| Alias: | Greek Virus |
| Strain: | |
| detected when: | Mai 1990 |
| where: | Greece |
| Classification: | Programm/Link (COM) virus |
| Length: | 1079 Bytes |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM-PC, XT, AT and upwards, and compatibles |
| Caroname: | Armagedon |
Attributes | |
| Easy identification: | Text in virus body: "Armagedon the GREEK" |
Type of Infection: | Infects COM files only (Int 21h function 4Bh) by prepending the virus before COM file. |
| Infection Technique: | |
| Infection Trigger: | Load and execute File by Subfuction 4Bh of Int21h |
| Storage Media affected: | diskettes, hard disk |
| Interrupts hooked: | Int 21h DOS-Services: - function 4Bh changed for infection; - function E0h, returns DADAh; - function E1h, returns the Int21h-Segment; Int08h Timer-Interrupt: Damage-routine added. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Virus sends a string to all 4 COM-ports. This string advises any connected hayes-modem to drop the line and to dial "081 |
| Damage Trigger: | If time is between 05:00 and 06:00 hours (am) |
| Particularities: | |
| Similarities: | --- |
Agents | |
| Countermeasures: | |
| Standard means: | Deleting the first 1079 Bytes will disinfect the Programm. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, germany |
| Classification by: | Matthias Jaenichen, VTC Hamburg |
| Documentation by: | Yuval Tal, Weizmann-Institute, Rehovot, Israel |
| Date: | June 26, 1990 |
| Information Source: | Yuval Tal |
(c) 1996 Virus-Test-Center, University of Hamburg