| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, Master-boot record (HD) infector, resi |
| Length: | 3456 BYTES (WHEN LOADED FROM FILE),4096 BYTES (WHEN LOADED BY MBR) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | None |
| Computer model(s): | PC's |
| Caroname: | Invisible |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus appends itself to the files Selfrec in memory: INT_21;AX=FC03 -> AX=03FC Selfrec on disk: Checksum of entrypoint |
| Infection Technique: | |
| Infection Trigger: | (Exec) or( (Open or ChMod or Rename) and( (extension == COM) or (extension == EXE) ) )[Avoids certain COM files by doing a checksum onthe name.] |
| Storage Media affected: | Harddisks |
| Interrupts hooked: | 21/2521, 21/3521, 21/4B00, 21/3D, 21/43, 21/56,1C (during boot from infected MBR only, laterunhooked) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | the virus uses variable encryption with a variable decryptor. |
| Encoding Method: | |
| Damage: | Transient: None Permanent: Overwrites some files instead of infecting. Thereplacement code displays some song lyrics (seebelow) and plays noise on the speaker. |
| Damage Trigger: | Transient: None Permanent: Complex and pseudo-random, but becoming morelikely with time-since-infection. |
| Particularities: | The virus resides above the last MCB The virus resides at the top of memory, reducing the BIOS memory size at 0000:0413. The virus disables INT 1 and INT 3. None Displayed text: "I'm the invisible man,I'm the invisible man,Incredible how you canSee right through me.I'm the invisible man,I'm the invisible man,It's criminal how I canSee right through you."; Encrypted in virus, butnot in Trojanized files.[displayed by Trojanized files] Not displayed text: "The Invisible Man - Written in SALERNO (ITALY),October 1992. Dedicated to Ester: I don't knowhow or when, but I will hold you in my arms again.";Encrypted. Relatively straightforward, mildly polymorphic,tunneling EXE and COM infector that also infectsthe MBR in order to get back into memory after aboot. Doesn't infect diskette boot records. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | David M. Chess, IBM HICL |
| Documentation by: | David M. Chess, IBM HICL |
| Date: | 1993/05/25 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg