| Alias: | |
| Strain: | Exe_Bug Virus Strain |
| detected when: | |
| where: | South Africa (there common in January 1993) |
| Classification: | Memory-resident System (MBR,FBR) infector, stealth, tunnelli |
| Length: | 1.Length (Byte) on media: 1 sector 2.Length (Byte) in memory: 1 kByte |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and compatibles |
| Caroname: | Exe_Bug.Hooker |
Attributes | |
| Easy identification: | --- |
Type of Infection: | Self-Identification in memory: --- Self-Identification on disk: MBR[60h..61h]=BAh 80h System infection: MBR/FBR infector; stores original boot sector at location At 0/0/17 (HD) or at LAST_R (FD) |
| Infection Technique: | |
| Infection Trigger: | At bootup from an infected floppy (hard); during INT 13h/AH=02 (floppy) |
| Storage Media affected: | HD/FD |
| Interrupts hooked: | INT 13h/02, INT 13h/03 (stealth mechanism) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: Sectors on hard drive converted to disc-trashing trojan. Transient Damage: --- |
| Damage Trigger: | Permanent Damage: INT13h/write AND buffer[0..1]="MZ" AND CL=counter Transient Damage: --- |
| Particularities: | Can't format floppies. Virus contains encrypted text "HOOKER" (NOT displayed as message). When the Trojan (48 bytes long) is written to disk, string "HOOKER" is appended to it. |
| Similarities: | Exe-Bug.A Virus |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin (CARObase) Klaus Brunnstein (conversion to CVC |
| Date: | 1993-February-15 |
| Information Source: | Reverse-Engineering of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg