| Alias: | |
| Strain: | |
| detected when: | July, 1992 |
| where: | Sofia, Bulgaria |
| Classification: | Memory resident, appending, COM file infector |
| Length: | 234 bytes |
Preconditions | |
| Operating System(s): | PC/MS-DOS. Uses several undocumented and version- dependent |
| Version/Release: | Works under PC-DOS 3.30. Haven't checked for other versions. |
| Computer model(s): | Any MS-DOS computer |
| Caroname: | Junior |
Attributes | |
| Easy identification: | --- |
Type of Infection: | Any executable file, the first 2 bytes of which are not 'MZ' or 0C4h. Virus is appended to file. |
| Infection Technique: | |
| Infection Trigger: | Execution of a file. |
| Storage Media affected: | Any storage media with MS-DOS compatible file system. |
| Interrupts hooked: | INT 78h, 21h, 24h (only during infection), INT 13h (only during infection, and only if it is not already intercepted). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | --- |
| Damage Trigger: | --- |
| Particularities: | The virus traps INT 21h/AX=4B00h in a very unusual way. It puts an INT 78h instruction at TerminateAddress-2 and intrcepts INT 78h itself. |
| Similarities: | --- |
Agents | |
| Countermeasures: | --- |
| Standard means: | Delete infected files, restore clean copies. |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, Germany |
| Classification by: | Vesselin Bontchev |
| Documentation by: | Vesselin Bontchev |
| Date: | 10-August-1992 |
| Information Source: | Reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg