| Alias: | |
| Strain: | Cascade = Autumn = Herbst(laub) - Virus |
| detected when: | |
| where: | |
| Classification: | Program Virus (extending .COM), RAM resident |
| Length: | .COM-file length increases by 1701 bytes |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.XX upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | Cascade.1701.Jojo.A |
| Attributes | |
| Easy identification: | |
| Type of Infection: | System: Counts as infected if a call to interrupt 21h with subfunction FFh succeeds without error and 55AAh is returned in the DI register. .COM file: Program virus: Increases .COM files by 1701 bytes by appending itself to the end of the host program. The first three bytes of the original program are stored in the virus code and replaced by a jump instruction to the beginning of the virus code. .EXE file: No infection if it is a true .EXE file. .COM files with the extension .EXE will also be infected. |
| Infection Technique: | |
| Infection Trigger: | Infects all .COM files (only once, independent of the date) that are loaded via function 4Bh, subfunction 00h, of interrupt 21h. (MS-DOS uses this function to start any program.) |
| Storage Media affected: | |
| Interrupts hooked: | Int 21h |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient damage: JOJO.A produces a screen display of multicolored diamonds. This is only a visual effect. You can leave this display routine by pressing the 'ESC' key. |
| Damage Trigger: | If the system time is later than 7pm and the virus is started for the first time, the display routine will be activated. Each time the virus infects a program after 7pm system time, the display routine of the newly infected program will be activated. Each time an infected program is executed after 7pm system time, the display routine will be activated. |
| Particularities: | 1. If the system is not infected, the invocation of an infected program produces errors (a system crash is possible). 2. .COM files up to a length of 63803 bytes will be infected, but files with a length of more than 63576 bytes are not loadable after infection. 3. The virus is not encrypted like the CASCADE.1701.A version. 4. The distinction between .EXE and .COM files is made by testing the 'magic number (MZ)' in the .EXE header. 5. If the virus infects a .COM file, the original date and time of this file are not changed. 6. The check of the BIOS copyright string of IBM computers is defective (see Cascade.1701.A), so infection of true IBM computers is not avoided. 7. The virus code contains two messages from the author that are never displayed: a) Fuck the system (c) - 1990 b) Welcome to the JOJO virus 8. If the DOS version is lower than 2.XX, the virus doesn't infect the computer system, but the display routine will be activated once if the system time is after 7pm. |
| Similarities: | |
| Agents | |
| Countermeasures: | F-prot (for example) detects and, if requested, removes the virus |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, Germany |
| Classification by: | Martin Retsch, Mario Ticak |
| Documentation by: | Martin Retsch |
| Date: | December 5, 1995 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg
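
A defender-side check built from the file layout this entry describes, as an added example that is not part of the original catalog or of any scanner's code: it flags a .COM image whose leading near jump lands exactly 1701 bytes before end of file and whose tail holds the plaintext message. Assumptions: the jump targets the first appended byte, the message is stored as the ASCII bytes shown, and all function names are hypothetical; the sample images are constructed filler, not virus code.

```python
import struct

VIRUS_LEN = 1701   # growth of an infected .COM file, per the entry
MAX_HOST = 63803   # largest host length that gets infected, per the entry
# Plaintext author message named in the entry; exact byte form is an assumption.
MARKERS = (b"Welcome to the JOJO virus",)

def jump_target(image: bytes):
    """File offset reached by a leading near JMP (E9 rel16), or None."""
    if len(image) < 3 or image[0] != 0xE9:
        return None  # also rules out true .EXE files, which start with 'MZ'
    (rel,) = struct.unpack_from("<H", image, 1)
    # rel16 is relative to the next instruction (offset 3); IP wraps at 64 KiB.
    return (3 + rel) & 0xFFFF

def check_com_image(image: bytes) -> str:
    """Return 'clean', 'layout-only', 'marker-only' or 'layout+marker'."""
    host_len = len(image) - VIRUS_LEN
    # Assumption: the jump lands on the first of the 1701 appended bytes.
    layout = 0 < host_len <= MAX_HOST and jump_target(image) == host_len
    marker = any(m in image[-VIRUS_LEN:] for m in MARKERS)
    if layout and marker:
        return "layout+marker"
    if layout:
        return "layout-only"
    return "marker-only" if marker else "clean"

def constructed_sample(host_len: int = 200, with_marker: bool = True) -> bytes:
    """Constructed image: NOP host plus 1701 zero bytes (filler, not virus code)."""
    tail = bytearray(VIRUS_LEN)
    if with_marker:
        tail[100:100 + len(MARKERS[0])] = MARKERS[0]
    head = b"\xE9" + struct.pack("<H", host_len - 3)
    return head + b"\x90" * (host_len - 3) + bytes(tail)

if __name__ == "__main__":
    clean = b"\xB4\x4C\xCD\x21" + b"\x90" * 60   # constructed: mov ah,4Ch / int 21h
    samples = [("clean", clean),
               ("appended+marker", constructed_sample()),
               ("appended, no marker", constructed_sample(with_marker=False))]
    for name, img in samples:
        print(f"{name:22s} {len(img):6d} bytes -> {check_com_image(img)}")
```

A "layout-only" result is a heuristic hit worth a closer look rather than an identification, since other appending .COM infectors of the same length would share that layout.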