Kaspersky Threats — TakeControl

Class

Platform

Description

Technical Details

It is a dangerous memory resident parasitic polymorphic virus. It
writes itself to the end of EXE files and the COMMAND.COM file. Then an
infected EXE file is executed, the virus infects C:COMMAND.COM and
C:DOSCOMMAND.COM files, if they exist. Then the virus returns the control
to host EXE program. The virus does not warry about internal COMMAND.COM
format and corrupts that file, if it has EXE internal format (Win95
COMMAND.COM).

When an infected COMMAND.COM is executed, the virus hooks INT 21h, stays
memory resident and infects EXE files that are executed.

The virus leaves in memory just a half of its code – about 2.8Kb, while
infecting a file the virus reads its complete code from the C:COMMAND.COM
file, and then writes this code to EXE files.

The virus checks the file names and does not infect the files from the
string (four bytes per name – 3P.E*, AHEL*.*, ALIK*.*, APPE*.* and so on):



3P.EAHELALIKAPPEASTAATTRAVASAVG.AZORBINOBOOTBUILCHKDCLEADEFRDFA.DISK

DOSXDPMIDRVSDSWAEMM3EXE.EXEMEXPAF-PRFASTFC.EFDISFINDGPEGGUARHIEWINI.

INSTINTEKERNKRNLLABELGUAMAKEMANDMEMMMOVEMSBAMSCDMSD.MWBANAV.NLSFPAST

PCC.POWEREX.REPLRESTRTM.SCANSETVSHARSHIESMARSORTSUBSTB.ETEMCTRAPTSAF

UCOMUEXEUNDEVCOPVGUAVIRSVIRTVIRUVIVEVS.EVSHIWIN.WINSWSWAXCOP

Starting from July 1997 the virus displays the message and halts the
computer:



TAKE CONTROL of yor mind, your body and your soul !!!

(I’m taking control of your machine – he, he, he …!)

Replace your C:COMMAND.COM and C:DOSCOMMAND.COM and it’ll be O.K.

… forever!

Zdar Grisofte, McAfee nebo jiny pocitacovy maniaku, jenz tento virus pitvas.

*** Gratuluju ***

>>> Konecne jsi me dekodoval a dostal se az sem. <<<
    At zije D.J.BOBO a jeho TAKE CONTROL!!!    
--- Virus napsany specialne na podporu antivirovych firem. ---
### Preji ti uspesny boj se vsemi moznymi viry, jako je tento. ###
Grisofte, vase AVG je fakt dobry, ale ve verzi 4.0 pro Windows je dost chyb.
No nic, puvodni CS:IP u EXE nebo prvni tri byty u COMMANDu jsou tady --->

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	DOS
Description	Technical Details It is a dangerous memory resident parasitic polymorphic virus. It writes itself to the end of EXE files and the COMMAND.COM file. Then an infected EXE file is executed, the virus infects C:COMMAND.COM and C:DOSCOMMAND.COM files, if they exist. Then the virus returns the control to host EXE program. The virus does not warry about internal COMMAND.COM format and corrupts that file, if it has EXE internal format (Win95 COMMAND.COM). When an infected COMMAND.COM is executed, the virus hooks INT 21h, stays memory resident and infects EXE files that are executed. The virus leaves in memory just a half of its code – about 2.8Kb, while infecting a file the virus reads its complete code from the C:COMMAND.COM file, and then writes this code to EXE files. The virus checks the file names and does not infect the files from the string (four bytes per name – 3P.E, AHEL., ALIK., APPE.* and so on): 3P.EAHELALIKAPPEASTAATTRAVASAVG.AZORBINOBOOTBUILCHKDCLEADEFRDFA.DISK DOSXDPMIDRVSDSWAEMM3EXE.EXEMEXPAF-PRFASTFC.EFDISFINDGPEGGUARHIEWINI. INSTINTEKERNKRNLLABELGUAMAKEMANDMEMMMOVEMSBAMSCDMSD.MWBANAV.NLSFPAST PCC.POWEREX.REPLRESTRTM.SCANSETVSHARSHIESMARSORTSUBSTB.ETEMCTRAPTSAF UCOMUEXEUNDEVCOPVGUAVIRSVIRTVIRUVIVEVS.EVSHIWIN.WINSWSWAXCOP Starting from July 1997 the virus displays the message and halts the computer: TAKE CONTROL of yor mind, your body and your soul !!! (I’m taking control of your machine – he, he, he …!) Replace your C:COMMAND.COM and C:DOSCOMMAND.COM and it’ll be O.K. … forever! Zdar Grisofte, McAfee nebo jiny pocitacovy maniaku, jenz tento virus pitvas. * Gratuluju * >>> Konecne jsi me dekodoval a dostal se az sem. <<< At zije D.J.BOBO a jeho TAKE CONTROL!!! --- Virus napsany specialne na podporu antivirovych firem. --- ### Preji ti uspesny boj se vsemi moznymi viry, jako je tento. ### Grisofte, vase AVG je fakt dobry, ale ve verzi 4.0 pro Windows je dost chyb. No nic, puvodni CS:IP u EXE nebo prvni tri byty u COMMANDu jsou tady --->
	Find out the statistics of the threats spreading in your region

Virus.DOS.TakeControl

Technical Details