FANDOM


Virus.Multi.CriCri is a memory resident multipartite polymorphic stealth encrypted virus on DOS, written by Griyo from 29A.

There are 6 variants:

  • Virus.Multi.CriCri.4289
  • Virus.Multi.CriCri.4300
  • Virus.Multi.CriCri.4335
  • Virus.Multi.CriCri.4616
  • Virus.Multi.CriCri.4690
  • Virus.Multi.CriCri.5595

BehaviorEdit

When the virus is loaded into memory, it first infects C:\COMMAND.COM, followed by hooking INT 13h and 21h to infect any executable file by writing itself to the end of the file. It also infects the boot sector of floppy disks that are accessed.

The virus behaves stealthy so that there would have no observable size change on infected files.

The virus might not perform infection on every program execution, and it does not infect files containing digits or the following strings in their filename:

V TB SC F- GU

Additionally, the virus has bugs that may corrupt the files during infection.

CriCri.4335 and 5595 are the cracked versions, they contain even more bugs that the former one cannot infect any file while the later one fails to load into memory and hang the system.

Advanced detailsEdit

The TSR memory usage of the variants:

Variant Memory usage in bytes
CriCri.4289 8,608
CriCri.4300 8,624
CriCri.4335 8,688
CriCri.4616 9,248
CriCri.4690 9,408
CriCri.5595 ?

MD5 hashes:

Variant Hash
CriCri.4289 d6f99976388a30a878613a37454dbfe2
CriCri.4300 6b7b05d341466c23014ffa20096e58d8
CriCri.4335 c0e307c5d415290f5c193414db081293
CriCri.4616 ce45700d332784102d0495dffb1444a2
CriCri.4690 bd909dc1157b00fa721afdada76a02c7
CriCri.5595 3079fab57c7f365f6751ad225e17ee55

PayloadEdit

When the infected system is loaded or an infected program is run on the Payload day, the virus displays a green message at the center of the screen and hangs the system.

CriCri.4289, 4300, 4616 and 4690Edit

These variants activate on June 4th.

CriCri.4289 and 4300:

Cri-Cri ViRuS by Griyo/29A ...Tried, tested, not approved.

CriCri.4616 and 4690:

Cri-Cri ViRuS by Griyo96 ...Tried, tested, not approved.

CriCri.4335 and 5595Edit

These variants activate on February 3rd, they display the following instead:

Yulgok Virus 2!! Yulgok middle school Virus.. Viructive in

Due to the display size limit set in the code that the creator did not notice, the whole message is:

Yulgok Virus 2!! Yulgok middle school Virus.. Viructive in Kangreung! Yulgok virus Version 1.5

Other detailsEdit

In fact, this virus avoids most of the files in DOS system directory.

The Implant virus is related to the CriCri family.

ReferencesEdit

  1. List of variants of the CriCri virus on VX Heaven

VideosEdit

Virus.Multi02:42

Virus.Multi.CriCri

CriCri virus review by Alles Sandro

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.