ravensys.132
Description:
Details
RavenSys.1324
This is a memory-resident parasitic virus that is not dangerous. It appends itself to the end of SYS files (device drivers). The virus header contains the text "RAVEN00X". The virus hooks INT 21h and intercepts the DOS Exec call (4Bh); whenever any program is executed, it searches for SYS files and infects them.
When an infected driver is loaded into memory, the virus hooks INT 21h and stays memory resident. It does this in one of two ways, depending on system conditions. In the first, the virus leaves its TSR copy at the addresses where it was loaded. It then waits for the DOS ChangeMemory call (AH=4Ah), allocates a new block of memory and copies itself there. In the second, the virus writes its code to unused sectors on the first track of the hard drive and copies its 90-byte "loader" code into the interrupt vector table. Then, as in the first case, it waits for the DOS ChangeMemory call, allocates a block of memory and reads its code into it from the hard drive.
While installing itself memory resident, the virus displays the message:
+-+---- Raven Sys Infector 1.0 ----+-+
+-+-----------------------------------------------------------------+-+
+--+ Created By Stone Shadow +-:-
+-:-+ Copyright (c) 1995 - 96 By COEAC Viral System Development. +--
+-+-----------------------------------------------------------------+-+
+-+--- Creatures Of Electronic Anti Christ ---+-+
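A triage check built on the two traits described above, a SYS file with code appended at its end and the "RAVEN00X" text in the virus header. This is an added example, not code from the original write-up: the function name `triage_sys`, the header sanity heuristic and the sample bytes are assumptions constructed here, and the marker text alone is a weak indicator that should be confirmed against a known-clean copy of the driver.

```python
import struct

MARKER = b"RAVEN00X"             # text the page says sits in the virus header
HDR = struct.Struct("<IHHH8s")   # DOS driver header: next, attributes, strategy, interrupt, name

def triage_sys(data: bytes) -> dict:
    """Check one .SYS image for a driver header and the appended marker."""
    res = {"driver_header": False, "marker_offset": None,
           "tail_bytes": None, "verdict": "no-marker"}
    if len(data) >= HDR.size:
        next_ptr, _attrs, strategy, interrupt, _name = HDR.unpack_from(data)
        # Heuristic (assumption of this example): a file holding one driver ends
        # the chain with FFFF:FFFF and both entry offsets fall inside the file.
        res["driver_header"] = (next_ptr == 0xFFFFFFFF
                                and HDR.size <= strategy < len(data)
                                and HDR.size <= interrupt < len(data))
    # The page says the virus is written to the end of the file, so take the
    # last occurrence and skip the header bytes (a device may have any name).
    off = data.rfind(MARKER, HDR.size)
    if off != -1:
        res["marker_offset"] = off
        res["tail_bytes"] = len(data) - off   # bytes from marker to end of file
        res["verdict"] = "suspect" if res["driver_header"] else "marker-only"
    return res

def _driver(body: bytes) -> bytes:
    """Constructed minimal character-device image (not a working driver)."""
    return HDR.pack(0xFFFFFFFF, 0x8000, HDR.size, HDR.size + 4, b"TESTDRV$") + body

# Constructed samples: a clean image, the same image with only the marker text
# appended (no virus code), and a text file that merely mentions the marker.
CLEAN = _driver(b"\x00" * 64)
APPENDED = CLEAN + b"\x00" * 4 + MARKER + b"\x00" * 32
NOTES = b"write-up that mentions RAVEN00X in plain text"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", APPENDED), ("notes", NOTES)):
        print(name, triage_sys(blob))
```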