Green Caterpillar (A/B/C) Virus

Alias:1575/1591, (15xx) Virus
Strain:Caterpillar
detected when:January 1991
where:Ontario, Canada
Classification:Resident Program (COM & EXE) Infector
Length:Program: 1575 Bytes (modulo 16:1575-1591) Memory: 1760-1840 Bytes

Preconditions

Operating System(s):MSDOS
Version/Release:Version 3.00 and upwards
Computer model(s):IBM-Compatibles (only in Real-Mode)
Caroname:Green_Caterpillar.1575.A

Attributes

Easy identification:Text-String found "C:\COMMAND.COM $$$$$"

Type of Infection:

Memory: the virus installs itself in high memory, but does not protect itself against being overwritten in RAM (A-Variant). COM & EXE files: one COM and one EXE file are infected each time infection is triggered; the file date is changed to the system date. COMMAND.COM is infected immediately after execution.

Infection Technique:
Infection Trigger:Any time a COPY or DIR-Command is executed
Storage Media affected:
Interrupts hooked:INT 21h; INT 24h; corrupts COPY and DIR commands
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Transient damage: a green caterpillar creeps over the screen, starting at the upper left corner.
Damage Trigger:Two months after first infection.
Particularities:Three variants are reported: the B-Variant installs itself in memory, including self-protection against overwrite. The C-Variant is able to infect a program during its execution.
Similarities:---

Agents

Countermeasures:Scan (>V73); VirScan; F-Prot
Standard means:Boot from a clean system disk, restore COMMAND.COM, delete all infected files; hide COMMAND.COM in a separate directory, and use the COMSPEC entry in the CONFIG.SYS file to avoid reinfection of COMMAND.COM.

Acknowledgements

Location:Virus-Test-Center; University Hamburg, Germany
Classification by:Matthias Jaenichen, VTC
Documentation by:Matthias Jaenichen, VTC
Date:15-July-1991
Information Source:Disassembly, Vsum9103 (Patricia Hoffman)

(c) 1996 Virus-Test-Center, University of Hamburg