Loren Virus

Alias:
Strain:
detected when:Summer 1993
where:Australia (high school)
Classification:File virus (COM,EXE infector), memory resident
Length:1. Length (Byte) on media: 1387 Bytes
2. Length (Byte) in RAM:

Preconditions

Operating System(s):MSDOS
Version/Release:
Computer model(s):IBM PCs and Compatibles
Caroname:Loren

Attributes

Easy identification:

Type of Infection:

… the code to fake file size, so that DIR does not reveal the increase in file length. Due to interception of INT 24, critical errors are not reported. An infected file's date, time & attributes are preserved, and R/O files are infected. Self-Identification in files: virus checks bytes 3 & 4 in COM files, which are set to 52 43 ('RC'); in infected EXE files, the CRC field in the header is set to the sum of the initial CS and IP fields plus 1b3. System infection: when an infected file is run, the virus decodes a block containing the recovery information, and then issues INT 1. If the virus is already active this is intercepted, and the interrupt handler restores the file and runs it. Otherwise the virus reduces the size of the last memory block by 60h paras, and copies itself to offset 40h in the block thus reserved. Self-Identification in memory: test INT 1 values.

Fragment of an accompanying discussion of recovery, whose beginning and end are missing from this copy: "needed to recover affected hard disks, Why? A low-level format is *only* necessary if the address mark info on the disc needs rewriting. Unless the virus actually botches the format of T0 H0 [perhaps by using weird sector numbers, non-standard sector sizes, silly interleave etc.] then simply rewriting the stuff there will always do. FDISK can do that; so can any sector editor. Anyway, if it only formats T0 H0, and cocks it up so it needs re-initialising,"
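The two file self-identification tests above (the 'RC' bytes in COM files and the EXE header checksum relation) are enough for a defender to write a marker check. The following Python script is an added example, not code from the CVC entry or from its authors. It assumes that "bytes 3 & 4" means 0-based offsets 3 and 4 (the two bytes after a 3-byte JMP at the start of a COM file), that the EXE "CRC field" is the MZ header checksum word at offset 0x12 with initial IP at 0x14 and initial CS at 0x16 (standard DOS EXE header layout), and that the sum wraps to 16 bits. The sample files it scans are constructed headers, not real binaries.

```python
"""Marker check for the two Loren file self-identification tests in the CVC entry.

Added example, not part of the catalogue entry. Assumptions not stated there:
  - "bytes 3 & 4" of a COM file are 0-based offsets 3 and 4 (right after a JMP);
  - the EXE "CRC field" is the MZ checksum word e_csum at 0x12, with e_ip at
    0x14 and e_cs at 0x16 (standard DOS EXE header), and the sum wraps to 16 bits.
"""
import struct

COM_MARK_OFFSET = 3        # entry: "bytes 3 & 4 in COM files" (assumed 0-based)
COM_MARK = b"RC"           # entry: set to 52h 43h
EXE_CSUM_DELTA = 0x1B3     # entry: "sum of initial CS and IP fields plus 1b3"
MZ_HEADER_LEN = 0x1C       # smallest header that contains e_csum, e_ip and e_cs


def loren_marker(data: bytes) -> str:
    """Return 'exe' or 'com' if the file carries the matching Loren marker, else ''.

    A hit is a marker match, not proof of infection: a clean EXE whose checksum
    word happens to equal cs+ip+1B3h would also match.
    """
    if data[:2] == b"MZ" and len(data) >= MZ_HEADER_LEN:
        # Little-endian words in header order: checksum, initial IP, initial CS.
        e_csum, e_ip, e_cs = struct.unpack_from("<HHH", data, 0x12)
        expected = (e_cs + e_ip + EXE_CSUM_DELTA) & 0xFFFF   # assumed 16-bit wrap
        return "exe" if e_csum == expected else ""
    if len(data) >= COM_MARK_OFFSET + 2 and \
            data[COM_MARK_OFFSET:COM_MARK_OFFSET + 2] == COM_MARK:
        return "com"
    return ""


def scan_files(files: dict) -> dict:
    """Map file name -> marker type for every file whose marker matches."""
    hits = {}
    for name, data in files.items():
        kind = loren_marker(data)
        if kind:
            hits[name] = kind
    return hits


def build_samples() -> dict:
    """Constructed sample files for exercising the check. They contain no virus
    code, only headers laid out the way the entry describes the markers."""
    def mz_header(e_csum, e_ip=0x0010, e_cs=0x0020):
        hdr = bytearray(MZ_HEADER_LEN)
        hdr[0:2] = b"MZ"
        struct.pack_into("<HHH", hdr, 0x12, e_csum, e_ip, e_cs)
        return bytes(hdr) + b"\xCB" * 8      # RETF padding standing in for code

    return {
        "CLEAN.COM": b"\xE9\x10\x00" + b"\x00\x00" + b"\x90" * 16,
        "MARKED.COM": b"\xE9\x10\x00" + COM_MARK + b"\x90" * 16,
        "CLEAN.EXE": mz_header(e_csum=0x0000),
        "MARKED.EXE": mz_header(e_csum=(0x0020 + 0x0010 + EXE_CSUM_DELTA) & 0xFFFF),
        "TINY.COM": b"\xC3",                 # too short to hold a marker
    }


if __name__ == "__main__":
    for name, kind in sorted(scan_files(build_samples()).items()):
        print(f"{name}: Loren {kind.upper()} marker present")
```

Because the virus is memory resident and fakes file sizes through the hooked INT 21 functions, a check like this belongs on a clean boot; a hit is then handled as the Countermeasures field says, by deleting the file and replacing it with a clean copy.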

Infection Technique:
Infection Trigger:Execution of an infected file, and after infection of memory, any use of INT 21 function 4B00 (Find First/Find Last), e.g. issuing a DIR command.
Storage Media affected:
Interrupts hooked:INT 21 functions 11, 12, 4B00, & B5; INT 24.
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent Damage: Upon trigger condition, virus attempts to format cylinder zero, head zero, on drive C. If this fails, virus then tries drives A, then B. If it succeeds in formatting any drive, it gives a message (see Transient Damage) and then resets the counter.
Transient Damage: if virus succeeded in formatting any drive, it issues the message: "Your disk is formated by the LOREN virus. Written by Nguyen Huu Giap. Le Hong Phong School *** 8-3-1992" Then, the damage counter is set to zero.
Damage Trigger:Permanent Damage: virus counts number of files infected after last boot; upon counter=20, Permanent Damage function is triggered.
Transient Damage: this is triggered upon successful completion of the Permanent Damage.
Particularities:1) As damage counter is reset when virus is loaded into memory, damage function (payload) will only be triggered if 20 files are infected in a single session. This may easily be achieved using multiple DIRs. 2) Message (see Transient Damage) is encrypted.
Similarities:---

Agents

Countermeasures:
Standard means:Delete infected files and replace with clean ones.

Acknowledgements

Location:CYBEC Pty, Hampton Victoria/Australia
Classification by:Roger Riordan <riordan.cybec@mhs.oz.au>
Documentation by:Roger Riordan; Klaus Brunnstein (CVC entry)
Date:31-July-1993
Information Source:Analysis of Virus

(c) 1996 Virus-Test-Center, University of Hamburg