Virus.DOS.Voronezh

Detect Date 01/11/2002
Class Virus
Platform DOS
Description

Voronezh.370 and 600

These are harmless, memory-resident parasitic viruses. “Voronezh.600” is partly encrypted (50 bytes, XOR DDh). They hook INT 21h and write themselves to the beginning of .COM files that are executed; “Voronezh.370” does not infect COMMAND.COM. While infecting a file, these viruses also encrypt a part of the original file's code (XOR BBh).

The viruses do not manifest themselves in any way, and have no destructive functions. “Voronezh.600” contains the encrypted (XOR 1Ah) text:

Oleynikoz S.,1990

Voronezh.650

This is a harmless, memory-resident parasitic virus. It hooks INT 21h and infects COM files that are executed, in the same way as the “Voronezh.600” virus does. Upon being executed, the virus displays the following message with a probability of 1/60:

Video mode 80×25 not supported

The virus also contains the following text written in Russian (the Cyrillic words did not survive transcription; the parenthesised English is their translation): “16.01.91, v1.00, ????? ? ???? (Chemist & Elephant)”

Voronezh.1600

This is a dangerous, memory-resident virus. It hooks INT 21h and infects files that are executed or opened. COM files are infected in the same way as “Voronezh.600” infects files.

EXE files are infected according to quite a complex algorithm. The virus overwrites five bytes at the file's entry point with a jump to the virus body (a CALL FAR Loc_Virus instruction) and does not modify the CS:IP fields of the EXE header. To keep the relocated addresses correct, the virus reads and patches the EXE relocation table, adding one more element to it.

The virus has some errors: it does not analyze more than 640 elements of the relocation table, and the case where a relocation entry points to the 5th byte of the entry point (i.e. the word that DOS adjusts on loading straddles the boundary of the five modified bytes) is not handled. As a result, running such an infected file may hang the system.
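The two failure conditions above can be checked for in any MZ executable by parsing the header and relocation table: does any relocated word overlap the five bytes at the entry point, does one of them straddle the end of that region, and are there more than 640 relocation entries (so that later hits are never seen)? The following is an added example written for this page, not code from the virus or from the encyclopedia; the field names, the `build_exe` helper and the sample images it assembles are assumptions for illustration, and the header layout is the documented DOS EXE format.

```python
import struct

# MZ header fields in file order (the documented DOS EXE header; 28 bytes).
_HDR = struct.Struct("<2sHHHHHHHHHHHHH")
_FIELDS = ("e_magic", "e_cblp", "e_cp", "e_crlc", "e_cparhdr", "e_minalloc",
           "e_maxalloc", "e_ss", "e_sp", "e_csum", "e_ip", "e_cs",
           "e_lfarlc", "e_ovno")

PATCH_LEN = 5          # bytes overwritten at the entry point (CALL FAR)
TABLE_LIMIT = 640      # relocation entries the infector is said to examine


def parse_header(image: bytes) -> dict:
    """Return the MZ header as a dict keyed by the e_* field names."""
    if len(image) < _HDR.size:
        raise ValueError("too short for an MZ header")
    hdr = dict(zip(_FIELDS, _HDR.unpack_from(image, 0)))
    if hdr["e_magic"] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    return hdr


def entry_file_offset(hdr: dict) -> int:
    """File offset of the first instruction: header size plus CS:IP in the load module."""
    return hdr["e_cparhdr"] * 16 + hdr["e_cs"] * 16 + hdr["e_ip"]


def relocation_file_offsets(image: bytes, hdr: dict) -> list:
    """File offsets of every 16-bit word that DOS adjusts when loading."""
    out = []
    for i in range(hdr["e_crlc"]):
        off, seg = struct.unpack_from("<HH", image, hdr["e_lfarlc"] + 4 * i)
        out.append(hdr["e_cparhdr"] * 16 + seg * 16 + off)
    return out


def entry_patch_hazards(image: bytes, patch_len: int = PATCH_LEN,
                        table_limit: int = TABLE_LIMIT) -> dict:
    """Find the conditions the description says the infector cannot handle."""
    hdr = parse_header(image)
    ep = entry_file_offset(hdr)
    end = ep + patch_len
    relocs = relocation_file_offsets(image, hdr)
    # Any relocated word that shares at least one byte with the patched region.
    inside = [r for r in relocs if r < end and r + 2 > ep]
    # The word starts inside the region but its second byte lies outside it.
    straddling = [r for r in inside if r + 2 > end]
    # Entries past the limit are never examined, so a hit there goes unpatched.
    unseen = [r for r in relocs[table_limit:] if r < end and r + 2 > ep]
    return {
        "entry_offset": ep,
        "relocs_in_patch": inside,
        "straddling": straddling,
        "truncated_table": hdr["e_crlc"] > table_limit,
        "unseen_hits": unseen,
    }


def build_exe(code: bytes, reloc_targets, cs: int = 0, ip: int = 0) -> bytes:
    """Assemble a minimal MZ image for testing (constructed input, not a real program).
    reloc_targets are byte offsets within the load module of words to relocate."""
    n = len(reloc_targets)
    hdr_len = _HDR.size + 4 * n
    paras = (hdr_len + 15) // 16          # header is padded to a paragraph
    total = paras * 16 + len(code)
    hdr = _HDR.pack(b"MZ", total % 512, (total + 511) // 512, n, paras,
                    0, 0xFFFF, 0, 0x100, 0, ip, cs, _HDR.size, 0)
    table = b"".join(struct.pack("<HH", t & 0xF, t >> 4) for t in reloc_targets)
    return hdr + table + b"\0" * (paras * 16 - hdr_len) + code


if __name__ == "__main__":
    # Constructed sample: a relocated word beginning at the 5th byte of the entry.
    sample = build_exe(b"\x90" * 64, [4, 20])
    print(entry_patch_hazards(sample))
```

A file for which `straddling` or `unseen_hits` is non-empty is one the described infector would corrupt; `relocs_in_patch` alone only means the virus has to rewrite that table entry, which the description says it does.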