| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM-infector, resident |
| Length: | 402 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Cinderella.B |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus overwrites the beginning of the file, appending the overwritten part after the end of the file. Selfrec in memory: Int21;ah=FB --> ah=00 Selfrec on disk: File[0] == 0FBB4h (MOV ah,0FBh) |
| Infection Technique: | |
| Infection Trigger: | (Open_RO || Load) && Filesize >= 390 |
| Storage Media affected: | |
| Interrupts hooked: | 21/3D00, 21/4B, 21/FB, 21/FC, 24, 16/00 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: create a read-only hidden system file named "DDDDDDDD.DDF"(where "D" is 0DDh and "F" is 0FFh) and (probably) reset the computerby jumping to 0F000:E05Bh Permanent: - |
| Damage Trigger: | Transient: Keypress && (Counter == 0) Permanent: - |
| Particularities: | The virus resides in the interrupt vector table. The virus resides at the memory address: 0:200h Int80..IntE5 vectors are trashed. The counter is decremented at every keypress and incremented by 666each time a file is considered for infection. Int21;ah=FCh is used toexit into the host program. After infection but before closing thefile, the file date/time is read and immediately written again. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 26.7.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg