Virus.DOS.Kontragapi

Class Virus
Platform DOS
Description

Technical Details


It is a dangerous memory resident polymorphic parasitic virus. The
virus does work only if system date’s year is 1998, otherwise the virus
does not install itself into the system memory. While installing the virus
hooks INT 21h and writes itself to the end of COM files that are accessed.
The virus corrupts several anti-virus programs: if filename begins with F-,
TB, AV, VIR, SCAN, KILL (F-PROT, TBAV, AVP etc), the virus writes to the
file header a small program that displays the message:


kontragapi

This is the “Entry Point Obscuring” virus, i.e. there is no JMP_Virus
instruction at the file header. The virus uses one of standard tricks to
write the JMP_Virus to the middle of the file: it reads file header,
disassembles it at looks for suitable place for the JMP_Virus code.