Virus.Multi.Ignorance

Class Virus
Platform Multi
Description

Technical Details


This is a harmless, memory-resident, multipartite, encrypted virus. When the
system boots from an infected floppy disk or MBR, the virus hooks INT 13h,
waits for DOS to load, and then hooks INT 21h. When an infected file is
executed, the virus infects the MBR of the hard drive and then hooks INT 13h
and INT 21h. Through the INT 13h hook it implements a stealth algorithm for
reads of the infected MBR, and it also uses INT 13h to infect floppy boot
sectors. Through the INT 21h hook it writes itself to the end of COM, EXE and
SYS files that are accessed. The virus contains the following text strings:


Ignorance is Strength
Freedom is Slavery
War is Peace
COMEXEBINOVLSYSSCCLVSF-
[1984] bY [T�L�N< >N�K_] ’93! THiS iZ iNFeCTi0N #00000032!
Greetz RS/NuKE!

where “#00000032” is the virus generation number; this value may differ
between infected files and sectors. “COMEXESYSBINOVL” is the string of file
name extensions that are “infectable”. “SCCLVSF-” is the string of
anti-virus program names (two bytes per name: SCAN.EXE, CLEAN.EXE, etc.).
While these programs are executing, the virus disables some of its
semi-stealth algorithm branches.
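
An added example, not part of the original description and not code from the virus: a Python triage helper that splits the two packed tables described above into their entries and reads the generation counter from an already-decrypted dump. The contiguous buffer layout, the placeholder author handle, the function names and the prefix comparison against file names are assumptions.

```python
import re

# Constructed buffer: the text area as printed on this page, laid out
# contiguously (an assumption) with the unreadable author handle replaced
# by a placeholder. These are not bytes taken from a real sample.
SAMPLE = (b"\x00\x90Ignorance is Strength\x00Freedom is Slavery\x00War is Peace\x00"
          b"COMEXEBINOVLSYSSCCLVSF-"
          b"[1984] bY [<handle>] '93! THiS iZ iNFeCTi0N #00000032!\x00")

EXT_WIDTH, AV_WIDTH = 3, 2   # entry widths given in the description
EXT_COUNT = 5                # COM, EXE, SYS, BIN, OVL

def split_fixed(data, width):
    """Split a packed table into fixed-width ASCII entries."""
    return [data[i:i + width].decode("ascii") for i in range(0, len(data), width)]

def parse_text_area(buf):
    """Recover both packed tables and the generation counter from a dump."""
    ext_bytes = EXT_WIDTH * EXT_COUNT
    table = re.search(rb"[A-Z]{%d}(?:[A-Z-]{%d})+" % (ext_bytes, AV_WIDTH), buf)
    gen = re.search(rb"#(\d{8})!", buf)
    if not table or not gen:
        return None
    packed = table.group(0)
    return {
        "extensions": split_fixed(packed[:ext_bytes], EXT_WIDTH),
        "av_prefixes": split_fixed(packed[ext_bytes:], AV_WIDTH),
        # Kept as text: the page does not say which base the counter uses.
        "generation": gen.group(1).decode("ascii"),
    }

def is_infectable(filename, info):
    """True if the file's extension is in the infectable table."""
    return filename.upper().rpartition(".")[2] in info["extensions"]

def hits_av_table(filename, info):
    """True if the name starts with one of the two-byte anti-virus entries
    (assumed to be compared against the start of the program name)."""
    return filename.upper()[:AV_WIDTH] in info["av_prefixes"]
```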