| Alias: | |
| Strain: | |
| detected when: | October 1989 |
| where: | --- |
| Classification: | Link virus (extending), RAM-resident |
| Length: | .COM files: Program length increases by 1864 bytes |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM PC, XT, AT and compatibles |
| Caroname: | Dbase |
Attributes | |
| Easy identification: | Typical text in Virus body (readable with HexDump-utilities): "c:\bugs.dat" |
| Type of Infection: | System: RAM-resident, infected if function FB0AH of INT 21H returns with 0AFBH in AX register. .COM file: extended by using EXEC-function. A file will only be infected once. .EXE File: no infection. |
| Infection Technique: | |
| Infection Trigger: | When function 4B00H of INT 21H (EXEC) is called. |
| Storage Media affected: | |
| Interrupts hooked: | INT 21H |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: 1. Every time a .DBF file is created in an infected system with function 3CH, 5BH or 6CH of INT 21H, the complete filename of the new .DBF file will be inserted in the hidden file "c:\bugs.dat". 2. On every write operation to a file registered in "bugs.dat", all neighboring bytes will be interchanged (e.g.: "01 02 03 04" changed to "02 01 04 03"). 3. On every read operation from a file registered in "bugs.dat", the bytes will be interchanged again, so that no modification is visible. 4. If the filename of the .DBF file is modified, so that it does not correspond to the filename registered in "bugs.dat", or read/write operations happen in a non-infected system, the bytes will no longer be modified by the virus and they appear defective. Transient Damage: Every time a new .DBF file is created, the virus examines the age of "bugs.dat". If the difference between the month of creation and the current month is greater than 2, the computer will hang in an endless loop. |
| Damage Trigger: | |
| Particularities: | - In case of a program error in the virus, single bytes in the .DBF file could be overwritten incorrectly by write operations! - Programs longer than 63415 bytes are no longer loadable. |
| Similarities: | |
Agents | |
| Countermeasures: | Category 3: ANTI_DBS.EXE (VTC Hamburg) |
| Standard means: | Notice .COM file length. Typical text in virus body: "c:\bugs.dat", which is also created in the root directory. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Thomas Lippke |
| Documentation by: | Thomas Lippke |
| Date: | January 20, 1990 |
| Information Source: | |
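
Added example (not part of the VTC catalog entry and not the ANTI_DBS.EXE tool): a Python triage check that uses the neighboring-byte interchange described under Damage to tell whether a .DBF file is intact or only becomes a valid dBASE III table once the bytes are swapped back. It assumes pairs begin at even file offsets and a dBASE III header layout; `swap_pairs`, `header_is_plausible`, `classify` and the sample table are constructed for illustration.

```python
import struct

DBF_VERSIONS = {0x03, 0x83}  # dBASE III without / with memo file


def swap_pairs(data: bytes) -> bytes:
    """Interchange neighboring bytes: 01 02 03 04 -> 02 01 04 03.

    Assumption: pairs start at even file offsets and an odd trailing
    byte is left untouched. The operation is its own inverse.
    """
    out = bytearray(data)
    even = len(out) & ~1
    out[0:even:2], out[1:even:2] = data[1:even:2], data[0:even:2]
    return bytes(out)


def header_is_plausible(data: bytes) -> bool:
    """Structural check of a dBASE III header (32 bytes + field descriptors)."""
    if len(data) < 33:
        return False
    version, _yy, mm, dd, nrec, hdr_len, rec_len = struct.unpack_from("<4BIHH", data)
    if version not in DBF_VERSIONS or not (1 <= mm <= 12 and 1 <= dd <= 31):
        return False
    if hdr_len < 65 or (hdr_len - 33) % 32 or hdr_len > len(data) or rec_len < 2:
        return False
    if data[hdr_len - 1] != 0x0D:      # field descriptor terminator
        return False
    body = len(data) - hdr_len         # records, optionally followed by 0x1A
    return body in (nrec * rec_len, nrec * rec_len + 1)


def classify(data: bytes) -> tuple[str, bytes]:
    """Return (state, usable_bytes); state is 'clean', 'swapped' or 'unknown'."""
    if header_is_plausible(data):
        return "clean", data
    restored = swap_pairs(data)
    if header_is_plausible(restored):
        return "swapped", restored
    return "unknown", data             # e.g. partial writes or other damage


def build_sample() -> bytes:
    """Constructed one-field, two-record dBASE III table for the demo."""
    field = b"NAME".ljust(11, b"\0") + b"C" + bytes(4) + bytes([8, 0]) + bytes(14)
    header = struct.pack("<4BIHH", 0x03, 90, 1, 20, 2, 65, 9) + bytes(20)
    return header + field + b"\r" + b" ALICE   " + b" BOB     " + b"\x1a"


if __name__ == "__main__":
    for blob in (build_sample(), swap_pairs(build_sample())):
        print(classify(blob)[0])
```

A result of "unknown" means neither reading validates, which is what the Particularities row warns about: work on a copy and keep the original file.
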
(c) 1996 Virus-Test-Center, University of Hamburg