INT 13 Virus

Alias:
Strain:---
detected when:
where:
Classification:COM-infector, memory resident, stealth.
Length:512 bytes

Preconditions

Operating System(s):MS-DOS
Version/Release:DOS < 4, with 32KB Colour Adaptor
Computer model(s):PCs
Caroname:Int13

Attributes

Easy identification:

Type of Infection:
Virus preserves original file length by using slack cluster space after end of file.
Selfrec in memory: --- {Once resident, stealth is designed to prevent re-execution of viral code in infected objects}
Selfrec on disk: file[0..1] = E2h 00h [using anti-stealth]

Infection Technique:
Infection Trigger:FindNext FCB
INFECTION_CRIT:
COMlength >= 512
COMname[1..2] <> "OM"
file[0..1] <> "MZ"
(COMlength-1) mod 1024 < 512 [any drive]
(COMlength-1) mod 2048 < 1024 [C: and beyond]
{This is designed to ensure that there is slack space available for the virus; it fails to account for discs like 1.2MB floppies with 1 sector per cluster}
Storage Media affected:
Interrupts hooked:INT 21h/12h, INT 13h/02h
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:---
Encoding Method:
Damage:Liable to make a mess on network drives or with SuperStor, Stacker ...
Transient: ---
Permanent: ---
Damage Trigger:Transient: --- Permanent: ---
Particularities:
- DOS buffer chain is shrunk.
- Displayed text: ---
- Not displayed text: " Int 13"
- INT 13 goes resident by copying itself into the first DOS buffer and then removing that buffer from circulation.
- Whenever a FindFirstFCB call occurs, the virus checks whether the file thus identified seems to be a COM file. If so, it is hit.
- During infection, the virus seeks to the end of the file and performs a dummy read with an INT 13h trap in place, which records ES, BX, CX and DX for the sector containing the end of file. The first sector of the file is then loaded and written into the slack-space sector just after the last sector of the file. The viral code, with the trapped CX/DX values for the position of the end-of-file, is then written over the first sector.
- When a sector is read which appears to be the start of an infected file, the virus reads what it assumes to be the hidden copy of the clean first sector from the slack area, thus stealthing its presence.
- There is no *viral* code in the slack space, so INT 13 is perceived as a simple overwriting virus after a clean boot.
- If an infected file is moved around on disc, the stealth information in the viral sector no longer points at the slack area of the infected file. Correct stealthing, and thus the correct operation of infected objects, becomes much less likely.
- Virus may only run on DOS versions < 4. It seems to assume a buffer layout as usual in DOS 3.3.
- Virus uses Display = 32KB Colour Adaptor {mem[B800:7800..7BFF] is used for temporary storage by the virus}
Similarities:---
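Added example (Python, not part of the CaroBase entry): a clean-boot scanner check built from the INFECTION_CRIT and the on-disk self-recognition bytes above, plus the slack-sector calculation behind the 1.2MB-floppy caveat. The 0-based reading of COMname[1..2], the cluster sizes and the sample values are assumptions.

```python
"""Added example, not from the CaroBase entry: scanner-side checks for INT 13."""
import math

SECTOR = 512
SELFREC_ON_DISK = b"\xE2\x00"   # file[0..1] of an infected COM file on disk


def meets_infection_crit(name, first_two, length, drive="C"):
    """True if the entry's INFECTION_CRIT selects this COM file.
    Feed it data read from a clean boot: while the virus is resident its
    INT 13h/02h hook returns the clean first sector, hiding E2h 00h."""
    if length < 512:                                   # COMlength >= 512
        return False
    if name.upper()[1:3] == "OM":                      # COMname[1..2] <> "OM" (assumed 0-based, skips COMMAND.COM)
        return False
    if first_two == b"MZ":                             # file[0..1] <> "MZ"
        return False
    if (length - 1) % 1024 >= 512:                     # any drive: 2-sector clusters assumed
        return False
    if drive.upper() >= "C" and (length - 1) % 2048 >= 1024:   # C: and beyond: 4-sector clusters assumed
        return False
    return True


def slack_sector_exists(length, bytes_per_cluster):
    """Does the sector right after EOF still belong to the file's last cluster?
    The virus assumes so; with 1 sector per cluster (1.2MB floppies, assumed
    bytes_per_cluster=512) it does not, and the hidden first sector lands
    outside the file's own allocation."""
    sectors_per_cluster = bytes_per_cluster // SECTOR
    allocated_sectors = math.ceil(length / bytes_per_cluster) * sectors_per_cluster
    eof_sector = (length - 1) // SECTOR                # 0-based sector index holding the last byte
    return eof_sector + 1 < allocated_sectors


def is_infected_on_disk(data):
    """Clean-boot check: an infected COM file starts with E2h 00h on disk."""
    return data[:2] == SELFREC_ON_DISK


if __name__ == "__main__":
    # Constructed sample: a 1500-byte COM file on a floppy and on C:
    print(meets_infection_crit("TEST.COM", b"\xB8\x00", 1500, "A"))   # True
    print(meets_infection_crit("TEST.COM", b"\xB8\x00", 1500, "C"))   # False
    print(slack_sector_exists(1500, 1024), slack_sector_exists(1500, 512))  # True False
    print(is_infected_on_disk(b"\xE2\x00" + b"\x90" * 510))           # True
```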

Agents

Countermeasures:
Standard means:Delete the infected files and replace them from a backup

Acknowledgements

Location:CSIR South Africa
Classification by:Paul Ducklin
Documentation by:Paul Ducklin
Date:
Information Source:CaroBase entry, converted S.Freitag VTC Hamburg

(c) 1996 Virus-Test-Center, University of Hamburg