Dec_Year Virus

Alias:	Last_Year, Last_Year.604
Strain:
detected when:
where:
Classification:	File virus(appending COM infector),memory resident
Length:	1.Length (Byte) on storage medium: 604 Bytes 2.Length (Byte) in RAM: 880 Bytes
Preconditions
Operating System(s):	MSDOS
Version/Release:
Computer model(s):	IBM PCs and compatibles
Caroname:	Last_Year
Attributes
Easy identification:	---
Type of Infection:	Self-Identification methods: File infection: infects COM files by appending it's code. For self-identification, tests whether 4th and 5th byte is "88 31". System infection: virus makes itself memory resident via TWIXT method. For self-identi- fication, virus checvks whether 2 bytes before the byte that the INT21 vector points to are "61 6D". Can therefore load more than once if another INT21-hooker intervenes.
Infection Technique:
Infection Trigger:	Finding an executable file and if DS:DX ends in "COM".
Storage Media affected:
Interrupts hooked:	Int 21: functions 4B, 0A, 2A
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:	Permanent Damage: none Transient Damage: INT21 handler subtracts one from the year on INT21/2A (Get Date) calls.
Damage Trigger:	Permanent Damage: none Transient Damage: Always
Particularities:	1) No side effects, except transient damage and usual MCB-munging due to TWIXT method. 2) Virus code is rather explicit in handling (ignoring) write-protect errors in INT 24 handler but coding of INT 21 handler shows some unused flag; potentially more variants are intended.
Similarities:	---
Agents
Countermeasures:	Not tested
Standard means:
Acknowledgements
Location:	IBM High Integrity Computing Lab, Hawthorne N.Y.
Classification by:	David Chess, IBM HICL
Documentation by:	David Chess, IBM HICL (CAROBase entry) Klaus Brunnstein, VTC
Date:	June 24, 1993
Information Source:	Reverse analysis of virus code

Dec_Year Virus

Preconditions

Attributes

Agents

Acknowledgements