Virus.DOS.TakeControl

Class Virus
Platform DOS
Description

Technical Details


It is a dangerous memory resident parasitic polymorphic virus. It
writes itself to the end of EXE files and the COMMAND.COM file. When an
infected EXE file is executed, the virus infects the C:\COMMAND.COM and
C:\DOS\COMMAND.COM files, if they exist, and then returns control to the
host EXE program. The virus does not check the internal format of
COMMAND.COM and corrupts that file if it has the EXE internal format
(Win95 COMMAND.COM).


When an infected COMMAND.COM is executed, the virus hooks INT 21h, stays
memory resident and infects EXE files that are executed.


The virus leaves only about half of its code in memory, about 2.8Kb. While
infecting a file, the virus reads its complete code from the
C:\COMMAND.COM file and then writes this code to the EXE file.


The virus checks file names and does not infect files whose names match an
entry in the following string (four bytes per name: 3P.E*, AHEL*.*,
ALIK*.*, APPE*.* and so on):


3P.EAHELALIKAPPEASTAATTRAVASAVG.AZORBINOBOOTBUILCHKDCLEADEFRDFA.DISK
DOSXDPMIDRVSDSWAEMM3EXE.EXEMEXPAF-PRFASTFC.EFDISFINDGPEGGUARHIEWINI.
INSTINTEKERNKRNLLABELGUAMAKEMANDMEMMMOVEMSBAMSCDMSD.MWBANAV.NLSFPAST
PCC.POWEREX.REPLRESTRTM.SCANSETVSHARSHIESMARSORTSUBSTB.ETEMCTRAPTSAF
UCOMUEXEUNDEVCOPVGUAVIRSVIRTVIRUVIVEVS.EVSHIWIN.WINSWSWAXCOP
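
For triage, the packed string above can be split into its four-byte entries and checked against file names, which shows which executables the virus would have passed over. This is an added example, not code from the original description; the matching rule (first four characters of the upper-cased NAME.EXT) and the sample paths are assumptions.

```python
import ntpath

# Exclusion string copied from the description above (four bytes per entry).
SKIP_STRING = (
    "3P.EAHELALIKAPPEASTAATTRAVASAVG.AZORBINOBOOTBUILCHKDCLEADEFRDFA.DISK"
    "DOSXDPMIDRVSDSWAEMM3EXE.EXEMEXPAF-PRFASTFC.EFDISFINDGPEGGUARHIEWINI."
    "INSTINTEKERNKRNLLABELGUAMAKEMANDMEMMMOVEMSBAMSCDMSD.MWBANAV.NLSFPAST"
    "PCC.POWEREX.REPLRESTRTM.SCANSETVSHARSHIESMARSORTSUBSTB.ETEMCTRAPTSAF"
    "UCOMUEXEUNDEVCOPVGUAVIRSVIRTVIRUVIVEVS.EVSHIWIN.WINSWSWAXCOP"
)

def parse_skip_list(raw, width=4):
    """Split the packed string into fixed-width name prefixes."""
    if len(raw) % width:
        raise ValueError("string length is not a multiple of %d" % width)
    return [raw[i:i + width] for i in range(0, len(raw), width)]

SKIP_PREFIXES = frozenset(parse_skip_list(SKIP_STRING))

def skipped_prefix(path):
    """Return the matching entry if the file name is on the list, else None.

    Assumption: the comparison is on the first four characters of the
    upper-cased NAME.EXT, which is how the patterns 3P.E* and AHEL*.* read.
    Names shorter than four characters cannot match.
    """
    name = ntpath.basename(path).upper()
    head = name[:4]
    return head if len(head) == 4 and head in SKIP_PREFIXES else None

def triage(paths):
    """Partition paths into (names on the skip list, names to scan first)."""
    skipped, candidates = [], []
    for p in paths:
        (skipped if skipped_prefix(p) else candidates).append(p)
    return skipped, candidates

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real system.
    sample = [r"C:\DOS\FC.EXE", r"C:\AVG\AVG.EXE", r"C:\GAMES\DOOM.EXE",
              r"C:\DOS\MEMMAKER.EXE", r"C:\TOOLS\PKUNZIP.EXE"]
    skipped, candidates = triage(sample)
    print("on skip list:", skipped)
    print("scan first:  ", candidates)
```

A name on the list only means this virus would not have infected that file; it says nothing about other causes of modification.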

Starting from July 1997 the virus displays the following message and halts
the computer:

TAKE CONTROL of yor mind, your body and your soul !!!
(I’m taking control of your machine – he, he, he …!)
Replace your C:COMMAND.COM and C:DOSCOMMAND.COM and it’ll be O.K.
… forever!
Zdar Grisofte, McAfee nebo jiny pocitacovy maniaku, jenz tento virus pitvas.
*** Gratuluju ***
>>> Konecne jsi me dekodoval a dostal se az sem. <<< At zije D.J.BOBO a jeho TAKE CONTROL!!! --- Virus napsany specialne na podporu antivirovych firem. --- ### Preji ti uspesny boj se vsemi moznymi viry, jako je tento. ### Grisofte, vase AVG je fakt dobry, ale ve verzi 4.0 pro Windows je dost chyb. No nic, puvodni CS:IP u EXE nebo prvni tri byty u COMMANDu jsou tady --->