zohra.416
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Zohra.4160
These are not dangerous memory resident parasitic polymorphic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed. They do not infect files, if file name contains one of sub-strings: TB, AV, SC, IV (TBAV, AVP, NAV, SCAN, all). The viruses also remove themselves from memory if WIN.EXE file is executed and "hide" their TSR code when MEM.EXE is executed.
The viruses use quite complex way to get original address of INT 21h handler - they disassemble code of INT 21h handlers up to the original handler in DOS kernel.
On April 14th the viruses display the message:
Zohra will live forever ! Necromancy with her...
They also contain the text:
[Zohra] virus by Wintermute/29A, dedicated to the best Necromancer of the
Forgotten Realms,... I assure you will live forever, my love... ;)
Copyright @2006 zohra.416