 Virus index
 ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД>
                                                            Mister Sandman

 Zhengxi.7313
 ДДДДДДДДДДДД
 Author    : Unknown (well, hehe... ;)
 Origin    : Russia
 Objectives: EXE (standard, Pascal/C, SFX), OBJ and  LIB. Besides, Zhengxi
             inserts  COM droppers into ZIP, ARJ, RAR and HA archives with
             the stored method
 Hooks     : int 21h  and int 25h, with  redirection and UMB residency; it
             doesn't go resident under certain conditions
 Behaviour : full stealth, highly polymorphic (encrypted with two polymor-
             phic loops), uses a CRC32 generator for every data comparison
             it makes. It has a trigger  routine, with deletes all the fi-
             les of all the  drives under certain conditions. This is pro-
             bably the best virus ever.


 V.6000
 ДДДДДД
 Author    : Unknown
 Disasm by : Tcp/29A
 Origin    : Unknown
 Objectives: EXE, COM, MBR and boot sectors (multipartite)
 Hooks     : int 8, 13h, 17h, 1ch, 20h, 21h, 25h, 26h, 27h
 Behaviour : under certain conditions, depending on some internal counters
             and on  the way it's being executed (under debugger), it era-
             ses the CMOS and the hard drive sectors. It also stays memory
             resident  after any kind of reboot thanks to this trick: when
             it infects MBR, it stores the  drives info from the CMOS, and
             then  sets these values to zero. When it detects any disk ac-
             ccess, it restores  the original CMOS on the fly, so the user
             can't remark  any change. If the user tries to do any kind of
             boot, as the CMOS values are set to zero, the MBR will recei-
             ve  the control, and it will restore these values, making po-
             ssible to boot from the floppy drive as usual. Polymorphic :)


 TS.1423
 ДДДДДДД
 Author    : Unknown
 Disasm by : Tcp/29A
 Origin    : Spain
 Objectives: COM and EXE files (infects on file closing)
 Hooks     : int 13h, int 21h
 Behaviour : its encryption routine  is based  on tracing  code via int 1,
             fully  antidebugging. It doesn't infect *AN.*. If the year is
             above 1995, it  will mark clusters as bad, and on fridays, it
             will change disks writes to verifications. UMB residency.


 Remolino.968
 ДДДДДДДДДДДД
 Author    : Trumpet WinCock
 Origin    : Spain
 Objectives: COM and EXE files
 Hooks     : int 21h
 Behaviour : a new  infection  way... neither  overwriting, nor appending,
             nor  prepending, nor ap-pre-pending... guest :) It looks  for
             some unused  code in their victims big enough to hold the vi-
             ral code, and if there's enough room for it, it copies itself
             there  without doing  any change in the file length. It has a
             payload which displays a whirlscreen effect, which became ra-
             ther famous (it was even used by NuKE in their zines).


 Torero
 ДДДДДД
 Author    : Mister Sandman/29A
 Origin    : Spain
 Objectives: COM files
 Hooks     : int 13h, int 21h
 Behaviour : it has two peculiarities: first, it  doesn't store the origi-
             nal header of the  files it infects into its body, but into a
             newly  discovered (by AVV and me) zone  of ten free bytes, in
             the directory  entry of the file. And second, it uses the 8th
             attribute  bit as infection mark, making the infection checks
             much more simple, reliable and antiheuristic.


 Internal Overlay
 ДДДДДДДДДДДДДДДД
 Author    : Tcp/29A
 Origin    : Spain
 Objectives: COM and EXE files
 Hooks     : int 21h
 Behaviour : it infects COM and EXE files without modifying their headers,
             bypassing lots of CRC security  programs which just check the
             file header. It does this by appending an internal overlay to
             the file and writing an overlay loader at the entry point. It
             infects, then, EXE files  with internal  overlays, but NOT if
             any  of the relocation items is  located in  the entry point,
             unless this item  is found at offset 7 (it would be a PkLited
             file) ;)


 Cri-Cri
 ДДДДДДД
 Author    : Griyo/29A
 Origin    : Spain
 Objectives: COM, EXE and floppy drives (multipartite)
 Hooks     : int 3, 13h, 21h
 Behaviour : full stealth, as it redirects  reads to  infected sectors and
             files to  the original ones, highly polymorphic, it won't in-
             fect files  with  any V in their  name, files with the actual
             day  date, and  some  AV executables. It has  a payload which
             display a message on the screen.


 TheBugger
 ДДДДДДДДД
 Author    : The Slug/29A
 Origin    : Spain
 Objectives: COM files
 Hooks     : int 1, 3, 21h, 0cdh, with redirection
 Behaviour : its peculiarity consists in  that it gets a random number be-
             tween 2 and 5 (x) and starts tracing its victim until it rea-
             ches the  call  number 'x' :) and  then infects that call. It
             uses a new tunneling routine based on an old one (the int 30h
             trick), bypassing  the AH < 24 limit and finding the original
             int 21h vector address. Besides, it uses an antilamer install
             check which detects if the  user is trying to deceive it with
             one of those  lame programs which just return the virus resi-
             dency value so the virus doesn't go resident again... TheBug-
             ger avoids this by doing a  random byte comparison, and if it
             detects that the user is trying to deceive it, executes a si-
             mulated HD formatting routine and displays a message.


 Apocalyptic
 ДДДДДДДДДДД
 Author    : Wintermute/29A
 Origin    : Spain
 Objectives: COM and EXE files
 Hooks     : int 3 and int 21h, with redirection
 Behaviour : it's a stealth COM and EXE infector  which  disables TbDriver
             on every execution; it skips F-Prot's stealth detection engi-
             ne, and if  the  system  date is  equal to july 26th, it will
             show all the files in with 29Ah as length.


 AVP-Aids
 ДДДДДДДД
 Author    : Tcp/29A
 Origin    : Spain
 Objectives: COM files
 Hooks     : nothing, it's a runtime infector
 Behaviour : AVP-Aids proves the capabilities to write  and spread viruses
             using  AVPRO's API functions. It inserts a new viral database
             into AVP; this database  will make AVP to delete F-Prot, Scan
             and TbScan when  being scanned. Besides, AVP won't detect any
             virus, favouring the appeareance of opportunist infections by
             other viruses.


 AntiCARO
 ДДДДДДДД
 Author    : Mister Sandman/29A
 Origin    : Spain
 Objectives: COM files
 Hooks     : int 21h
 Behaviour : it's just a 'joke' virus to protest against Vesselin Bontchev
             and the way in which CARO and this sucka name the viruses. As
             AVP is Bontchev's favourite AV, AntiCARO will modify it so it
             (AVP) will  detect VLAD's Bizatch  as 'Bizatch_:P' and not as
             Boza. About the  virus itself, it's just  a TSR COM  infector
             which uses SFTs for performing its infection routines.


 Galicia Kalidade
 ДДДДДДДДДДДДДДДД
 Author    : Leugim San/29A
 Origin    : Spain
 Objectives: WinWord documents
 Behaviour : it's an encrypted macro infector which hits documents on clo-
             sing. Besides, it has two peculiarities: it's the tiniest ma-
             cro infector ever, and  it contains  a trigger routine; if it
             finds the text chain 'dir a:' in any document, it will delete
             MSDOS.SYS and IO.SYS, and then display a message box.


 Mister Sandman,
 bring me a dream.