| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM-infector, resident |
| Length: | 54 paragraph(s) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | F1-337 |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus prepends itself to the files Selfrec in memory: Int21;AH=F1 exits into host program Selfrec on disk: File[0] == 0F1B4h (mov ah,0F1h) |
| Infection Technique: | |
| Infection Trigger: | (Load || Open || Ext_Open/Create) && Filename[namelength-6]!= "ND" && Filesize < 64768 |
| Storage Media affected: | |
| Interrupts hooked: | 21/F1, 21/6C, 21/4B, 21/3D, 24 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - |
| Damage Trigger: | Transient: - Permanent: - |
| Particularities: | The virus resides as a TSR Int24 vector is not restored after infecting a file The Int21;AH=6C handling assumes the filename pointer is in DXbut it is really in SI. The filename checking is for "*CO?" andtherefore some wrong filenames will be selected. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 28.7.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg