| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM-infector |
| Length: | NONE |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PCs |
| Caroname: | Kthulhu |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus overwrites the beginning of the file, appending the overwritten part after the end of the file. Selfrec on disk: File[9] == 0FA8Bh \|\| File[13] == 0FA8Bh |
| Infection Technique: | |
| Infection Trigger: | *.COM with "normal" attribute exists in current directory AND File found by attribute mask 3Fh in current directory AND (258h < filesize%64k < 0EE48h) |
| Storage Media affected: | |
| Interrupts hooked: | |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: Write "Today is my birthday.", beep and wait for keypress before rebooting. Permanent: - |
| Damage Trigger: | Transient: Date == May_20th Permanent: - |
| Particularities: | The virus is not memory resident. Files are renamed to KTHULHU before infection. If an abnormal error occurs at any stage during infection, the original filename is not restored. In this case, file attribute or time/date may also have changed and the line "!" is written to the screen. Displayed text: (Date == May_20th) "Today is my birthday."; (May_1st <= Date <= May_19th) "IT is coming."; (May_21st <= Date <= May_31st) "IT has gone." The infection signature (a 'mov di,dx' instruction tested for twice) suggests that there are at least 2 versions of this virus. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 20.6.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg