noki.44
Description:
Noki.448
This is a very dangerous, memory-resident parasitic virus. When executed, the virus copies its code into video memory at address BD00:0000 and saves its code to hard drive sector 17 (17/0/0 - sector/track/head). It then copies its INT 21h handler code (39 bytes) into the Interrupt Vector Table, hooks INT 21h, and returns control to the host file.
The virus intercepts file execution (AX=4B00h), reads its code from hard drive sector 17 into video memory, and jumps to it. The infection routine then gains control and infects EXE files that contain a 448-byte "cave" of zero bytes. The virus overwrites that cave and returns from the infection routine, so the file length does not grow during infection.
On the 17th of odd months (January, March, and so on), the virus corrupts the MBR of the hard drive. The virus contains the following text string:
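Because the file length does not change, an integrity check that compares only file sizes misses this kind of cavity overwrite, while a content hash catches it. The Python sketch below is an added example, not part of the original description; the function names, sample buffers and marker bytes are constructed for illustration.

```python
import hashlib

CAVE_LEN = 448  # cave size stated in the description above

def zero_runs(data: bytes, min_len: int = CAVE_LEN):
    """Return (offset, length) for every run of zero bytes at least min_len long."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start))
            start = None
    # A qualifying run may extend to the end of the file.
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs

def baseline(data: bytes) -> dict:
    """Record what an integrity checker should store for a known-clean file."""
    return {"size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "caves": zero_runs(data)}

def audit(data: bytes, base: dict) -> dict:
    """Compare a file with its baseline; list baseline caves that are no longer all zero."""
    filled = [(off, n) for off, n in base["caves"] if any(data[off:off + n])]
    return {"size_changed": len(data) != base["size"],
            "hash_changed": hashlib.sha256(data).hexdigest() != base["sha256"],
            "filled_caves": filled}

# Constructed sample: "MZ" stub, a 448-byte zero run at offset 64, then filler.
clean = b"MZ" + b"\x90" * 62 + b"\x00" * CAVE_LEN + b"\xCC" * 100
# Constructed stand-in for a cavity overwrite: same length, inert marker bytes.
modified = clean[:64] + b"\xAA" * CAVE_LEN + clean[64 + CAVE_LEN:]

def demo() -> dict:
    return audit(modified, baseline(clean))

if __name__ == "__main__":
    print(demo())
```
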
NOKI
Copyright @2006 noki.44