| Alias: | 1575 |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 1847 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | None |
| Computer model(s): | PC's |
| Caroname: | Green_Caterpillar |
Attributes | |
| Easy identification: | |
Type of Infection: | Appending, uses DOS file length to position virus. Selfrec in memory: memw[seg(int21_vector):0725h] = 0Ch 0Ah Selfrec on disk: file[lastbyte-1..lastbyte] = 0Ch 0Ah |
| Infection Technique: | |
| Infection Trigger: | FindFirstFCB, FindNextFCBINFECTION_CRIT: |
| Storage Media affected: | |
| Interrupts hooked: | 21h/11h, 21h/12h, 1Ch (payload) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Green caterpillar traverses text screen Permanent: None |
| Damage Trigger: | Transient: Infected file run 3 or more months after infection Permanent: n/a |
| Particularities: | only shrinks the current MCB if it is a 'Z' block. (Only leaves a mess if there is another chain of MCBs, eg for UMBs). None The caterpillar runs across the screen from leftto right and from top to bottom. The screen contentsare "excreted" from the rear of the caterpillar asit goes by, leaving it displaced horizontally bythe length of the caterpillar, and with all textyellow on black.The caterpillar is advanced via a routine on INT1Ch, which is triggered each timer tick. At eachtick, the caterpillar moves forward by one screenposition. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg