| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 2 kilobyte(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | will not infect read-only files |
| Computer model(s): | PC's |
| Caroname: | CAZ.1159 |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus appends itself to the files Selfrec in memory: Int2F;AX=FFFF --> AL=10 Selfrec on disk: Filetime_seconds == 62 |
| Infection Technique: | |
| Infection Trigger: | (EXE) pag/mod filesize == actual filesize(COM) no check for filesize |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B00, 21/3D, 24, 2F/FFFF, STEALTH: |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: write MSG_DISPLAYED: to the screen, copy first sectorof first harddisk onto the third sector, overwrite first sector from[0:0] and reboot (int 19h) after waiting for a keypress (int 16h). |
| Damage Trigger: | Transient: - Permanent: Loadexec *CLEAN.* |
| Particularities: | The virus resides above the last MCB Virus uses Armouring. File date/time is updated to the infection time Displayed text: "Virus anti-McAfee v1.0 (C) SEPTEMBER 1991 Made in SPAIN";Encrypted After installing the virus in memory, C:\COMMAND.COM is infectedby opening it read-only. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 28.7.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg