FISH #6 Virus

Alias:FISH-6, European Fish Virus
Strain:4096 = 4K = FroDo = Stealth strain
detected when:October 1990
where:Bonn/Germany ???
Classification:Program (extending), RAM-resident, stealth virus
Length:.COM & .EXE files: length increased by 3584 bytes; in RAM: 4096 bytes.

Preconditions

Operating System(s):MS-DOS
Version/Release:2.xx upward
Computer model(s):IBM-PC, XT, AT and compatibles
Caroname:Frodo.Fish_6.A

Attributes

Easy identification:---

Type of Infection:

System: Allocates a memory block at the high end of memory. Finds the original address of the Int 21h handler and the original address of the Int 13h handler, therefore bypasses all active monitors. Inserts a JMP FAR to the virus code inside the original DOS handler. .COM & .EXE files: program length increased by 3584 bytes. A file will only be infected once. Files with the READ-ONLY attribute set can be infected; files with the SYSTEM attribute set will not be infected (e.g. IBMBIO.COM, IBMDOS.COM). COMMAND.COM is the first file which will be infected in a non-infected system.

Infection Technique:
Infection Trigger:Files are infected if function 4B00H (Load/Execute) or function 3EH (Close File) of MS-DOS is called, if the last three bytes of the filename sum up to either 223 (COM) or 226 (EXE), and if free disk space is >16384 bytes.
Storage Media affected:
Interrupts hooked:INT21h, through a JMP FAR to virus code inside the DOS handler; INT01h, during virus installation and processing; INT13h and INT24h, during infection.
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent Damage: a message will be displayed: "FISH VIRUS #6 - EACH DIFF - BONN 2/90 '~Knzyvo}'" and then the processor stops (HLT instruction).
Damage Trigger:If (system date>1990) and a second infected .COM file is executed.
Particularities:1. The virus is encrypted in memory and on disk.
2. Summing up the last 3 bytes of the filename to determine .COM and .EXE files for infection also matches more than 1200 other extensions, such as .BMP, .MEM, .OLD, .PIF, .QLB for .COM files and .LOG, .TBL for .EXE files, as well as filenames without extension, e.g. READCOM., TESTFAX., TEXTOLD. Therefore, virus code will be appended to data files (e.g. when using "TYPE TEXTOLD", file TEXTOLD will be infected).
4. Only files with id="MZ" or id="ZM" get infected as .EXE.
5. If the virus is not in memory, infected data files are corrupted.
6. Infected files get a new date 100 years ahead (newyear:=oldyear+100); e.g. 1991+100=>2091, but with DIR the new date is not visible.
7. Do not use "CHKDSK /F" in an infected system, as files get damaged (cross-linked sectors).
8. If the system is infected, the virus redirects all file accesses so that the virus itself cannot be read from the file (stealth technique).
9. Find first/next function returns are tampered with so that files with (year>100) are reduced by 3584 bytes in size.
10. Get/set file date is also tampered with.
Remark: the reference to "Bonn" built into the message (see damage) has led to the assumption that FISH#6 originated in this German town; a similar assumption has been made for the related WHALE=MOTHER FISH virus due to a string "Hamburg" appearing in its code. There is *no further evidence* that both variants of 4096 originated in Germany; the mentioned strings are more probably built in to disguise the origin (Russian: MASKIROWKA).
Similarities:FISH 6 is an optimized 4096 virus, as it inherits most of the technology of the 4096 virus. The string '~Knzyvo}', meaning "TADPOLES", is also found in the WHALE=MOTHERFISH virus.

Agents

Countermeasures:1) A do-it-yourself way (see 4096 virus): infect the system by running an infected file, ARC/ZIP/LHARC/ZOO all infected .COM and .EXE files, boot from an uninfected floppy, and UNARC/UNZIP/LHARC E etc. all files. Pay special attention to the disinfection of COMMAND.COM.
2) FINDVIRU 1.6 (Solomon)
3) F-FCHK 1.12+ (F. Skulason)
4) SCAN 6.3V72 (McAfee)
5) My NTIFISH6.EXE is an antivirus that only looks for the FISH 6 virus and, if requested, will restore the file.
Standard means:Only successful if the virus is not in memory! Boot from an uninfected, write-protected disk and check the century of files (with a proper tool).
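The filename test from the infection trigger, the date/size tampering from particularities 6 and 9, and the offline century check from "Standard means", modelled as an added example; this is not code from the catalog entry or the Virus Test Center. Upper-casing of names, dropping the trailing dot of an extensionless name, the packed DOS date layout and the sample file sizes are assumptions.

```python
import itertools
import string

COM_SUM = 223      # ord('C') + ord('O') + ord('M')
EXE_SUM = 226      # ord('E') + ord('X') + ord('E')
APPEND_LEN = 3584  # bytes the virus appends to a file on disk


def name_matches(filename):
    """The entry's trigger test: sum the last three bytes of the name.
    Assumed: DOS names are upper-case and an extensionless name such
    as 'TEXTOLD.' loses its trailing dot. Returns 'COM', 'EXE' or None."""
    name = filename.upper().rstrip(".")
    if len(name) < 3:
        return None
    total = sum(ord(ch) for ch in name[-3:])
    return {COM_SUM: "COM", EXE_SUM: "EXE"}.get(total)


def colliding_extensions(target_sum, alphabet=string.ascii_uppercase):
    """Every three-letter extension whose byte sum equals target_sum,
    i.e. data-file types the virus mistakes for executables."""
    return sorted("".join(t) for t in itertools.product(alphabet, repeat=3)
                  if sum(map(ord, t)) == target_sum)


def pack_date(year, month, day):
    """Packed DOS date: bits 9-15 = year - 1980, bits 5-8 month, bits 0-4 day."""
    return ((year - 1980) << 9) | (month << 5) | day


def resident_view(entry):
    """Directory entry as reported while the virus is resident: a file
    whose DOS year field exceeds 100 is shown APPEND_LEN bytes shorter."""
    name, size, packed = entry
    if (packed >> 9) > 100:
        return (name, size - APPEND_LEN, packed)
    return entry


def suspect_entries(entries):
    """Offline century check (virus not in memory): flag entries dated
    more than 100 DOS years ahead, i.e. a calendar year after 2080."""
    return [e for e in entries if (e[2] >> 9) > 100]


# Constructed sample listing: two files infected on 12-Feb-1991 carry 2091.
SAMPLE = [
    ("COMMAND.COM", 25000 + APPEND_LEN, pack_date(2091, 2, 12)),
    ("TEXTOLD", 2048 + APPEND_LEN, pack_date(2091, 2, 12)),
    ("README.TXT", 1200, pack_date(1991, 2, 12)),
]
```

Running suspect_entries over a listing taken after a clean boot reproduces the "check century of files" countermeasure, while resident_view shows why the same listing on an infected system looks normal.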

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Stefan Tode
Documentation by:Stefan Tode
Date:12-February-1991
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg