| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM-infector, resident |
| Length: | 144 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | CPU >= 286 AND expected value of SI on entry to COM file is |
| Computer model(s): | PCs |
| Caroname: | AT.140 |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus appends itself to the files. Selfrec in memory: [0:350h] == 8B60h. Selfrec on disk: File[EOF-140] == 8B60h |
| Infection Technique: | |
| Infection Trigger: | Load && File[0] != "M" |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - |
| Damage Trigger: | Transient: - Permanent: - |
| Particularities: | The virus resides in the interrupt vector table. The virus resides at the memory address 0:350h and overwrites IntD4 through IntF7, with potential for conflict. All kinds of optimising tricks are used to make the virus as small as possible. For instance: the int21 handler is referenced at 35:35h to save code during installation, and there is no error processing, so any failed DOS operation will not alter the control flow. Code instructions are carefully selected and ordered so that they can perform double or triple duty as much as possible. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 22.7.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg