Devil's Dance

Alias:Devil, 941 Virus
Strain:
detected when:Spring 1990
where:Mexico City
Classification:.COM - file: extending, RAM-resident, link virus
Length:.COM - Files: increased by 941 bytes

Preconditions

Operating System(s):MS-DOS
Version/Release:2.xx upward
Computer model(s):IBM - PC, XT, AT and compatibles
Caroname:Devil's_Dance.A

Attributes

Easy identification:Typical text in virus body, readable with hexdump utilities: "Drk", "*.com". If the high bit of the displayed code is stripped, the message displayed at system reset time can be read. .COM files: the first three bytes (jmp) and the last three bytes are identical. The file date/time is set to the date/time of the infection (i.e. multiple infected files have the same file date/time).

Type of Infection:

System virus: RAM-resident; the system is infected if the string "Drk" is found 3 bytes before the INT 21 handler address. .COM file: infected by hooking the LOAD function; adds 941 bytes to the end of the file. Only files with extension .COM will be infected. A file may be infected more than once. At first execution of the virus, all .COM files in the current directory will be infected. .EXE file: no infection.

Infection Technique:
Infection Trigger:A .COM file will be infected when function 4B00H (LOAD/EXEC) of INT 21H is called.
Storage Media affected:
Interrupts hooked:INT 21H (functions 4B00H and 49H). INT 09H only for damage.
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent damage:
1. Every .COM file executed in an infected system will be infected.
2. After 2,500 keys have been pressed and a reset (Ctrl+Alt+Del) is issued, the first sector of hard disk C: will be overwritten.
Transient damage:
1. All characters typed are displayed in a different color on a color card.
2. If reset (Ctrl+Alt+Del) is pressed, the following message is displayed:
"Have you ever danced with"
"the devil under the weak light of the moon? "
"Pray for your disk! The_Joker..."
"Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha"
Damage Trigger:Keyboard input (characters typed) and reset (Ctrl+Alt+Del)
Particularities:
- The message "Have you ... Ha Ha" is encrypted.
- All files with .COM extension will be infected (i.e. also EXE files with a .COM extension).
- .COM files with the EXE header ID "MZ" will not run after infection.
- The virus does not use a self-identification mark on .COM files; files will be infected many times.
- In case of multiple infections of .COM files, the system is slowed down on first execution of the virus in a clean system; if, e.g., a file has been infected 10 times, it will try to infect every accessible .COM file 10 times.
- All file attributes are cleared and not restored.
- Multiple files have the same date/time.
- Programs longer than 64,337 bytes are not executed correctly after infection.
Similarities:

Agents

Countermeasures:Category 3: NTIDEVIL.EXE (VTC Hamburg)
Standard means:Check .COM file length, file date/time and attributes. Typical text in virus body: "*.com", "Drk". Search for hex bytes: E4,E1,EE,E3,E5,E4,A0,F7,E8,F4,E8. Don't use Ctrl+Alt+Del if your screen has been colored; use the power-off or reset switch to reboot your computer.
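A static indicator check that applies the identification hints above (the "Drk" and "*.com" strings, the hex byte signature, the high-bit encoding of the message and the identical first/last three bytes of infected .COM files) to a file image. This is an added example, not a VTC tool; the image it scans is constructed to have the described layout and is not a real virus sample.

```python
"""Static indicator check for Devil's Dance in a .COM file image (added example)."""

# Hex byte signature quoted in the catalogue entry under "Standard means".
SIGNATURE = bytes.fromhex("E4E1EEE3E5E4A0F7E8F4E8")
MARKER_STRINGS = (b"Drk", b"*.com")


def strip_high_bit(data: bytes) -> str:
    """Clear bit 7 of every byte; the catalogue says this reveals the reset message."""
    return bytes(b & 0x7F for b in data).decode("ascii", errors="replace")


def scan_com_image(image: bytes) -> dict:
    """Return which Devil's Dance indicators a .COM image exhibits."""
    findings = {
        # Infected .COM files: first three bytes (jmp) equal the last three bytes.
        "jmp_head_equals_tail": len(image) >= 6 and image[:3] == image[-3:],
        "marker_strings": [s.decode() for s in MARKER_STRINGS if s in image],
        "signature_found": SIGNATURE in image,
        "decoded_signature": "",
    }
    pos = image.find(SIGNATURE)
    if pos != -1:
        findings["decoded_signature"] = strip_high_bit(image[pos:pos + len(SIGNATURE)])
    # "*.com" alone is common in clean programs, so require two independent hits.
    hits = [findings["jmp_head_equals_tail"],
            "Drk" in findings["marker_strings"],
            findings["signature_found"]]
    findings["likely_infected"] = sum(hits) >= 2
    return findings


def build_sample_image() -> bytes:
    """Constructed image laid out like an infected .COM file (not a real sample)."""
    jmp = b"\xE9\x10\x00"                      # constructed near jmp at offset 0
    host = bytes(range(0x20, 0x40))            # stand-in for the host program
    body = b"\x90" * 8 + b"Drk" + b"\x00*.com\x00" + SIGNATURE + b"\x00" * 5
    return jmp + host + body + jmp             # tail repeats the first three bytes


if __name__ == "__main__":
    for key, value in scan_com_image(build_sample_image()).items():
        print(f"{key}: {value}")
```

The length check from the catalogue (941 bytes of growth) is deliberately not implemented here, since it needs a known-clean copy of the file to compare against.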

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:Stefan Tode
Documentation by:Stefan Tode
Date:5-June-1990
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg