Name: Kustanai.207 Category: Viruses Description: Details Kustanai.2071 It is not a dangerous memory resident encrypted parasitic virus. It infects COM and EXE files. While infecting the virus encrypts and writes its code to the end of file, then writes decryption routine to the middle of file at random selected address, then modifies file header. The virus intercepts LOGIN utility execution and stores all keystrokes that are entered during LOGIN's run (to do that the virus uses INT 9 hook). While infecting next files the virus writes to the file's end these keystrokes as well as its actual code. As a result the virus a) is able "to steal" network passwords; b) increases file length by VirusLength (2071 bytes) plus keystrokes buffer length (up to 255 bytes). When an infected file is executed, the virus hooks INT 9, 21h and stays memory resident. By hooking INT 21h the virus runs its infection routine: it affects files that are executed, opened, renamed or created. When anti-virus programs AIDSTEST, ADINF, DRWEB, SCAN are executed, the virus temporary disables infection of file opening, but infects files when they are closed. On 10th of any month the virus displays the message: This is Kustanai-Login. Is devoted Kuzmina Olya. TVA-96 me 16!