| Alias: | 1971 |
| Strain: | |
| detected when: | --- |
| where: | --- |
| Classification: | Link-virus (extending), RAM-resident |
| Length: | .COM files: program length increases by 1971-1986 bytes: (length -3) mod 16 = 0. .EXE files: program length increases by 1971-1986 bytes: (length -3) mod 16 = 0. |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | Eight_Tunes |
Attributes | |
| Easy identification: | Typical texts in virus body (readable with HexDump facilities): "COMMAND.COM" in the data area of the virus; increased file length if the file is infected. |
| Type of Infection: | System: infected if function E00Fh of INT 21h returns the value 4C31h in the AX register. .COM files: program length increases by 1971-1986 bytes; if infected, the bytes 007h, 01fh, 05fh, 05eh, 05ah, 059h, 05bh, 058h, 02eh, 0ffh, 02eh, 00bh, 000h are found 62 bytes before end of file; a .COM file will only be infected once. .COM files will not be infected if filelength<8177 and filelength>63296; virus will be linked to the end of the program. .EXE files: program length increases by 1971-1987 bytes. If it is infected, the bytes 007h, 01fh, 05fh, 05eh, 05ah, 059h, 05bh, 058h, 02eh, 0ffh, 02eh, 00bh, 000h are found 62 bytes before end of file; an .EXE file will only be infected once; .EXE files will not be infected if filelength<8177; virus will be linked to the end of the program. |
| Infection Technique: | |
| Infection Trigger: | Programs are infected during load procedure (Load/Execute function of MS-DOS). |
| Storage Media affected: | |
| Interrupts hooked: | INT21h, INT08h (only if triggered), INT24h (only while infecting a file) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient Damage: After 30 minutes, the virus will play one of eight melodies (random selection). After a short time, the virus will play a melody again. |
| Damage Trigger: | Damage occurs 90 days after the file infection. |
| Particularities: | 1. COMMAND.COM will not be infected. 2. Normally, the virus will stay resident at the end of the available memory; only if the memory is fragmented by special software, the virus may become resident (via DOS function 31h). 3. One function (0E00Fh) used by Novell-Netware 4.0 can't be accessed anymore. 4. The damage occurs immediately when processing a file with creation date before 1984. 5. During a file infection, the virus looks for "BOMBSQAD.COM", an antivirus tool controlling accesses to disks; if found, the virus will deactivate it (tested with BOMBSQAD V. 1.2). 6. During a file infection, the virus looks for "FSP.COM" (Flushot+), an antivirus tool controlling accesses to disks, files etc. If found, the virus will stop file infection (tested with FLUSHOT V. 1.4). |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Thomas Lippke, Michael Reinschmiedt |
| Documentation by: | Michael Reinschmiedt, Thomas Lippke |
| Date: | 11-JUN-1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg
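
The file indicators from the "Type of Infection" and "Length" rows, turned into a check for .COM/.EXE images. This is an added example, not part of the original catalog entry; it assumes the 13-byte marker starts exactly 62 bytes before end of file and that the (length - 3) mod 16 rule applies to the infected file's length. The function names and the sample builder are hypothetical.

```python
import os

# 13-byte marker quoted in the "Type of Infection" row of this entry.
MARKER = bytes([0x07, 0x1F, 0x5F, 0x5E, 0x5A, 0x59, 0x5B, 0x58,
                0x2E, 0xFF, 0x2E, 0x0B, 0x00])
MARKER_DISTANCE = 62  # assumed: marker begins this many bytes before EOF


def check_image(data: bytes) -> dict:
    """Evaluate the entry's file indicators against one program image."""
    size = len(data)
    start = size - MARKER_DISTANCE
    marker = start >= 0 and data[start:start + len(MARKER)] == MARKER
    # The length rule also matches many clean files, so it is reported
    # as supporting evidence only; the tail marker decides the verdict.
    return {
        "size": size,
        "marker_at_tail": marker,
        "length_rule": (size - 3) % 16 == 0,
        "suspect": marker,
    }


def scan_files(paths):
    """Return the .COM/.EXE paths whose tail carries the marker."""
    hits = []
    for path in paths:
        if os.path.splitext(path)[1].lower() not in (".com", ".exe"):
            continue
        with open(path, "rb") as fh:  # DOS programs are small; read whole
            if check_image(fh.read())["suspect"]:
                hits.append(path)
    return hits


def build_sample(with_marker: bool, size: int = 10003) -> bytes:
    """Constructed test image: zero bytes, optionally with the marker
    placed 62 bytes before EOF. Contains no virus code."""
    image = bytearray(size)
    if with_marker:
        pos = size - MARKER_DISTANCE
        image[pos:pos + len(MARKER)] = MARKER
    return bytes(image)


if __name__ == "__main__":
    print(check_image(build_sample(True)))
    print(check_image(build_sample(False)))
```

The constructed clean sample satisfies the length rule without carrying the marker, which is why the length alone is not treated as a verdict.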