   This virus is from VLAD#4.
   
Winsurf
   
   
     _________________________________________________________________
   
   Winsurf is a dangerous memory resident parasitic virus, 1432 bytes in
   length. It infects NEW EXE files only. During infection it modifies
   the NEW EXE tables, and writes itself at the file end.
   
   When an infected program is executed, the virus checks for DPMI
   (DOS Protected Mode Interface) with the INT 2Fh, AX=1686h function,
   and returns control to the host file if there is no DPMI or the file
   has not been executed in protected mode. Then the virus checks
   system memory for an already installed copy of itself with an
   "Are you here?" call (INT 21h, AX=1894h); the memory resident virus
   copy returns CX=1234h. If the system is not infected, the virus scans
   the environment area for the "windir=" string, opens and reads the
   SYSTEM.INI file from the directory that "windir=" points to, scans
   SYSTEM.INI for the "shell=" string, and infects the file that
   "shell=" points to. Then the virus returns control to the host
   program.
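
   The lookup chain above (Windows directory, SYSTEM.INI, "shell=")
   also tells a defender which file to verify first. The following is an
   added example, not code from the original description: it resolves the
   "shell=" program, confirms it is a NEW EXE file and compares it with a
   known-good hash. The function names, the read_file callback, the
   baseline dictionary and the sample data are assumptions made for
   illustration.

```python
import hashlib
import struct

def shell_from_system_ini(text):
    """Return the shell= value from the [boot] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "boot" and key.strip().lower() == "shell":
            return value.strip()
    return None

def is_new_exe(data):
    """True if data is an MZ file whose header field at 3Ch points to 'NE'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (ne_off,) = struct.unpack_from("<I", data, 0x3C)
    return data[ne_off:ne_off + 2] == b"NE"

def check_shell(ini_text, read_file, baseline):
    """Compare the shell= program with a known-good SHA-256 (hypothetical helper)."""
    shell = shell_from_system_ini(ini_text)
    if not shell:
        return ("no-shell-entry", None)
    name = shell.split()[0].lower()   # assumed: read_file(name) returns bytes
    data = read_file(name)
    if not is_new_exe(data):
        return ("not-new-exe", name)
    known = baseline.get(name)        # assumed: {file name: SHA-256 hex digest}
    if known is None:
        return ("no-baseline", name)
    digest = hashlib.sha256(data).hexdigest()
    return ("ok" if digest == known else "modified", name)

# Constructed sample input: a minimal NE-shaped stub and a SYSTEM.INI fragment.
_stub = bytearray(0x40)
_stub[:2] = b"MZ"
struct.pack_into("<I", _stub, 0x3C, 0x40)
CLEAN = bytes(_stub) + b"NE" + bytes(62)
SAMPLE_INI = "[decoy]\nshell=other.exe\n\n[boot]\nshell=progman.exe\n"
BASELINE = {"progman.exe": hashlib.sha256(CLEAN).hexdigest()}

if __name__ == "__main__":
    print(check_shell(SAMPLE_INI, lambda name: CLEAN + bytes(16), BASELINE))
```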
   
   The virus stays memory resident while the program that was infected
   by the method described above is running. Usually the "shell=" string
   points to the Program Manager file (PROGMAN.EXE, DASH.EXE, DASH2.EXE),
   i.e. the program which stays in memory for the whole Windows session,
   so the virus does not need any special tricks to stay memory
   resident. It hooks INT 21h by DPMI calls and returns control to the
   host program. Then the virus infects the NEW EXE files that are
   executed or loaded into memory (INT 21h, AH=4Bh).
   
   The virus contains internal text strings that are used during
   infection of the Program Manager:

 hell=indir=system.ini

   The virus contains errors, and in some cases halts the system after
   infection of the files.
   
   
     _________________________________________________________________
   
   © Copyright 1995 Eugene V. Kaspersky
