| Alias: | |
| Strain: | |
| detected when: | |
| where: | |
| Classification: | Polymorphic File (COM,EXE) Infector,Memory res. |
| Length: | 1.Length (Byte) on medium: 1153 Bytes (mod 16) 2.Length (Byte) in RAM: 4608 Bytes |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and compatibles |
| Caroname: | No_Frills.Dudley |
Attributes | |
| Easy identification: | None (polymorphic) |
Type of Infection: | Self-Identification methods: File infection: infects COM and EXE files by appending itself. Self recognition in files: virus checks whether EXE_Checksum5045h or COM_start==7100h. System infection: becomes memory resident by TWIXT method. For self-recognition in memory, virus checks for a specific content in AX register upon invocation of INT 21. |
| Infection Technique: | |
| Infection Trigger: | Special values in registers upon INT 21 execution |
| Storage Media affected: | |
| Interrupts hooked: | INT 21 functions 4B00h, 3Dh, 56h, 6Ch, 5454h |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: none Transient Damage: none |
| Damage Trigger: | Permanent Damage: none Transient Damage: none |
| Particularities: | 1) Virus contains a text which is not displayed: "<[Oi Dudley!][PuKE]>" 2) Virus contains code that attempts to avoid infecting a file with name ????SC??.???, but it has a bug. |
| Similarities: | --- |
Agents | |
| Countermeasures: | Not tested |
| Standard means: | |
Acknowledgements | |
| Location: | IBM High Integrity Computing Lab, Hawthorne N.Y. |
| Classification by: | David Chess, HICL |
| Documentation by: | David Chess (CAROBase entry) Klaus Brunnstein, VTC Hamburg ( |
| Date: | March 10, 1993 |
| Information Source: | Reverse analysis of virus code |
(c) 1996 Virus-Test-Center, University of Hamburg