| Alias: | LieWait, _1413 |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM-infector, resident |
| Length: | 1760 { 6EH paragraph(s) } |
Preconditions
| Operating System(s): | MS-DOS |
| Version/Release: | DOS >= 2.0 |
| Computer model(s): | PCs |
| Caroname: | KYZ |
Attributes
| Easy identification: | |
| Type of Infection: | The virus appends itself to COM files. Self-recognition in memory: INT 21/AH=3F with BX=FEB0 returns BX=1212. Self-recognition on disk: File[EOF-2] = FEB0 (the word stored in the last two bytes of the file) |
| Infection Technique: | |
| Infection Trigger: | Exec and COM |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B00, 21/3F, 21/0A, 09, 24 { temporarily } |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: The virus steals Novell users' IDs and passwords by intercepting keyboard input via INT 09 and sends the stolen data over the network to the IPX internetwork address net: 05 00 00 00, node: FF FF FF FF FF FF, socket 44 44. Transient: When a specific command (namely "kkyyzz") is entered at the DOS prompt, the virus deactivates itself: it restores the intercepted interrupts and frees the memory it allocated. An empty input line is returned to the caller, i.e. if the virus is active in memory, typing kkyyzz at the DOS prompt results in just the DOS prompt being redisplayed, with no "Bad command or file name" message, as if |
| Damage Trigger: | Transient: Exec && (FileName = *LI.EXE) && (NumberOfCharactersEntered >= 41). Transient: The line "kkyyzz" entered via INT 21/0A (Buffered String Input). Permanent: - |
| Particularities: | { Maybe, TRANSIENT_DAMAGE could be moved here } The virus uses low-level IPX functions via far calls to the IPX dispatcher (the address returned by INT 2F/AH=7A00 in ES:DI) to send the stolen ID and password. User input is fetched from the BIOS keyboard buffer from within the virus's INT 09 handler. The suggested virus name KYZ is based on its self-deactivating command kkyyzz. |
| Similarities: | |
Agents
| Countermeasures: | |
| Standard means: | |
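The entry gives two self-recognition checks; the on-disk one (File[EOF-2] = FEB0, together with the 1760-byte body length) can be turned into a file scanner. The script below is an added example, not VTC code and not derived from the virus itself. It assumes the marker word is stored little-endian as x86 writes it (bytes B0 FE at the end of the file); the sample files it scans are constructed stand-ins containing no virus code.

```python
"""Scan COM files for the KYZ on-disk self-recognition marker.

Added example based on the catalog entry (File[EOF-2] = FEB0, length 1760);
not the VTC's code and not derived from a virus sample.
"""
import os
import struct
import tempfile

KYZ_LENGTH = 1760          # virus body length in bytes (from the entry)
KYZ_MARKER_WORD = 0xFEB0   # self-recognition word at File[EOF-2] (from the entry)
# Assumption: the word is stored little-endian as x86 does, so the last two
# bytes of an infected file are B0 FE. Adjust if a sample shows otherwise.
KYZ_MARKER_BYTES = struct.pack("<H", KYZ_MARKER_WORD)


def check_com_file(path):
    """Inspect one file and return a verdict dictionary."""
    size = os.path.getsize(path)
    tail = b""
    if size >= 2:
        with open(path, "rb") as f:
            f.seek(size - 2)
            tail = f.read(2)
    has_marker = tail == KYZ_MARKER_BYTES
    # An appending infector adds its whole 1760-byte body to the host, so an
    # infected file is always longer than that; a marker word at the end of
    # a shorter file is a coincidence, not an infection.
    plausible = size > KYZ_LENGTH
    return {
        "name": os.path.basename(path),
        "size": size,
        "marker": has_marker,
        "suspect": has_marker and plausible,
    }


def scan_directory(directory):
    """Check every *.COM file in `directory`; returns a list of verdicts."""
    verdicts = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".com"):
            verdicts.append(check_com_file(os.path.join(directory, name)))
    return verdicts


def build_samples(directory):
    """Write constructed test files (no real virus code) into `directory`."""
    # Minimal clean host: mov ax,4C00h / int 21h, padded with NOPs (205 bytes).
    host = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 200
    # Stand-in for an infected host: a 1760-byte filler block ending in the
    # marker word, appended to the host the way the virus appends its body.
    fake_body = b"\x00" * (KYZ_LENGTH - 2) + KYZ_MARKER_BYTES
    # Too short to carry the virus, but happens to end in the marker word.
    tiny = b"\xC3" + KYZ_MARKER_BYTES
    for name, data in (("CLEAN.COM", host),
                       ("INFECTD.COM", host + fake_body),
                       ("TINY.COM", tiny)):
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)


def demo():
    """Build the samples in a temporary directory and scan them."""
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return {v["name"]: v for v in scan_directory(d)}


if __name__ == "__main__":
    for name, v in demo().items():
        flag = "SUSPECT" if v["suspect"] else "clean"
        print(f"{name:12} {v['size']:6} bytes  marker={v['marker']!s:5} -> {flag}")
```

The length check matters: a two-byte marker alone will match roughly one clean file in 65536, so the scanner only flags files that are also long enough to hold the 1760-byte body. The in-memory check from the entry (INT 21/AH=3F with BX=FEB0 returning BX=1212) has to be issued from DOS itself with the virus resident and is not something this script can perform.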
Acknowledgements
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Dmitry O. Gryaznov |
| Documentation by: | Dmitry O. Gryaznov |
| Date: | 1994-06-27 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg