Name: Baran.329 Category: Viruses Description: Details Baran.3294 These are memory resident parasitic polymorphic viruses. They hook INT 21h and write themselves to the end of COM and EXE files. "Baran.3294" infects the files that are executed or closed. "Baran.4968" infects the files that are closed (both FCB and Handle calls), executed, To hook the interrupt vectors these viruses use several tricks. The INT 21h handler in "Baran.3294" virus contains just only instruction - call to INT 1 (CDh 01h). That virus also hooks INT 1, and when INT 21h call is performed, the control is passed to INT 1 handler that contains file infection routines. "Baran.4968" traces INT 13h, 21h. To hook INT 21h the virus patches INT 21h handler in the DOS area (the original INT 21h handler) with INT 29h call (CDh 29h), then patches INT 29h handler with FAR JMP_Virus instruction. As a result the virus handler takes both INT 21h and INT 29h calls. To separate them the virus checks the address of caller and either executes the original INT 29h, or passes the control to the virus INT 21h handler. If the virus cannot to hook INT 21h, it infects the command interpreter by using COMSPEC= pointer. If MS Windows is active, the virus also infects the program that will be executed when Windows exits to DOS. "Baran.4968" is the stealth virus. When an infected file is opened (both FCB and Handle calls), loaded as overlay or debugged, the virus disinfect it. This virus also checks the file name and does not infect the files IBMBIO.* and IBMDOS.*. "Baran.3294" is not a dangerous virus. Depending on the system time it displays the message: Gwadera to baran ! "Baran.4968" is a very dangerous virus. Depending on its internal counter it corrupts the data that are saved on disk. It contains the text: Unknown destroyer v1