Virus.Multi.Vecna

Class Virus
Platform Multi
Description

Technical Details

It is a very dangerous memory resident multipartite stealth
virus. It writes itself to the MBR of the hard drive and to boot sectors of
floppy disks, and overwrites EXE files on floppy disks. When an infected EXE
file is executed, the virus infects the MBR, decrypts and displays a
message, and then returns to DOS. The message is:


Out of memory.

When the system loads from an infected disk (HD or floppy), the virus hooks
INT 13h, stays memory resident and infects disks and files.

Under a debugger and on Pentium computers, the virus displays the message:


Vecna Live …

The virus has quite a serious bug: it may continue the INT 13h flow with a
wrong value in the AX register. That may damage disks, including formatting them.

Vecna.313

It is a memory resident stealth multipartite virus that is not dangerous. It
hooks INT 21h and writes itself to the end of COM files that are
executed. The virus writes itself to the MBR sector when an infected COM
file is started, and then returns control to the host file. When loaded
from the MBR sector, the virus hooks INT 13h; its INT 13h handler then hides
the virus code in the MBR sector and hooks INT 21h.

Vecna.Outsider

It is a very dangerous memory resident encrypted multipartite virus. It
infects .EXE files and the boot sectors of floppy disks. EXE files are
infected in the manner of the “DirII” virus. The virus hooks INT 13h and 28h.

Three months after infecting the computer, or under a debugger, the virus
corrupts the CMOS (writes a password?) and displays the message:


[OUTSIDER]
Esta é minha vingança contra esta sociedade injusta
E eu ainda n|o estou satisfeito
Espere e ver|o…

The virus also contains the text strings:


Written by Vecna/SGWW in Brazil 1997

Vecna.Tron

It is a harmless memory resident boot virus. It hooks INT 1, 8, 13h and
writes itself to the MBR of the hard drive and boot sectors of floppy
disks. The virus contains the text:


[ORGASMATRON] by Vecna/SGWW in Brazil 1997

To hook INT 13h the virus uses the i386 debug registers DR0, DR6 and DR7.
Using these registers, it sets a breakpoint on the BIOS INT 13h handler. When
this handler takes control, the processor generates INT 1, and control is
passed to the virus's INT 1 handler. The virus disables the debug breakpoint,
checks the registers, calls its infection and stealth routines if needed, and
then returns to the original BIOS INT 13h handler. To reset the breakpoint and
to keep its INT 1 hook, the virus uses an INT 8 hook (timer).
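
A defensive view of the DR0/DR6/DR7 mechanism described above, as an added example that is not part of the original description: given a register snapshot taken from an emulator or memory dump, it reports whether a hardware execute breakpoint is armed on the INT 13h handler address. The struct, the function names and all sample values (including the F000:EC59 vector) are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Register snapshot as pulled from an emulator or memory dump. */
struct dbg_snapshot {
    uint32_t dr[4];    /* DR0..DR3: linear breakpoint addresses */
    uint32_t dr6, dr7; /* debug status and debug control */
};

/* Real-mode IVT entry (segment:offset) to linear address. */
uint32_t ivt_linear(uint16_t seg, uint16_t off) {
    return ((uint32_t)seg << 4) + off;
}

/* DR7 layout: bits 2n and 2n+1 are the local/global enables for slot n;
   bits 16+4n..17+4n are the R/W type, where 00 means instruction execution. */
static int slot_enabled(uint32_t dr7, int n) { return (dr7 >> (2 * n)) & 3; }
static int slot_rw(uint32_t dr7, int n)      { return (dr7 >> (16 + 4 * n)) & 3; }

/* Slot (0-3) holding an armed execute breakpoint on target, or -1 if none. */
int find_exec_bp(const struct dbg_snapshot *s, uint32_t target) {
    for (int n = 0; n < 4; n++)
        if (slot_enabled(s->dr7, n) && slot_rw(s->dr7, n) == 0 &&
            s->dr[n] == target)
            return n;
    return -1;
}

/* DR6 bits 0-3 (B0..B3) record which slots triggered the last INT 1. */
int last_hit_mask(const struct dbg_snapshot *s) { return (int)(s->dr6 & 0xF); }

int main(void) {
    /* Constructed sample: INT 13h vector F000:EC59, DR0 armed on it via G0. */
    uint32_t int13 = ivt_linear(0xF000, 0xEC59);
    struct dbg_snapshot snap = { { 0xFEC59, 0, 0, 0 }, 0xFFFF0FF1u, 0x00000402u };
    int slot = find_exec_bp(&snap, int13);
    if (slot >= 0)
        printf("execute breakpoint on INT 13h handler %05X in DR%d, hit mask %X\n",
               (unsigned)int13, slot, (unsigned)last_hit_mask(&snap));
    else
        printf("no hardware breakpoint on INT 13h handler\n");
    return 0;
}
```

On a clean real-mode DOS system no debug register slot should be enabled, so any armed execute breakpoint that matches an interrupt vector target is worth investigating.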