| Alias: | |
| Strain: | |
| detected when: | 1992 |
| where: | USA |
| Classification: | File and System virus (EXE, SYS infector), encrypted, someti |
| Length: | 1. Length (bytes) on media: 14xx bytes (see text); 2. Length (bytes) in RAM: |
| Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Involuntary.A |
| Attributes | |
| Easy identification: | 1) No simple scan string is available for EXE files due to the encryptive nature of the beast (but 24 bytes of the decryptor seem to be constant, only padded with a variable number of NOPs). 2) In memory (INT 21h handler) and in SYS files, you can check for the following string: 3d 00 4b 74 03 e9 45 02 50 53 52 1e 06 b8 02 3d cd 21 73 03 |
| Type of Infection: | File infection: Upon infection (by appending the virus' code), the program entry point is modified to point to the virus decryption code. File size grows by 14xx bytes; the size change can be observed with a DIR command (no stealth attempt is made by the virus). When the virus first activates, it tries to read C:\CONFIG.SYS and looks for device drivers to infect. It checks EXE victims for the 'MZ' signature, not for the extension; therefore, any program loaded via 4B00 not having an MZ signature is infected. File access during infection is via handle-oriented DOS functions. If the victim is write-protected, it will NOT be infected, since the virus does not attempt to clear the file attribute if a request to OPEN for READ/WRITE fails. |
| | Self-Identification in files: The virus avoids multiple infections by checking whether the difference between the SS and SP fields in the EXE header is 5Ch; if so, it assumes the file is already infected; otherwise, the file is infected now. |
| | System infection: The virus becomes memory resident when activated from a device driver, but when in an EXE file it functions as a non-resident SYS infector. When running an infected EXE, it looks around for SYS files to infect but does not go resident. When booting with an infected SYS file in CONFIG.SYS, it goes resident and infects EXE files that are executed. |
| | Self-Identification in memory: ? |
| Infection Technique: | |
| Infection Trigger: | Execution of infected EXE files or booting from an infected SYS (see System infection). |
| Storage Media affected: | Disks |
| Interrupts hooked: | INT 21h via direct access to IVT; checks for AX = 4B00, LOAD/EXEC request. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: 1) On trigger conditions (see below), the virus displays the following message: "You have helped spread this virus This has been a message from your friendly neighborhood infection service. Thank you for your involuntary cooperation." 2) After displaying the message, the virus overwrites the first 10 sectors of the first FAT on C: using INT 26h (absolute disk write). Transient Damage: --- |
| Damage Trigger: | Permanent Damage: 14th day of every month. Remark: David Chess reports a variant with trigger date = 19th of any month. Transient Damage: --- |
| Particularities: | 1) This virus uses a crude 16-bit XOR-type encryption routine to evade identification. The encryption key is obtained from the BIOS timer (low word only). The decryption loop contains a bunch of NOPs for confusion. The general routine used for encryption is fixed; the virus does not qualify as fully polymorphic. |
| Similarities: | --- |
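As an added example that is not part of the catalog entry, the following Python turns the two identification hints given above into a file-scanning heuristic: the SS/SP difference of 5Ch in an MZ header that the virus uses as its own infection marker, and the 20-byte INT 21h handler string for SYS files and memory images. It assumes the standard DOS MZ header layout (SS at 0Eh, SP at 10h); the entry does not say which way the SS/SP subtraction goes, so both directions are tested, and all sample buffers are constructed.

```python
from __future__ import annotations
import struct

# Scan string the catalog gives for the resident INT 21h handler and for
# infected SYS files. It disassembles to cmp ax,4B00h / je / jmp / push
# ax,bx,dx,ds,es / mov ax,3D02h / int 21h / jnc: the LOAD/EXEC check
# followed by the handle-oriented open for read/write.
INVOLUNTARY_SIG = bytes.fromhex(
    "3d 00 4b 74 03 e9 45 02 50 53 52 1e 06 b8 02 3d cd 21 73 03"
)
MZ_SS_OFFSET = 0x0E  # standard DOS MZ header: SS at 0Eh, SP at 10h (assumed)


def exe_header_marker(data: bytes) -> bool:
    """MZ header whose SS and SP fields differ by 5Ch: the virus' self-ID."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return False
    ss, sp = struct.unpack_from("<HH", data, MZ_SS_OFFSET)
    # The entry does not say which way the subtraction goes; accept either.
    return (ss - sp) & 0xFFFF == 0x5C or (sp - ss) & 0xFFFF == 0x5C


def has_handler_signature(data: bytes) -> bool:
    """Scan string hit: valid for SYS files and memory images, not EXEs."""
    return INVOLUNTARY_SIG in data


def scan(data: bytes) -> list[str]:
    """Return findings for one file or memory image; [] means no hit."""
    findings = []
    if exe_header_marker(data):
        findings.append("MZ header: SS/SP differ by 5Ch (virus self-ID marker)")
    if has_handler_signature(data):
        findings.append("INT 21h handler scan string present")
    return findings


def make_mz_header(ss: int, sp: int) -> bytes:
    """Constructed minimal 64-byte MZ header used for the samples below."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<HH", hdr, MZ_SS_OFFSET, ss, sp)
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed samples: marked EXE header, clean EXE header, SYS-like body.
    print(scan(make_mz_header(0x0100, 0x00A4)))  # SS - SP == 5Ch
    print(scan(make_mz_header(0x0000, 0x0080)))  # []
    print(scan(b"\x90" * 16 + INVOLUNTARY_SIG))   # scan string hit
```

A 5Ch header hit on its own is a weak indicator, since a clean linker can emit such SS/SP values; treat it as a reason to look for the constant decryptor bytes, not as a verdict.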
| Agents | |
| Countermeasures: | |
| Standard means: | Delete infected files and replace with clean ones |
| Acknowledgements | |
| Location: | VDS Advanced Research Group, Baltimore, Maryland |
| Classification by: | Tarkan Yetiser |
| Documentation by: | Tarkan Yetiser (in Virus-L: August 26, 1992); David Chess, IBM |
| Date: | 31-July-1993 |
| Information Source: | Virus-L (see authors) |
(c) 1996 Virus-Test-Center, University of Hamburg