| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 7C0H (5DCH COPIED) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Cpw |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus appends itself to the files. Selfrec in memory: [0:3FFh] == FBh; Selfrec on disk: File[EOF-3] == "LS" |
| Infection Technique: | |
| Infection Trigger: | (Open_RO || Load || get/set_attr) && filename (delimited by '\' and '.') NOT in "CNCGUARDEMSCPAVSCANCLEANFINDVIRUCHKVIRUS" && space_for_virus |
| Storage Media affected: | |
| Interrupts hooked: | 24, 16/00, 21/3D00, 21/4B, 21/43 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: [1] keypress routine subverted so that input comes from the repeating string " You are here CPW!"; [2] display MSG_DISPLAYED: and hang the machine. Permanent: - |
| Damage Trigger: | Transient: [1] random period at random intervals; [2] (Open_RO || Load || get/set_attr) && Date == May_27th. Permanent: - |
| Particularities: | The virus resides above the last MCB. If the filename (delimited by '\' and '.') is found in "SCPAVSCANCLEANFINDVIRUCHKVIRUS" then the file is deleted. Displayed text: "!Feliz Cumpleanos CPW!" (first ! is inverted, ~ over the n). Not displayed text: "Este programa fue hecho en Chile en 1992 por CPW." All the filename checks are case-sensitive (upper case). The method of extracting the base filename is flawed (search no more than 80 bytes for the first '.', then search backwards no more than 80 bytes for a '\'). COMMAND.COM is targeted for infection before each normal infection, and a flag is set with the intention of only attempting once to access COMMAND.COM. However, the flag is overwritten each time another COM file infection is attempted. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 6.7.93 |
| Information Source: | Caroentry (autom. converter by S. Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg