| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM-infector |
| Length: | NONE |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Deicide.II.Brotherhood |
Attributes | |
| Easy identification: | |
Type of Infection: | COPY: The virus appends itself to the files Selfrec on disk: File[2] == 0CDABh |
| Infection Technique: | |
| Infection Trigger: | attribute == "normal" && 665 <= Filesize <= 0EF00h |
| Storage Media affected: | |
| Interrupts hooked: | |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: Message is displayed and current program is terminatedwithout executing it. Permanent: - |
| Damage Trigger: | Transient: Virus found one of its brothers OR(11th <= Day_of_Month <= 25th && November <= Month <= December). Permanent: - |
| Particularities: | The virus is not memory resident. Displayed text: "Found my brother "MORGOTH"!!!","Found my brother "DEICIDE"!!!","Brotherhood... I am seeking my brothers "DEICIDE" and "MORGOTH"..." Not displayed text: "*** Glenn Benton ***" File[2] == 0ADDEh is the MORGOTH signature, File[2] == 0D90h is theDEICIDE signature. The file analysed was a copy of the original virusand so it was lacking the 28 bytes extra copy routine, it was paddedto 666 bytes with a NUL byte (Glenn Benton has a thing about 666). |
| Similarities: | MORGOTH, DEICIDE |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 20.6.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg