Arya.4616

This is a very dangerous memory-resident, encrypted, multipartite virus. It infects the MBR of the hard drive as well as COM and EXE files.

When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 13h and INT 21h, and stays memory resident. When the system boots from an infected disk, the virus hooks INT 1Ch and INT 13h, waits for DOS to load, and then hooks INT 21h. The INT 1Ch handler is what the virus uses to hook INT 21h.

The INT 13h handler contains a stealth routine that is executed whenever the infected MBR is accessed. The INT 21h handler contains the file infection routine: the virus writes itself to the middle of COM and EXE files that are accessed. When the current directory is changed and when files are deleted, the virus also searches for COM and EXE files and infects them. After infecting a file, the virus deletes the CHKLIST.MS file, if it exists.

The virus does not infect the following files:

CHKDSK.*, COMMAND.COM, EMM386.*, POWER.*, INTERLNK.*, MCA.*, MSCDEX.*, SHARE.*, CERT.*, TOOLKIT.*, GUARDMEM.*, GUARD.*, SCAN.*, CLEAN.*, FINDVIRU.*, FV*.*, TB*.*, CLEANPAR.*, CLEANBOO.*, VSAFE.*, MSAV.*, NAV.*, VALIDATE.*, VSHIELD.*, VIVERIFY.*, IMENSCAN.*, TAROMAR.*

Depending on the system date, the virus displays the message:

Arya V1.0 This is the most Powerfull and Technical Iranian program all Azad University of Lahijan . Sig: – 17FSAK – ( 1996 )

On the 13th, beginning from June, the virus overwrites .DBF, .ZIP, .LZH, .GIF, .DAT, .PCX and .GN files with the same message.

The virus calculates the CRC sum of its code, and if this sum is wrong, the virus erases the CMOS. The virus has bugs and may halt the system.

