| Alias: | |
| Strain: | |
| detected when: | |
| where: | |
| Classification: | File Virus (EXE, COM infector), memory resident |
| Length: | 1. Length on storage media: 1740 Bytes (appended) 2. Length in memory: 3082 Bytes |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | Release 2.x and above |
| Computer model(s): | IBM compatibles |
| Caroname: | Nguyen |
Attributes | |
| Easy identification: | 1) Texts "Hacker: NGUYEN HIEU VINH" and "South of Viet Nam" can be found near end of an infected file ($200 bytes offset approx). 2) Infected files have date/time: 8.8.88, 8.08. 3) If virus is resident, chkdsk or mem will report 3082 bytes less total memory than expected. |
| Type of Infection: | EXE-files: standard ways of infecting EXE-files. COM-files: standard appending method. |
| Infection Technique: | |
| Infection Trigger: | Virus will become resident when an infected program is executed. After becoming resident, every file executed via INT 21, AH=4B (Load and Execute) will be infected. |
| Storage Media affected: | |
| Interrupts hooked: | INT 21, INT 24 (only during infection), INT 1C (see particularities). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: If file is created or opened to Read Only, depending on random choice, virus overwrites file from beginning with text "Hacker: NGUYEN HIEU VINH |
| Damage Trigger: | Permanent Damage: Creating or opening a file with Read-Only attribute will trigger the damage function when virus is resident. Permanent/Transient Damage: given number of infections AND detection of files starting with "AV", "VD" and "LF". Transient Damage: Given number of infections. |
| Particularities: | 1) The file date/time stamp is used as infection flag, with Date/Time=8.8.88, 8.08 indicating infection by this virus. 2) After a given number of total infections, if a file is executed whose name starts with "AT", "VD", "LF" its execution will be denied; this may be intended as attack on some AV software. Then a message will be written that you should not use "ATV, VDW and LF to kill me!!!". Virus also seems to trash INT 1B vector on this occasion (ctrl-break-check). 3) After a given number of total infections, virus will additionally hook INT 1C and after some time will display the text "DBSoft-Do…n Th…n T£ l… 1 ke tr“m cap software. He's a professional thief..." on screen's first line (writing directly to the screen, not caring about the actual videomode). 4) Infected files will be shown with their normal length in a directory if virus is resident. 5) Virus does not check length of COM files before infection, which may result in COM files with length > 64 kBytes which cannot be executed after infection. |
| Similarities: | --- |
Agents | |
| Countermeasures: | At publication time, no AV product detects or cleans this virus successfully. |
| Standard means: | Delete and replace infected files. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Toralv Dirro |
| Documentation by: | Toralv Dirro |
| Date: | 31-July-1993 |
| Information Source: | Reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg
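
A triage check built from the indicators in the "Easy identification" row, added here as an example and not code from the Virus Test Center. It assumes both marker texts lie within the last 1740 bytes (the appended length) and that "8.8.88, 8.08" means 8 August 1988, 08:08 local time; the function names are hypothetical.

```python
import os
import time

# Indicators taken from the "Easy identification" row of this entry.
MARKERS = (b"Hacker: NGUYEN HIEU VINH", b"South of Viet Nam")
TAIL_WINDOW = 1740  # appended virus length; assumption: both texts lie within this tail
FLAG_STAMP = (1988, 8, 8, 8, 8)  # assumption: "8.8.88, 8.08" means 8 Aug 1988, 08:08
COM_LIMIT = 65536  # "length > 64 kBytes": COM file the entry says no longer executes


def tail_markers(data):
    """Return the marker texts found in the last TAIL_WINDOW bytes."""
    tail = data[-TAIL_WINDOW:]
    return [m.decode("ascii") for m in MARKERS if m in tail]


def has_flag_stamp(mtime):
    """True if the modification time equals the infection-flag date/time."""
    t = time.localtime(mtime)
    return (t.tm_year, t.tm_mon, t.tm_mday, t.tm_hour, t.tm_min) == FLAG_STAMP


def assess(name, data, mtime):
    """Combine both indicators into a verdict for one file."""
    hits, stamp = tail_markers(data), has_flag_stamp(mtime)
    if hits and stamp:
        verdict = "likely infected"
    elif hits or stamp:
        verdict = "suspicious"  # one indicator alone can be coincidence
    else:
        verdict = "no indicator"
    broken = name.upper().endswith(".COM") and len(data) > COM_LIMIT
    return {"verdict": verdict, "markers": hits, "stamp": stamp, "oversized_com": broken}


def scan(root):
    """Assess every .COM/.EXE file below root; yields (path, result) for hits."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith((".COM", ".EXE")):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                data = fh.read()
            result = assess(name, data, os.path.getmtime(path))
            if result["verdict"] != "no indicator":
                yield path, result
```

Run `scan()` against a mounted disk image or a system booted from clean media: the entry notes that a resident copy shows infected files with their normal length in a directory, so results from a running infected system are not trustworthy.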