| Alias: | |
| Strain: | |
| detected when: | Summer 1993 |
| where: | Sydney University, Australia |
| Classification: | File virus (COM,EXE infector), memory resident, limited stea |
| Length: | 1.Length (Byte) on media: 1465 Bytes 2.Length (Byte) in RAM: |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Little_Red |
Attributes | |
| Easy identification: | |
| Type of Infection: | File infection: Virus infects all files loaded by DOS function 4B ("Load & Execute"), and one COM or .EXE file on each DIR command. Virus increases length of infected files by 1465 bytes. This increase in length is hidden from DIR, but programs which use DOS functions 4E & 4F will reveal the change in length. Top of memory is set down from A000 to 9F30. Encryption: two small sections of virus are encrypted, using a fixed key (easy to detect). Self-Identification in file: System infection: upon starting an infected file, virus makes itself memory resident. Self-Identification in memory: virus uses DOS function 30 (get version) for self-recognition, and returns a particular value if resident. |
| Infection Technique: | |
| Infection Trigger: | Starting an infected program. |
| Storage Media affected: | Disk |
| Interrupts hooked: | |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: No intended permanent damage. Side effects: during test, author experienced damage of COMMAND.COM, thus preventing booting. Transient Damage: no visible messages, but virus contains 2 tunes, with separate triggers: 1) A song named after the town where Mao Tse Tung was born, and 2) a Chinese patriotic song called Dong Fong Hong (or Mao's song); 3) Virus slows systems (disk activities). |
| Damage Trigger: | Permanent Damage: --- Transient Damage: Both tunes are played on a given day, from 1994 onward, starting one hour after virus' activation and then played continuously. Date trigger conditions: 1) Tune #1 is played on each December 26, from 1994 onward; this is Mao's birthday, when it is traditionally sung in China; 2) Tune #2 is played on September 9th, from 1994; on this day, Mao died. |
| Particularities: | Virus author has gone to some trouble to try to make virus inconspicuous until Sept 1994, but the decision to check files accessed by DOS functions 11 & 12 (the old style Find first and find next, used by DIR) causes obvious additional disk activity. In a test on an XT, it took over 5 secs to do a DIR of a disk with 21 files, all infected, whereas this took only 2.1 secs when virus was not active. |
| Similarities: | --- |
Agents | |
| Countermeasures: | |
| Standard means: | Delete infected files and replace with clean ones |
Acknowledgements | |
| Location: | CYBEC Pty, Hampton Victoria/Australia |
| Classification by: | Roger Riordan (riordan.cybec@mhs.oz.au) |
| Documentation by: | Roger Riordan, Klaus Brunnstein (CVC entry) |
| Date: | 31-July-1993 |
| Information Source: | Analysis of Virus |
(c) 1996 Virus-Test-Center, University of Hamburg