Name: Antiwin_II, famil Category: Viruses Description: Details Antiwin_II, family These are dangerous memory resident parasitic encrypted viruses. They trace INT 21h, hook INT 9, 21h, 2Fh and write themselves to the end of .EXE files that are executed. The viruses check the file names and do not infect several anti-virus and utilities according to the following string (four bytes per name): DRWEAIDSMSCAANTIAVP WEB SCANMSAVVSAFGUARADINKRNLDOSXWSWADSWAWIN3 The viruses use on-the-fly encryption/decryption by hooking INT 1 (tracing), so their code is encrypted in the memory as well as in the files. The viruses have bugs and in some cases halt the computer while infecting files. In some cases the viruses change the symbols that are entered (INT 9). On Windows initialization call INT 2Fh AX=1605h the viruses depending on the system time display the message and halt the computer: Use registered copies of MS Windows The viruses also contain the text: Greetings from MrStrange, Kiev T.G.Shevchenko University >Antiwin<, (c) by MrStrange. The master copy of these viruses also contain the text: MrStrange hails you from Kiev! My first virus