| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 1588 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Expects to find RAM at 9000: if there is RAM at 0A000: |
| Computer model(s): | PC's |
| Caroname: | Arriba |
Attributes | |
| Easy identification: | |
Type of Infection: | COM: The virus prepends itself to the files EXE: The virus appends itself to the files Selfrec in memory: Int21_handler[3] == 3156h Selfrec on disk: File[EOF-2] == 3156h |
| Infection Technique: | |
| Infection Trigger: | Load && COM_Filesize <= 64768 |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B, 24, 8 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: scroll MSG_DISPLAYED: across the top line of the screenand hang the machine after that. Permanent: - |
| Damage Trigger: | Transient: Date == November_20th Permanent: - |
| Particularities: | The virus installs itself at the end of the available memory (regardless where exactly this end is), without marking the occupied memory as allocated. The virus resides at the memory address: (first Virus_segment - 64kB (whether or not it exists) is used as a filebuffer during infection. Previous Int24 handler is clobbered. Displayed text: (accents shown here appended, newline replaces longspace) "Cara al sol con la camisa nuevaque tu bordaste rojo ayerhallaras la muerte si te llegay no te vuelvo a verformare junto a mis coman~erosque hacen guardia sobre los lucerosimpasible el ademan y esta'n presentesen nuestro afansi te dicen que cai me fui al puesto que tengo allivolveran banderas victoriosas al paso alegrede la paz y seran prendidas cinco rosas las flechas de mi pazvolvera a reir la primavera que por cielo y tierra y maresperan arriba a Espan~a y a vencer, que en Espan~a empiezaa AMANECER20-N-90 Spain Jaws & Shark ARRIBA ESPAN~A"; Encrypted The scrolling text is paced with a software timing loop, the int8timer routine seems not to have any effect on the timing. There isan int3 breakpoint in the virus just before continuing into theresident copy. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 28.7.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg