Alicia


Virus.DOS.Alicia or Alicia is a virus that runs on MS-DOS.

This virus has 11 variants:

  • Virus.DOS.Alicia.Ace
  • Virus.DOS.Alicia.Arj
  • Virus.DOS.Alicia.Ha
  • Virus.DOS.Alicia.Lzh
  • Virus.DOS.Alicia.Rar
  • Virus.DOS.Alicia.Zip
  • Virus.DOS.Alicia.Zoo
  • Virus.DOS.Alicia.a
  • Virus.DOS.Alicia.b
  • Virus.DOS.Alicia.c
  • Virus.DOS.Alicia.d

Behavior

Virus.DOS.Alicia.a

It is a dangerous memory-resident, polymorphic, parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files. When hooking INT 21h, the virus patches the original INT 21h handler with the Jmp_Virus instruction. The virus then infects files that are found during searches of disk directories (DOS functions FindFirst/FindNext).

The virus also affects archives, adding to them its infected dropper, a dummy program infected by the virus. The dropper's name is selected randomly. The names listed below are real ones that were observed while replicating the virus on a test PC:

HDBK.COM, HDNK.COM, HDDK.COM, HDOK.COM, HDPK.COM, KDHD.COM

The virus detects archive files by their filename extensions. The extensions it checks are: ZIP, ARJ, RAR, ACE, HA, ARC, PAK, LZH, LHA, ZOO. When infecting an archive, the virus parses its internal format, creates a new record, and writes the infected dropper into it. The virus supports eight archive formats: ZIP, ARJ, RAR, ACE, HA, PAK/ARC, LZH/LHA, ZOO (PAK and ARC share one archive format, as do LZH and LHA).

On May 24, or when an infected dropper is executed, the virus displays the following string letter by letter, with each letter enlarged as it is displayed:

A l i c i a #  Version Gamma 0 . 1 # by Star0 I K X  In honor of B0z0 ikx
