disk files are being read through INT 13h, the virus compares the data read with those 20h header bytes, waiting for the moment when DOS loads that file into memory in order to execute it. It then patches the first byte of the read buffer with the opcode CCh (INT 3) and lets INT 13h continue. As a result, when the file is loaded into memory, the first instruction executed is a call to INT 3.
The virus intercepts that call, restores the original byte that was overwritten with CCh, hooks INT 1 (single-step trace) and traces execution of the file. While tracing, it skips 256 or more instructions, then waits for a JMP or CALL instruction and overwrites that JMP/CALL with a JMP to the virus code (JMP_to_virus). It then encrypts itself and writes itself to the end of the file.
As a result, the JMP_to_virus code is written into the middle of the file and the file header is not modified, so a check that only compares the first bytes of the file will not notice the infection.
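Because the header stays intact, the visible trace of this infection is elsewhere: a near JMP/CALL somewhere in the file whose target lands in a tail that was appended to the original program. The following is an added example, not Webroot's code and not the virus author's, of a heuristic check for exactly that trace. The toy COM host, the 16-byte stand-in for the encrypted body and the function names are constructed for this illustration; the page does not say that the overwritten instruction is the near form (opcode E8h/E9h with a 16-bit displacement), nor how long the appended body is, so both are assumptions here.

```python
"""Heuristic check for a mid-file JMP_to_virus patch in a COM file.

Added example, not code from the page. Assumptions not stated there:
- the overwritten JMP/CALL is the near form (E8h/E9h + rel16);
- the length of the appended body is known (BODY_LEN; the toy uses 16 bytes).
"""
import struct

HEADER_LEN = 0x20   # the 20h header bytes the virus reads and matches on INT 13h
BODY_LEN = 16       # constructed placeholder body length for the toy host


def build_sample_com(infected: bool) -> bytes:
    """Constructed toy host: a few instructions, NOP filler, CALL print, exit.

    The CALL that gets patched sits at offset 23h, beyond the 20h-byte header,
    which is all the header check below depends on. The 256-instruction skip
    the virus performs while tracing is not modelled; the NOPs merely stand in
    for the host's earlier instructions.
    """
    host = bytearray()
    host += b"\xB4\x09"                 # 0000: mov ah,09h
    host += b"\xBA\x2E\x01"             # 0002: mov dx,012Eh   (message below)
    host += b"\x90" * 0x1E              # 0005: NOP filler up to offset 23h
    host += b"\xE8\x05\x00"             # 0023: call print      (target 002Bh)
    host += b"\xB8\x00\x4C"             # 0026: mov ax,4C00h
    host += b"\xCD\x21"                 # 0029: int 21h         (exit)
    host += b"\xCD\x21"                 # 002B: print: int 21h
    host += b"\xC3"                     # 002D: ret
    host += b"Hi$".ljust(64, b"\x00")   # 002E: message plus a zeroed buffer
    if infected:
        # Constructed stand-in for the encrypted virus body appended at the end.
        body = bytes(range(0xA0, 0xA0 + BODY_LEN))
        body_off = len(host)
        patch_off = 0x23
        # Overwrite the 3-byte near CALL with a 3-byte near JMP to the body;
        # rel16 is relative to the next instruction (patch_off + 3).
        rel = body_off - (patch_off + 3)
        host[patch_off:patch_off + 3] = b"\xE9" + struct.pack("<h", rel)
        host += body
    return bytes(host)


def find_tail_transfers(data: bytes, body_len: int = BODY_LEN):
    """Return (offset, target) for each near JMP/CALL whose target lies in the
    last body_len bytes of the file.

    File offsets are used throughout: the COM load base (100h) is added to
    both the instruction address and its target, so it cancels out of the
    relative displacement. This is a byte scan, not a disassembly, so operand
    bytes that happen to equal E8h/E9h can produce false positives.
    """
    hits = []
    if len(data) <= body_len:
        return hits
    tail_start = len(data) - body_len
    for off in range(len(data) - 2):
        if data[off] not in (0xE8, 0xE9):
            continue
        rel = struct.unpack_from("<h", data, off + 1)[0]
        target = off + 3 + rel
        if tail_start <= target < len(data):
            hits.append((off, target))
    return hits


def header_unchanged(clean: bytes, suspect: bytes) -> bool:
    """True when the first 20h bytes match, i.e. a header-only check passes."""
    return clean[:HEADER_LEN] == suspect[:HEADER_LEN]


if __name__ == "__main__":
    clean, sick = build_sample_com(False), build_sample_com(True)
    print("header unchanged:", header_unchanged(clean, sick))
    print("clean host   :", find_tail_transfers(clean))
    print("infected host:", find_tail_transfers(sick))
```

On the constructed host the header comparison passes for both copies, while the tail check finds nothing in the clean file and reports the patched instruction at offset 23h pointing at the appended body in the infected one. A production scanner would decode instructions rather than scan for opcode bytes, and would take the body length from the sample rather than from a constant.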
The virus checks several conditions while infecting files in order to avoid corrupting them, but it may nevertheless corrupt a file during infection. When infecting the hard drive, the virus destroys the system data on drive C: if the hard drive has 20 or fewer sectors per track.
The virus does not manifest itself in any other way. It contains the text string:
Nexiv_Der takes on your files

Updated: 02/24/2006
Copyright © 2006 Webroot Software Inc.