Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: Multi

No platform description


Technical Details

It is a very dangerous memory resident multipartite stealth virus. It writes itself to the MBR of the hard drive, to boot sectors of floppy disks and overwrites EXE files on floppy disks. While executing an infected EXE file the virus infects the MBR, decrypts and displays the message and then returns to DOS. The message is:

Out of memory.

While loading from infected disk (HD or floppy) the virus hooks INT 13h, stays memory resident and infects disks and files.

Under debugger and on Pentium computers the virus displays the message:

Vecna Live ...

The virus has quite a serious bug - it may continue INT 13h flow with wrong AX register. That may cause damage for disks, including disk formatting.


It is not a dangerous memory resident stealth multipartite virus. It hooks INT 21h and writes itself to the end of COM files that are executed. The virus writes itself to the MBR sector when an infected COM file is started, it then returns control back to the host file. On loading from the MBR sector the virus hooks INT 13h that then hides virus code in the MBR sector and hooks INT 21h.


It is a very dangerous memory resident encrypted multipartite virus. It infects .EXE files and boot sector on floppy disks. EXE files get infection in "DirII" virus way. The virus hooks INT 13h, 28h.

In three month after infecting the computer, or under debugger the virus corrupts the CMOS (writes a password?) and displays the message:

Esta � minha vingan�a contra esta sociedade injusta
E eu ainda n|o estou satisfeito
Espere e ver|o...

The virus also contains the text strings:

Written by Vecna/SGWW in Brazil 1997


It is a harmless memory resident boot virus. It hooks INT 1, 8, 13h and writes itself to the MBR of the hard drive and boot sectors of floppy disks. The virus contains the text:

[ORGASMATRON] by Vecna/SGWW in Brazil 1997

To hook INT 13h the virus uses i386 debug registers DR0, DR6 and DR7. By using these registers it sets break point on BIOS INT 13h handler. When this handler takes control the processor generates INT 1, and control is passed to virus INT 1 handler. The virus disables debug break point, checks registers and calls its infection and stealth routines in case of need and then returns to original BIOS INT 13h handler. To reset break point and to keep INT 1 hook the virus uses INT 8 hook (timer).

Read more

Find out the statistics of the vulnerabilities spreading in your region on

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.