| Alias: | 4711, 765 |
| Strain: | |
| detected when: | --- |
| where: | --- |
| Classification: | Program virus, resident COM infector |
| Length: | 765 bytes added to COM files |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.0 and up |
| Computer model(s): | Any IBM-compatibles |
| Caroname: | Perfume.765.B |
Attributes | |
| Easy identification: | Contains in one version the following strings: "G-VIRUS V2.0",0Ah,0Dh, "Bitte gebe den G-Virus Code ein : $" |
Type of Infection: | The virus makes itself resident and intercepts INT 21 upon subfunction 4Bh (load+execute); virus TSR tries to infect the loaded file by appending itself to it. Infectable files have extension COM and are less than FC00h (64512d) bytes long. |
| Infection Technique: | |
| Infection Trigger: | Loading of a file triggers infection mechanism. |
| Storage Media affected: | |
| Interrupts hooked: | INT 21 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | A password is demanded after an infected file has been invoked more than 80 times. Initial message is the first string given above. If the given password is not "4711" (name of a well known German perfume), the virus will display the second message and terminate the program. In the hacked version of the virus, all messages have been zeroed out including the termination characters ("$") which causes the virus to output its code as text till the first $-character. Also the input buffer size for the password iterrogation has been zeroed which causes unpredictable results upon entry of too many characters. |
| Damage Trigger: | |
| Particularities: | Under a rare circumstance, the virus can produce a variant of itself which won't be able to identify itself and thus will infect a file more than once; this is one of several bugs in the virus. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Micro-BIT Virus Center RZ Universitaet Karlsruhe |
| Classification by: | Christoph Fischer |
| Documentation by: | Christoph Fischer |
| Date: | 14-April-1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg