| Alias: | --- |
| Strain: | ZUC Virus Strain |
| detected when: | June 1991 |
| where: | Italy |
| Classification: | Link virus (most files of type "APPL") |
| Length: | Resource fork extension: 1324 bytes |
Preconditions | |
| Operating System(s): | MacOS proprietary |
| Version/Release: | System 4.1 or greater |
| Computer model(s): | Apple Macintosh: all models |
| Caroname: | ZUC.C |
Attributes | |
| Easy identification: | The last 4 bytes of CODE resource, which is 1st entry in the jump table, are "CO"+$BA+$BB with $BABB = "DE" exclusive or $FFFF. |
Type of Infection: | All files of type "APPL" with a CODE resource of type as described under Resource pattern, with size >32 Bytes and CODE-resource+Virus <32,768 Bytes and a creator different from the following ones: SpDo,XPRS,DFCT,VGDt,VIRy, OMEG,FEVr,PLUS,VICM. |
| Infection Technique: | The size of the first CODE resource in jump table is increased by 1324 bytes. |
| Infection Trigger: | Executing an infected file between August 13, 1990 at 13:13:13 and last infection date stored in virus. This virus has two different infection strategies: 1. With a probabilty of 15/16, virus searches for an unifected application by scanning all accessible Desktop files for resources of type "APPL" and infects first one found. 2. With a proibability of 1/16, virus uses a recursive search to find an uninfected application on all connected volumes (such as AppleShare). Strategy #2 is choosen if the value of the system variable time is a multiple of 16. |
| Storage Media affected: | |
| Interrupts hooked: | Values of traps changed by antivirus programs are noticed by the virus and the traps are patched back to original routines: SetFileInfo, ChangedResource, SetResAttr. After infection peroid: VBL interrupt. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: --- Transient damage: VBL-routine to bounce cursor whenever the mouse button is pressed. |
| Damage Trigger: | Running an infected file after last infection date stored in virus. |
| Particularities: | The computer will hang if there is no RAM for VBL-task in system heap. |
| Similarities: | ZUC A,B |
Agents | |
| Countermeasures: | 1. Use a commercial anti-viral product or a public domain utility such as Virus Detective, VirusRx, Interferon or Disinfectant (>=2.5) to scan for virus' signature. |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Ronald Greinke |
| Documentation by: | Ronald Greinke |
| Date: | 15-July-1991 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg