TakeCtrl
This is a memory-resident EXE infector that also attacks the file COMMAND.COM. It contains several simple tricks intended to make analysis of the virus more difficult. The virus infects files when they are executed. It avoids a large number of programs, namely those whose file names begin with 4 letters contained in the following string:
3P.EAHELALIKAPPEASTAATTRAVASAVG.AZORBINOBOOTBUILCHKDCLEADEFRDFA.DISKDOSXDPMIDRVSDSWAEMM3EXE.EXEMEXPAF-PRFASTFC.EFDISFINDGPEGGUARHIEWINI.INSTINTEKERNKRNLLABELGUAMAKEMANDMEMMMOVEMSBAMSCDMSD.MWBANAV.NLSFPAST PCC.POWEREX.REPLRESTRTM.SCANSETVSHARSHIESMARSORTSUBSTB.ETEMCTRAPTSAFUCOMUEX EUNDEVCOPVGUAVIRSVIRTVIRUVIVEVS.EVSHIWIN.WINSWSWAXCOP
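The following Python sketch is an added example, not code from the virus or from the original entry. It splits the string above into its 4-character entries and reports whether a given file would have been skipped, which helps when judging which executables on a DOS disk image could have been infected. Assumptions: the two spaces in the printed string are line-wrap artifacts, entries are compared as aligned 4-character units against the start of the upper-cased file name including the dot, and the names `parse_entries`, `is_avoided` and `triage` are hypothetical.

```python
import ntpath

# Exclusion string exactly as printed in the entry above (spaces included).
RAW = (
    "3P.EAHELALIKAPPEASTAATTRAVASAVG.AZORBINOBOOTBUILCHKDCLEADEFRDFA."
    "DISKDOSXDPMIDRVSDSWAEMM3EXE.EXEMEXPAF-PRFASTFC.EFDISFINDGPEGGUAR"
    "HIEWINI.INSTINTEKERNKRNLLABELGUAMAKEMANDMEMMMOVEMSBAMSCDMSD.MWBA"
    "NAV.NLSFPAST PCC.POWEREX.REPLRESTRTM.SCANSETVSHARSHIESMARSORTSUBS"
    "TB.ETEMCTRAPTSAFUCOMUEX EUNDEVCOPVGUAVIRSVIRTVIRUVIVEVS.EVSHIWIN."
    "WINSWSWAXCOP"
)


def parse_entries(raw):
    """Split the packed string into 4-character entries.

    Assumption: whitespace is a page artifact, so it is dropped first.
    """
    packed = "".join(raw.split())
    if len(packed) % 4:
        raise ValueError("not a whole number of 4-character entries")
    return [packed[i:i + 4] for i in range(0, len(packed), 4)]


ENTRIES = frozenset(parse_entries(RAW))


def is_avoided(path):
    """True if the first 4 characters of the DOS file name match an entry."""
    name = ntpath.basename(path).upper()  # handles C:\DIR\NAME.EXT on any OS
    return name[:4] in ENTRIES


def triage(paths):
    """Map each path to True (skipped by the virus) or False (candidate)."""
    return {p: is_avoided(p) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths, not taken from a real system.
    sample = [r"C:\DOS\CHKDSK.EXE", r"C:\AVG\AVG.EXE", r"C:\GAMES\DOOM.EXE"]
    for path, skipped in triage(sample).items():
        print(f"{path}: {'avoided' if skipped else 'infection candidate'}")
```
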
When executed from an infected EXE file, the virus infects COMMAND.COM. When executed from an infected COMMAND.COM, it attacks suitable EXE files, which it recognizes by their extension. Upon its first activation the virus tests the date. If the year is later than 1997 and the day of the month is the 8th or later, the virus writes the following text:
TAKE CONTROL of yor mind, your body and your soul !!!
(I'm taking control of your machine - he, he, he ...!)
Then the virus waits until 64 keys have been pressed and writes the following text:
Replace your C:\COMMAND.COM and C:\DOS\COMMAND.COM and it'll be O.K. ... forever!
Finally the virus enters an infinite loop. Besides the texts mentioned above, it also contains other text strings:
Zdar Grisofte, McAfee nebo jiny pocitacovy maniaku, jenz tento virus pitvas. *** Gratuluju *** >>> Konecne jsi me dekodoval a dostal se az sem. <<< At zije D.J.BOBO a jeho TAKE CONTROL!!! --- Virus napsany specialne na podporu antivirovych firem. --- ### Preji ti uspesny boj se vsemi moznymi viry, jako je tento. ### Grisofte, vase AVG je fakt dobry, ale ve verzi 4.0 pro Windows je dost chyb. No nic, puvodni CS:IP u EXE nebo prvni tri byty u COMMANDu jsou tady --->
(Translation: Hi, Grisoft, McAfee or any other computer maniac trying to dissect this virus. *** Congratulations *** >>> Finally you have decoded me and made your way up here. <<< Long live D.J.BOBO and his TAKE CONTROL!!! --- A virus written especially to support anti-virus companies. --- ### I wish you a successful fight against all possible viruses like this one. ### Grisoft, your AVG is really good, but there are many errors in version 4.0 for Windows. Never mind, the original CS:IP for an EXE or the first three bytes of COMMAND are here --->)
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.
