Name: Int1 Category: Viruses Description: Details Int13 It is a very dangerous memory resident parasitic stealth virus. It hooks INT 13h, 21h and writes itself to the beginning of COM files that are accessed with FindNext DOS function. The virus uses quite exotic methods of infection that might result in computer failure and lost of files. While infecting the virus moves 512 bytes of the file beginning to the file end, writes itself to the beginning of the file, and exits infection without increasing the file length. As a result the original header of the file is out of the file's body, but the file is not corrupted. To fix that problem the virus stores the physical (INT 13h) address of the sector that contains the original file header, and then while reading from the disk (INT 13h) the virus "shows" the sector with not infected file header instead of the real one. This is stealth algorithm at INT 13h level. So, DOS loads infected files as not infected ones when the system is infected with that virus. To get the address of original file header the virus writes it to the end of the file by INT 21h call, DOS receives that call and translates it to INT 13h format, then the virus intercepts that INT 13h call and stores the values of corresponding registers (i.e. address of that sector). While writing to the file the virus also uses INT 13h calls, so has not to handle file attributes, time, and write-protect error (INT 24h). The virus contains the string: Int 13