Keypress Virus

Alias:
Strain:---
detected when:
where:
Classification:FILE (COM&EXE) infector, resident
Length:77 paragraph(s)

Preconditions

Operating System(s):MS-DOS
Version/Release:None
Computer model(s):PCs
Caroname:Keypress.1232.A

Attributes

Easy identification:

Type of Infection:

Appending, uses DOS file length to position virus
Selfrec in memory: memw[0:600h] = 01h 00h
Selfrec on disk: file[14h..15h] = 33h 01h {InitialIP = 113h} and file[0Ch..0Dh] = 00h 00h {MaxParAlloc = 0} (EXE); compares file[4h..Fh] (COM).

Infection Technique:
Infection Trigger:INT 21h/4B00h
INFECTION_CRIT: FileExtension = "COM" or FileExtension = "EXE", COMlength > 1216 and COMlength < 64065.
Storage Media affected:
Interrupts hooked:INT 21h/4B00h,INT 08h,INT 23h (during infection), INT 24h (during infection)
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:---
Encoding Method:
Damage:
Transient: Keyboard interference
Permanent: ---
Damage Trigger:
Transient: In a 2-second window every 10 minutes after activation.
Permanent: ---
Particularities:
- Only shrinks current MCB if it is a 'Z' block. (Only leaves a mess if there is another chain of MCBs, e.g. for UMBs.)
- Once resident, virus sits on User Timer Tick (INT 1Ch) and counts the time since activation. Every 10 minutes, for 2 seconds (i.e. 37 ticks), an INT 09h (hardware keyboard make-or-break) is issued. The effect of this is to cause the keyboard handler to be called even though no key was pressed, so that the keyboard appears to malfunction.
Similarities:---
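
Added example (not part of the catalog entry): a screening check that walks a directory tree and flags files whose MZ header carries the two "Selfrec on disk" byte pairs listed above for the EXE case. The function names are hypothetical and the sample headers in `make_header` are constructed; a match only means the marker bytes are present, so flagged files still go to a scanner such as the one named under Countermeasures.

```python
"""Screen DOS EXE headers for the on-disk self-recognition bytes in this entry."""
from pathlib import Path

# Byte values copied as listed in the entry's "Selfrec on disk" field (EXE case).
IP_OFFSET, IP_BYTES = 0x14, bytes([0x33, 0x01])              # file[14h..15h]
MAXALLOC_OFFSET, MAXALLOC_BYTES = 0x0C, bytes([0x00, 0x00])  # file[0Ch..0Dh]
HEADER_LEN = 0x16  # shortest read that covers both fields


def has_exe_marker(header: bytes) -> bool:
    """True if `header` starts an MZ file and both marker fields match."""
    if len(header) < HEADER_LEN or header[:2] not in (b"MZ", b"ZM"):
        return False  # too short, or not a DOS EXE header at all
    return (header[IP_OFFSET:IP_OFFSET + 2] == IP_BYTES
            and header[MAXALLOC_OFFSET:MAXALLOC_OFFSET + 2] == MAXALLOC_BYTES)


def screen_tree(root) -> list:
    """Return sorted paths under `root` whose header matches the marker.

    Files are judged by content, not extension, so renamed EXEs are covered.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(HEADER_LEN)
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        if has_exe_marker(head):
            hits.append(str(path))
    return sorted(hits)


def make_header(ip_bytes: bytes, maxalloc_bytes: bytes, sig: bytes = b"MZ") -> bytes:
    """Build a constructed 32-byte sample header for demonstration."""
    hdr = bytearray(0x20)
    hdr[0:2] = sig
    hdr[MAXALLOC_OFFSET:MAXALLOC_OFFSET + 2] = maxalloc_bytes
    hdr[IP_OFFSET:IP_OFFSET + 2] = ip_bytes
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    for hit in screen_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("marker match:", hit)
```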

Agents

Countermeasures:F-Prot
Standard means:Delete the infected files and replace them from a backup

Acknowledgements

Location:CSIR South Africa
Classification by:Paul Ducklin
Documentation by:Paul Ducklin
Date:03-January-1995
Information Source:CaroBase entry, converted S.Freitag VTC Hamburg

(c) 1996 Virus-Test-Center, University of Hamburg