AAV is a memory resident parasitic virus. It hooks INT 10h, 13h, 16h, 21h and stays memory resident.
When any file is executed, or on DOS GetDiskSpace call, or in its INT 10h handler, if the system is not busy, the virus searches for .COM and .EXE files and writes itself to the end of the file.
The virus pays special attention for C:\COMMAND.COM file and infects it in the way similar to the "Peasant" virus - it overwrites the beginning of the COMMAND.COM with 512 bytes of virus loader and saves the original COMMAND.COM's header and the rest of the virus code to the not used sectors of the first track on the hard drive.
When infected COMMAND.COM is executed, virus loader reads the rest of the virus code from the hard drive, stays memory resident, then restores the original beginning of COMMAND.COM and returns control.
This way of infection may corrupt the data and the files. The virus may also halt the system while loading memory resident - it uses quite complex way of interrupts hooking/releasing and may corrupt DOS kernel.
Depending on the system time, date and several other conditions the virus displays the messages in Chinese and in English:
THIS FILE MAY BE INFECTED WITH VIRUS TO KILL VIRUS,YOU CAN REINSTALL THIS FILE IDEARS AUTO_ANTI_VIRUS SOFTWARE GROUP AAV MARK:4540055520 AUTO_ANTI_VIRUS THIS FILE IS SAFE THANKS FOR USE AAV IDEARS AUTO_ANTI_VIRUS SOFTWARE GROUP AAV MARK:4540055520
No images or videos available