qphs.293
Description:
Details
QPHS.2931
This is a memory-resident multipartite virus that is not dangerous. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 9, 13h and 21h, and stays memory resident. While infecting the hard drive, the virus encrypts the original Partition Table. When the MBR is read, the virus calls its stealth routine and returns the Partition Table in its original form.
When the system boots from the infected MBR, the virus hooks INT 8, 9, 12h and 13h, waits for DOS to load, and then hooks INT 21h. The virus uses INT 12h to hide itself in system memory during the DOS installation procedure.
By hooking INT 21h, the virus intercepts the opening, execution and searching of COM and EXE files. It writes itself to the end of files on the A: and B: drives only, and disinfects infected files on other disks.
The virus pays special attention to the execution of LOGIN.EXE: it saves the command line and the characters entered from the keyboard while LOGIN.EXE is running. This trick allows the virus to intercept login commands (user names and passwords).
The virus intercepts the characters entered from the keyboard. When the "QPHS" string is entered, the virus displays the intercepted login commands. When the "PERFECT" string is entered, the virus disinfects itself in the MBR of the hard drive.
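Because the stealth routine returns the original Partition Table when the MBR is read on a running infected system, a check has to use a raw copy of sector 0 taken after booting from clean media. The following is an added example, not part of the original description: it assumes a 512-byte MBR image and that an encrypted table fails ordinary structural checks (a heuristic, not a signature for this virus). `check_mbr`, `build_sample` and the XOR stand-in are hypothetical names and data constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 0x1BE   # four 16-byte partition entries start here
ENTRY_SIZE = 16

def check_mbr(sector, disk_sectors):
    """Return a list of structural problems found in a raw MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    problems = []
    if sector[510:512] != b"\x55\xaa":
        problems.append("missing 55 AA boot signature")
    active = 0
    for i in range(4):
        start = TABLE_OFFSET + i * ENTRY_SIZE
        entry = sector[start:start + ENTRY_SIZE]
        if entry == bytes(ENTRY_SIZE):
            continue  # unused slot
        boot_flag, ptype = entry[0], entry[4]
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)
        if boot_flag not in (0x00, 0x80):
            problems.append(f"entry {i}: boot flag {boot_flag:#04x} is not 00 or 80")
        if boot_flag == 0x80:
            active += 1
        if ptype == 0:
            problems.append(f"entry {i}: non-empty entry with type 00")
        if lba_count == 0 or lba_start + lba_count > disk_sectors:
            problems.append(f"entry {i}: extent outside the disk")
    if active > 1:
        problems.append("more than one active partition")
    return problems

def build_sample(scramble):
    """Constructed sample: one active FAT16 partition on a 40 MB disk."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                        0x06, b"\x0f\x3f\x4f", 17, 81583)
    table = entry + bytes(48)
    if scramble:
        # Stand-in transform only; the description does not say how
        # the virus encrypts the table.
        table = bytes(b ^ 0x5A for b in table)
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"

if __name__ == "__main__":
    for label, scramble in (("clean", False), ("scrambled", True)):
        print(label, check_mbr(build_sample(scramble), 81920))
```

An empty result does not prove the sector is clean; it only means the table is structurally plausible.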
Copyright @2006 qphs.293