russian elevation


There is no simple hex string in this virus that is common to all infected samples. It also has not to viable as infected programs will hang when they are executed, with the exception of the Runme.exe file which the author received.exe file was probably the original release file distributed by the virus's author. The first isolated samples of this virus were received from Bulgaria, where it is thought to have originated.exe, and overlay files, as well as command. When the first infected file is executed, the virus installs itself memory resident, and then infects command.com if it has not already been infected. Then, when an executable file is opened for any reason, it is infected if it hasn't been previously infected.
Increased file lengths will not be shown if the V2000 virus is present in memory when a dir command is issued. Issuing a chkdsk /f command on infected systems may result in crosslinking of files since the directory information may not appear to match the entries in the file allocation table (FAT). Systems infected with the V2000 virus will experience unexpected system crashes, resulting in lost data. Some systems may also become unbootable due to the modification of command." and the encryption used by the virus is different. It is a resident generic infector of . This virus appears to have been originally released into the public domain on an anti-viral program named USCAN which was uploaded to several BBSes in Europe.
While not all copies of USCAN are carriers of this virus, there was one version which exists that has the virus embedded in its program code. The virus cannot be detected on this trojan version using search algorithms for this virus. The first time a program infected with V2100 is executed, the virus will install itself memory resident above top of memory but below the 640K boundary.com though the change in file length will be hidden by the virus. Once the virus is memory resident, it will infect any .exe, or overlay file with a file length of at least 2100 bytes that is executed or opened for any reason. The simple act of copying an executable file will result in both the source and target files becoming infected.
Infected files will be 2,100 bytes longer, though the virus will hide the change in file length so that it isn't noticeable when directories are listed. In some cases, infected files will appear to be 2,100 bytes smaller than expected if the virus is present in memory. Systems infected with the V2100 virus will notice file allocation errors occurring, along with crosslinking of files. Due to these errors, some files may become corrupted. These file allocation errors are truly errors; they exist whether or not the virus is present in memory. There are at least 48 variants of the Vacsina virus, also known as the TP virus family, though not all of them have been isolated. Later versions of this virus are included in this listing under the name "Yankee Doodle". Generally, the Vacsina virus infects both .exe file, will first convert it into .com format by changing the MZ or ZM identifier in the first two bytes of the file to a JMP instruction and then adding a small piece of relocator code, so that the .exe file can be infected as though it were originally a . One sign of a Vacsina infection is that programs which have been infected may "beep" when executed. Infected programs will also have their date/time in the disk directory changed to the date and time they were infected.exe files, changing them internally into . Infected programs may beep when executed, and may be identified by searching for the text string "vacsina" along with the second byte from the end of the file containing a 04h. This version of Vacsina is a poor replicator, and while it will always convert a .
System hangs may also be experienced. The text "vacsina" no longer appears in the virus. When an infected file is run, the virus will attempt to infect one . It will also infect the memory resident version of the system's command interpreter. The memory resident portion of the virus intercepts any disk writes that are attempted, and changes them into disk reads. There are currently four identified variants to the VHP virus, with the VHP-435 variant being the one with the most potential for spreading. These viruses were originally based on the Vienna virus. The progression of the variants shows each variant to be a slightly better replicator.
This variant is still buggy, and it will occasionally hang systems when attempting to find a . Very rarely, this virus will reinfect an infected .com file when an infected program is executed, it will sometimes not infect any .com file, though it has in effect immunized the file from infection. This effect is probably a bug in this variant.com files on the current drive and directory, it will attempt to infect drive C:. This virus is based on the Vienna virus, and has many of the same characteristics of the VHP-435 variant of the VHP virus. Its major difference is every 8 infected programs will perform a warm reboot of length.0 the incredible high performance virus enhanced versions available soon. This program was imported from USSR.
The first time a infected with Victor virus is , the virus will install itself memory resident, occupying 3,072 bytes at top of memory. Interrupt 21 will be by the virus. After becoming memory resident, Victor will then seek out and infect command. Victor is a slow file infector, only infecting approximately 1 in 10 programs executed after it becomes memory resident.