Details Alar.4270 This is a very dangerous memory resident multipartite polymorphic and stealth virus. It writes itself to the end of COM and EXE files and to the MBR of the hard drive. When an infected file is executed, the virus infects the MBR of the hard drive. Then it hooks interrupt vectors (as well as while loading from infected MBR) and stays memory resident. Because of an error the virus corrupts the hard drive that have less than 18 sectors per track while infecting them. The virus infects the files that are executed or closed and disinfects the infected files that are opened. The virus hooks INT 21h for file infection and stealth, INT 13h for disk stealth and to hook INT 21h while loading from infected disk, INT 17h to change some data that are printed, INT 1Ch for a video effect (the virus “shakes” the screen). While infecting the MBR the viruses temporary hook INT 10h, 16h (video and keyboard) to fool internal BIOS anti-virus protection. The virus intercept command line commands and when the “stop creeping” text is entered, the virus disable their infection and stealth routines. When the “tell me your version” text is entered, the viruses display: Alar Abaddon virus. Version 1.2 (peaceful) Created by Gall.. A….. (C) 05/29/97 When the “do it right now” text is entered, the virus erase the CMOS. The virus checks the CRC of their INT 21h handlers’ code, and if this code is modified (TSR part of the virus is disinfected), the viruses display a message in Russian and halt the computer. Being executed under minor DOS versions the virus displays the message and returns to DOS: Invalid parameter missing

Leave a Reply

Your email address will not be published. Required fields are marked *