| Alias: | Zharinov |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | Master-boot record (HD) infector, DBR (Floppy)- infector, re |
| Length: | 121 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | MISiS |
Attributes | |
| Easy identification: | |
Type of Infection: | Bootsector infection. Selfrec on disk: PDisk[0/0/1][0,1] = 0C933H { first two bytes ofMBR or BOOT } |
| Infection Technique: | |
| Infection Trigger: | Boot from an infected floppy (HARD),INT 13 and AH=02 and CX=1 and DH=0 and DL<80h (FLOPPY) |
| Storage Media affected: | Harddisks, Disketts |
| Interrupts hooked: | 13/02 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: Displays colored text strings in Russian,waits for a keystroke. Permanent: - |
| Damage Trigger: | Transient: INT 13 and AH=02 and CX=1 and DH=00 and DL<=81h andBYTE PTR [0:46C]=0 and VideoMode<=7{ MBR or floppy Boot sector is being read andBIOS ticks low byte is 0 } Permanent: - |
| Particularities: | The virus resides in the interrupt vector table. The virus resides at the memory address: 0020:0053 The virus uses a special coding style to fool most disassemblers. Displayed text: { they are in cyrillics } The virus is interesting since unlike other MBR/BOOTinfectors, it keeps resident only a part of its code.The rest of the code is read from an infected MBRwhen necessary (to infect a floppy). |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Dmitry O. Gryaznov |
| Documentation by: | Dmitry O. Gryaznov |
| Date: | 1993-12-22 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg