tenbytes.141
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
TenBytes.1411
This is a dangerous, memory resident parasitic virus. It hooks INT 21h, and writes itself to the end of COM and EXE files that are loaded into the memory. While infecting COM files, the virus writes the 32-byte Jmp-Virus routine to the beginning of the file. In infected EXE files, there are two possible variants of the entry offset in the virus code.
The virus activates only when the interrupt handler contains the word FC80h (this condition is always met if INT 21h points in DOS to the original system handler). Then the virus patches the first five bytes of the INT 21h handler with JMP FAR Loc_Virus instruction, copies itself to the system memory at the address 9800:0000, and does not fix the MCB list. This might halt the computer. The virus also hooks INT 1 and 3, and disables the debugger.
Starting from September 1st, while writing to the disk (INT 21h,AH=40h), the virus changes the address of the data buffer, and as a result, corrupts the data that is saved on the disk.
Copyright @2006 tenbytes.141