| Alias: | 100 years Virus, IDF Virus, Stealth Virus |
| Strain: | |
| detected when: | October 1989. |
| where: | Haifa, Israel. |
| Classification: | Program Virus (extending), RAM-resident. |
| Length: | .COM files: length increased by 4096 bytes. .EXE files: length increased by 4096 bytes. |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | Frodo.Frodo.A |
| Attributes | |
| Easy identification: | --- |
| Type of Infection: | System: allocates a memory block at the high end of memory. Finds the original address (inside DOS) of the Int 21h handler. Finds the original address (inside BIOS) of the Int 13h handler, thereby bypassing all active monitors. Inserts a JMP FAR to the virus code inside the original DOS handler. .COM files: program length increased by 4096 bytes. .EXE files: program length increased by 4096 bytes. |
| Infection Technique: | |
| Infection Trigger: | Programs are infected at load time (using the Load/Execute function of MS-DOS), and whenever a file access is done to a file with the extension .COM or .EXE (Open file AH=3D, Create file AH=3C, File attribute AH=43, File time/date AH=57, etc.). |
| Storage Media affected: | |
| Interrupts hooked: | INT 21h, through a JMP FAR to the virus code inside the DOS handler; INT 01h, during virus installation and execution of DOS's Load/Execute function (AH=4B); INT 13h and INT 24h during infection. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | The computer usually hangs. |
| Damage Trigger: | A Get DOS Version call when the date is after the 22nd of September and before 1 January of the next year. |
| Particularities: | Infected files have their year set to (year+100) of the uninfected file. If the system is infected, the virus redirects all file accesses so that the virus itself cannot be read from the file. Also, find first/next function returns are tampered with so that files with (year>100) are reduced by 4096 bytes in size. |
| Similarities: | |
| Agents | |
| Countermeasures: | 1) A do-it-yourself way: infect the system by running an infected file, ARC/ZIP/LHARC/ZOO all infected .COM and .EXE files, boot from an uninfected floppy, and UNARC/UNZIP/LHARC E etc. all files. Pay special attention to the disinfection of COMMAND.COM. 2) The JIV AntiVirus Package (by the author of this contribution). 3) F. Skulason's F-PROT package. |
| Standard means: | --- |
| Acknowledgements | |
| Location: | Weizmann Institute, Israel. |
| Classification by: | Ori Berger |
| Documentation by: | Ori Berger |
| Date: | 26-February-1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg