| Alias: | Ganeu |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector |
| Length: | 1446 |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Uses >= AT calls. INT 1A/4, INT 15/86 |
| Computer model(s): | PC's |
| Caroname: | Dual_GtM |
| Attributes | |
| Easy identification: | |
| Type of Infection: | The virus overwrites part of the file, destroying it. The virus appends itself to the files. Selfrec in memory: 21/54 bx=4475,cx=616C -> bx=4775,cx=4D21. Selfrec on disk: Seconds field in DTA set to 62. |
| Infection Technique: | |
| Infection Trigger: | 21/4B. The virus monitors the EXEC function, but does not infect the executed file. Instead it searches the current directory (if drive > B) for uninfected files. It first examines all .COMs, then .EXEs. It infects the first host it finds and stops searching. Thus, one file is infected on each EXEC request (if an uninfected host is found). |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B, 21/54 (Self-rec) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Virus overwrites part of the infected file on infection. Transient: If triggered, during the infection routine, the virus decrypts its message (below), prints it, and enters an infinite loop. Permanent: None |
| Damage Trigger: | Transient: Date==1994-03-20 Permanent: None |
| Particularities: | None. Displayed text: " Beware of the BUG !!! " (Encrypted in virus using "not".) Not displayed text: None. The find first/next for .EXE files avoids infecting files that start with "SCAN", "CLEA", or "QBAS". The name is based on the self-recognition call. The call is "Dual" and the return is "GtM!". The alias is based on a "string" near the end of an infected file: Ga nEu, where the "a" has a circumflex, the space is an FFh, and the "E" has an accent. It's a code-based non-string (like "PSQR"): 47 83 FF 6E 90 7E or: inc di; cmp di,6E; nop; jnz |
| Similarities: | None |
| Agents | |
| Countermeasures: | |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Joe Wells |
| Documentation by: | Joe Wells |
| Date: | 1993-12-15 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
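
A defender's check built from two on-disk traits recorded in this entry (the seconds field set to 62, and the message stored with "not"), added here as an example and not part of the original catalogue entry. It assumes raw 32-byte FAT directory entries as input, whose packed time word has the same layout as the one returned in the DTA; the function names and all sample bytes are constructed for illustration.

```python
import struct

MARKER_SECONDS = 62             # on-disk self-recognition value given in this entry
MESSAGE = b"Beware of the BUG"  # core of the displayed text (surrounding padding omitted)

def dos_seconds(time_word):
    """Seconds from a packed DOS time word (low 5 bits count 2-second units)."""
    return (time_word & 0x1F) * 2   # normal files stop at 58; raw 31 decodes to 62

def marked_entries(directory):
    """Return names of .COM/.EXE entries whose seconds field reads 62."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        entry = directory[off:off + 32]
        if entry[0] == 0x00:                       # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:   # deleted, volume label or subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (time_word,) = struct.unpack_from("<H", entry, 22)   # time word at offset 16h
        if ext in ("COM", "EXE") and dos_seconds(time_word) == MARKER_SECONDS:
            hits.append(f"{name}.{ext}")
    return hits

def find_not_encoded(buf, text=MESSAGE):
    """Offset of `text` stored with every byte inverted (NOT), or -1 if absent."""
    return buf.find(bytes(b ^ 0xFF for b in text))

def make_entry(name, ext, hour, minute, raw_sec):
    """Build one constructed 32-byte directory entry for the demo."""
    t = (hour << 11) | (minute << 5) | raw_sec
    return (name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20"
            + bytes(10) + struct.pack("<HHHI", t, 0x1C71, 2, 4096))

# Constructed sample data, not taken from a real disk or a real sample.
SAMPLE_DIR = (make_entry("EDIT", "COM", 12, 0, 15)
              + make_entry("GAME", "EXE", 9, 30, 31)    # raw 31 -> 62 seconds
              + make_entry("NOTES", "TXT", 9, 30, 31)   # not a .COM/.EXE, ignored
              + bytes(32))
SAMPLE_BODY = b"\x90" * 40 + bytes(b ^ 0xFF for b in MESSAGE) + bytes(8)

if __name__ == "__main__":
    print("marked files:", marked_entries(SAMPLE_DIR))
    print("NOT-encoded message offset:", find_not_encoded(SAMPLE_BODY))
```

A seconds value of 62 cannot result from a normal file write, so a hit on an executable is a strong hint to examine the file further; a timestamp alone is not proof of infection.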
(c) 1996 Virus-Test-Center, University of Hamburg