| Alias: | |
| Strain: | |
| detected when: | |
| where: | |
| Classification: | Memory-resident Program Infector (COM) |
| Length: | COM-files: 488 Bytes |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Version 3.30 (all other versions crash) |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | LoveChild |
| Attributes | |
| Easy identification: | The text "(c) Flu Systems (R)" and "LoveChild in reward for software sealing.." can be found at the end of infected COM-files as well as in memory at the address 0:1e0. |
| Type of Infection: | The virus appends itself to the end of COM-files; the first 3 bytes are saved and replaced by its identification-byte ($fb) and a jump; they are restored after the virus has executed. |
| Infection Technique: | |
| Infection Trigger: | Execution of an infected program. |
| Storage Media affected: | |
| Interrupts hooked: | INT 21, functions 4b (open/execute) 3d (open with handle) 56 (rename) 3c (create file) 40 (write to file) are used to infect com-files and for the effects (see: particularities). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | 1) If an EXE-file is write-accessed (INT 21, ah=40), the virus reads a random number and sometimes rewrites the file with a trojan horse. If the trojan is executed, it writes garbage to the harddisk on the first four heads, starting with track 0 and continuing until reset! (for a description of the trojan see the Virus Catalog entry of LoveChild Trojan) 2) If a file is created (INT 21, ah=3c), the virus sometimes (randomly) decides to call INT 21, ah=39 instead, thus creating a subdirectory. 3) If a file which is not a COM-file is opened, renamed or executed (ah=3d/56/4b), the virus sometimes (randomly) calls INT 21, ah=41, thus deleting the entire file. Transient damage: --- |
| Damage Trigger: | 1) Any write-to-a-file operation (e.g. copying) 2) Create-a-file operation 3) Open or execute non-COM-files, or rename a file. A random number is used to decide whether to perform the respective damage or not. |
| Particularities: | Due to an error in the virus, it crashes on all versions other than MS-DOS 3.30; this is probably due to insufficient testing; changing only one byte would allow the virus to run on all available DOS versions. On MS-DOS 3.30, the virus rewrites INT 13; therefore any protection software hooking INT 13 is deactivated. The virus doesn't hook INT 21 directly; it tries to hide by installing a jump to itself within the INT 21 routine. On other DOS versions, the virus hooks the INT 21 vector, but the INT 13 vector is not affected. The virus can always be found at address 0:1e0 in memory; the entry point is 0:2cd. |
| Similarities: | --- |
| Agents | |
| Countermeasures: | Clean v80 by McAfee removes virus, as well as LOVEKILL.EXE by Toralv Dirro. |
| Standard means: | Delete infected files, copy uninfected versions from original write-protected disk. |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Toralv Dirro, Gerald Schrod |
| Documentation by: | Toralv Dirro, Gerald Schrod |
| Date: | 15-July-1991 |
| Information Source: | --- |
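The "Easy identification" and "Type of Infection" fields above give enough to build a simple file-based check for this virus. The following is an added example (not the Virus Test Center's or any named tool's code): it looks for the two marker strings in the last 488 bytes of a COM image and, as a secondary hint, checks whether the file starts with a near JMP (E9 rel16, assumed here since the entry only says "a jump") whose target lands inside the appended 488-byte region. The sample images are constructed and contain no virus code.

```python
import os
import struct

# Marker strings the catalog entry says appear at the end of infected COM-files.
LOVECHILD_MARKERS = (b"(c) Flu Systems (R)",
                     b"LoveChild in reward for software sealing..")
LOVECHILD_LENGTH = 488   # bytes appended to a COM-file per the entry


def lovechild_indicators(data: bytes) -> dict:
    """Heuristic evidence that a COM image carries LoveChild.

    markers      : which of the catalog's text markers occur in the last 488 bytes
    jmp_into_tail: True if byte 0 is E9 (near JMP, an assumption) and the JMP
                   target lies inside the appended 488-byte region.
    """
    tail = data[-LOVECHILD_LENGTH:] if len(data) >= LOVECHILD_LENGTH else data
    found = [m for m in LOVECHILD_MARKERS if m in tail]
    jmp_into_tail = False
    if len(data) >= 3 + LOVECHILD_LENGTH and data[0] == 0xE9:
        rel = struct.unpack_from("<h", data, 1)[0]   # rel16 after the opcode
        target = 3 + rel                             # file offset the JMP reaches
        jmp_into_tail = (len(data) - LOVECHILD_LENGTH) <= target < len(data)
    return {"markers": found, "jmp_into_tail": jmp_into_tail}


def is_lovechild_infected(data: bytes) -> bool:
    # The text markers are the entry's "easy identification"; the JMP is extra.
    return bool(lovechild_indicators(data)["markers"])


def scan_directory(path: str) -> list:
    """Return paths of *.com files under `path` that carry the markers."""
    hits = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.lower().endswith(".com"):
                full = os.path.join(root, name)
                with open(full, "rb") as fh:
                    if is_lovechild_infected(fh.read()):
                        hits.append(full)
    return hits


# Constructed samples (no real virus code): a clean COM (mov ah,4Ch / int 21h
# plus padding) and an "infected" one: JMP over the host into a 488-byte tail
# that holds only NOPs and the two marker strings.
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x90" * 60
_marker_text = LOVECHILD_MARKERS[0] + b"\r\n" + LOVECHILD_MARKERS[1]
_tail = b"\x90" * (LOVECHILD_LENGTH - len(_marker_text)) + _marker_text
INFECTED_COM = (b"\xE9" + struct.pack("<h", len(CLEAN_COM) - 3)
                + CLEAN_COM[3:] + _tail)
```

A live check would also compare the memory address 0:1e0 given in the entry, which a file scanner cannot do; this block only covers the on-disk markers.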
(c) 1996 Virus-Test-Center, University of Hamburg