| Alias: | |
| Strain: | Datalock strain |
| detected when: | |
| where: | |
| Classification: | EXE-infector |
| Length: | 2048 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | None |
| Computer model(s): | PC's |
| Caroname: | DataLock.920.A |
Attributes | |
| Easy identification: | |
Type of Infection: | Appending, uses DOS file length to position virus. Selfrec in memory: INT 21h/BEh => AX=1234h SELFREC_ON_DISC: file[12h..13h] = file[14h..15h] + file[16h..17h] + 1234h{in EXE files: initCS + initIP + 1234h = FileChecksum} |
| Infection Technique: | |
| Infection Trigger: | COMlength > 23000 |
| Storage Media affected: | |
| Interrupts hooked: | 21h/4B00h, 21h/3Dh, 21h/BFh, 21h/BEh,24 (during infection) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: After August 1990, the virus randomly interferes withattempts to open files, usually files of the form *.?BF.Spurious "Too many open files" errors are returned. Permanent: None |
| Damage Trigger: | Transient: (Date >= August 1990) && (INT 21h/3Dh) && (FileNameof the form *.?BF) Permanent: n/a |
| Particularities: | None Displayed text: None Not displayed text: "DataLock version 1.00" When going resident, the virus uses the byte stringstarting at offset 8 in the current environment areaas a filename, and tries to infect it. If the firstenvironment variable is COMSPEC, this will cause thecommand interpreter to be infected even if the PC isswitched off before the infected application isexited. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Carobase-entry (automatic converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg