Dudley Virus

Alias:
Strain:
detected when:
where:
Classification:Polymorphic File (COM, EXE) Infector, Memory resident
Length:1. Length (Byte) on medium: 1153 Bytes (mod 16); 2. Length (Byte) in RAM: 4608 Bytes

Preconditions

Operating System(s):MSDOS
Version/Release:
Computer model(s):IBM PCs and compatibles
Caroname:No_Frills.Dudley

Attributes

Easy identification:None (polymorphic)

Type of Infection:

Self-Identification methods: File infection: infects COM and EXE files by appending itself. Self-recognition in files: the virus checks whether EXE_Checksum==5045h or COM_start==7100h. System infection: becomes memory resident by the TWIXT method. For self-recognition in memory, the virus checks for specific content in the AX register upon invocation of INT 21.

Infection Technique:
Infection Trigger:Special values in registers upon INT 21 execution
Storage Media affected:
Interrupts hooked:INT 21 functions 4B00h, 3Dh, 56h, 6Ch, 5454h
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent Damage: none; Transient Damage: none
Damage Trigger:Permanent Damage: none; Transient Damage: none
Particularities:1) The virus contains a text which is not displayed: "<[Oi Dudley!][PuKE]>". 2) The virus contains code that attempts to avoid infecting a file with a name matching ????SC??.???, but it has a bug.
Similarities:---

Agents

Countermeasures:Not tested
Standard means:

Acknowledgements

Location:IBM High Integrity Computing Lab, Hawthorne N.Y.
Classification by:David Chess, HICL
Documentation by:David Chess (CAROBase entry) Klaus Brunnstein, VTC Hamburg (
Date:March 10, 1993
Information Source:Reverse analysis of virus code

(c) 1996 Virus-Test-Center, University of Hamburg