Malware Wiki

Prizm

Virus.Win9x.Prizm.4428 is a very dangerous memory-resident, parasitic, polymorphic virus for Microsoft Windows 9x.

Behavior

The virus infects Win32 PE EXE and DLL files. The memory-resident copy infects files as Windows accesses them (opened or run). When run from an infected file, the virus also looks for applications that are being run, obtains their file names, and tries to infect them as well.

While infecting, the virus writes itself to the end of the file, then modifies the entry-point address and the other PE header fields needed to make the appended code run. As an infection marker (so it can recognise files it has already infected), the virus also writes the following string into a field of the PE header:

SpAm
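The two traits described above, an entry point redirected into code appended at the end of the file and an identity string written into the PE header, make a simple scanning heuristic. The following is an added example, not code from the wiki page: it parses a PE32 header, flags a `SpAm` marker anywhere in the NT headers or section table (the page does not say which field Prizm uses, so the whole header span is checked) and flags an entry point that lands in the last section. The sample files it builds are constructed toy headers with no code, and placing the marker in the Win32VersionValue field is this example's own assumption.

```python
import struct

MARKER = b"SpAm"  # identity string the page says Prizm writes into the PE header

def parse_pe(data):
    """Minimal PE32 reader: entry-point RVA, raw NT-header bytes, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    stab = pe + 24 + opt_size                                # start of section table
    sections = []
    for i in range(nsect):
        off = stab + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        sections.append((name, va, max(vsize, rawsize)))
    return entry, data[pe:stab + 40 * nsect], sections

def infection_indicators(data):
    """Heuristics for an appending infector: marker in header, EP in last section."""
    entry, header, sections = parse_pe(data)
    hits = []
    if MARKER in header:
        hits.append("marker %r found in PE header" % MARKER)
    owner = [n for n, va, size in sections if va <= entry < va + size]
    if not owner:
        hits.append("entry point 0x%X lies outside every section" % entry)
    elif len(sections) > 1 and owner[0] == sections[-1][0]:
        hits.append("entry point 0x%X is in the last section (%s)" % (entry, owner[0]))
    return hits

def build_sample_pe(infected):
    """Constructed toy PE32 header (no code): .text at RVA 0x1000, .data at 0x2000."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2010 if infected else 0x1000)  # AddressOfEntryPoint
    if infected:
        opt[52:56] = MARKER  # assumption: marker placed in the unused Win32VersionValue field
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    sections = b""
    for name, va in ((b".text", 0x1000), (b".data", 0x2000)):
        sections += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x200, va, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff + bytes(opt) + sections
```

On a real sample the hits are only indicators: many packers also move the entry point into the last section, so confirm with a proper scanner before acting on the result.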

To stay memory resident, the virus switches from user mode to Windows kernel mode (Ring 3 to Ring 0), allocates a block of system memory, and copies itself there. It then hooks the DOS INT 21h interrupt chain, the IFS (Installable File System) API, and system broadcast messages.

The INT 21h hook is used only for an "Are you here?" call that detects an already active memory-resident copy, so the virus is not installed twice. The IFS hook intercepts file-opening system calls and infects Win32 EXE and DLL files as they are opened.

The broadcast-message hook detects when a new disc is inserted into a CD drive. In that case the virus tries to send a "write data" command to the inserted disc. The intent appears to be to destroy discs in CD writers, but this routine seems to be buggy, so discs should not actually be damaged.

Payload

On the 1st, 11th, 13th, and 26th of each month, each time an infected program is run, the virus erases a randomly selected sector on each logical drive (overwriting it with virus code) and displays a Blue Screen of Death message:

Virus Win9x.Chazhma(Chernobil2)

Made by SpAmC0der->[PRiZM]->Vladivostok->Russia

Battle of life. Capital!!!
to be continued... Win32.Kursk2000

Press any key to continue

Videos

Virus.Win9x.Prizm (01:56): Virus.Win9x.Prizm.4428
Virus.Win9x (04:49): Virus.Win9x.Prizm
Prizm virus review by danooct1
