| Alias: | 923, 928 Virus |
| Strain: | --- |
| Detected when: | February 1991 |
| Detected where: | Bulletin Board, Slovenia |
| Classification: | Program (.COM, .EXE) infector, memory resident |
| Length: | 1) Length on media: 928 (3A0h) - 943 bytes; 2) Length in memory: 944 bytes |
| Preconditions | |
| Operating System(s): | MS/PC-DOS |
| Version/Release: | 2.00 and upwards |
| Computer model(s): | All IBM PC compatibles |
| Caroname: | Hey_You |
| Attributes | |
| Easy identification: | Virus contains text (message displayed): "Hey, YOU !!! Something's happening to you ! Guess what it is ?! HA HA HA HA ..." |
| Type of Infection: | System: The virus first checks the MCB to confirm that at least 64 KB will remain available after it installs itself in memory. It then copies itself to the top of available memory and decreases the value of available memory by 3Bh paragraphs (= 944 bytes). Files: The virus appends itself to the end of .COM (including COMMAND.COM) and .EXE files, enlarging the file size by between 928 and 943 bytes. Files are infected only once. |
| Infection Technique: | |
| Infection Trigger: | Calling INT 21h (EXEC) function 4B00h |
| Storage Media affected: | Files can be infected on all media (HD,FD) |
| Interrupts hooked: | INT 21h (functions 4B00h and BBBBh), INT 24h (only during infection of a file) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: ---. Transient damage: When an infected program is executed, the computer beeps (^G), displays the message described above (see: Easy identification) and exits to DOS. |
| Damage Trigger: | Transient damage: if, during infection, function GetDate returns with year>=1991 AND month>=2 AND day>=25 AND (Mem[0:46Ch] AND 7=0) (Real Time Clock). |
| Particularities: | INT 21h is set directly (not via DOS) and always points to xxxx:00B5h. EXE files with a maximum memory requirement equal to FFFFh paragraphs will not be infected. The attribute, time and date of an infected file remain unchanged. Read-only and hidden attributes do NOT protect against infection. |
| Similarities: | --- |
| Agents | |
| Countermeasures: | Tested: F-Prot v2.03a detects and removes the virus. |
| Standard means: | --- |
| Acknowledgements | |
| Location: | --- |
| Classification by: | Dalibor Cerar |
| Documentation by: | Dalibor Cerar |
| Date: | 16-April-1992 |
| Information Source: | (original virus analysis) |
(c) 1996 Virus-Test-Center, University of Hamburg