Details 8ball.a It is not a dangerous memory resident multipartite virus. While executing an infected file the virus copies itself into HMA, hooks INT 40h, and then overwrites boot sectors of the floppy disks. While loading from an infected disk the virus hooks INT 1Ah, waits for DOS loading, and hooks INT 21h. On first call to INT 21h the virus creates on C: drive the file with a random selected name, and writes the virus copy to that file. Then the virus adds the string: INSTALL=C: to the end of the C:\CONFIG.SYS file. As a result while loading from infected C: drive the virus receives the control in the infected file. After infection the virus restores INT 21h (removes itself from the memory). The virus uses anti-debugging tricks, performs some commands with keyboard ports, contains the text strings: PK INSTALL=C:c:\config.sys 8_Ball -=Q=-

Leave a Reply

Your email address will not be published. Required fields are marked *