| Alias: | |
| Strain: | --- |
| detected when: | Early 1995 |
| where: | Japan |
| Classification: | File virus (COM+EXE infector), memory resident |
| Length: | 1,392 Bytes |
| Preconditions | |
| Operating System(s): | MS-DOS > 2.00 |
| Version/Release: | |
| Computer model(s): | IBM PCs |
| Caroname: | New_Year |
| Attributes | |
| Easy identification: | --- Self-recognition in memory: the virus searches all DOS MCB chains, comparing 32 bytes at MCB:66h to Virus:56h; INT 21/2080 -> AH==0 if not found by the compare operation. Self-recognition on disk: the virus checks whether File[EOF-4f6h..EOF-4d5] == Virus[56..75] |
| Type of Infection: | File (COM,EXE) infector, appends itself to file. |
| Infection Technique: | |
| Infection Trigger: | Trigger conditions: Exec and FileLength>=1270 and LengthCOM!=3000 and LengthCOM<61440 and LengthEXE!=20669 and LengthEXE!=24657 and LengthEXE!=48288 and EXE_MinMem!=0 and EXE_MaxMem!=0 and EXE_Overlay==0 and LengthEXE==EXE_ImageSize and EXE_SP>=80h and EXE_SS>ProgramEnd |
| Storage Media affected: | files on disk/diskette |
| Interrupts hooked: | Int 21/4B00, Int 21/11, Int 21/12, Int 21/2080, Int 23, Int 24 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Displays message: "Happy New Year"; text in virus is encrypted. Permanent: --- |
| Damage Trigger: | Transient: Upon executing an infected (COM,EXE) program on Jan. 1-3, every year. Condition: (Month = January) and (DayOfMonth < 4) and Exec. Permanent: --- |
| Particularities: | 1) Although the virus intercepts INT 21/11 and INT 21/12 (FindFirst/FindNext FCB), it does not conceal the size increase of infected files. 2) Potentially, stealth methods might be added in later variants. |
| Similarities: | --- |
| Agents | |
| Countermeasures: | |
| Standard means: | Delete any infected files and replace them with their originals. |
| Acknowledgements | |
| Location: | 1) Jade Virus Lab, Tokyo, Japan 2) VirusLab, S&S International |
| Classification by: | 1) Analysis: Hidenobu Takayanagi 2) CARObase entry: Dmitry O. |
| Documentation by: | 1+2) Hidenobu Takayanagi, Dmitry O. Gryaznov |
| Date: | 1+2) February 16, 1995 3) May 5, 1995 |
| Information Source: | Analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg