| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | EXE-infector |
| Length: | 679 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | Cannot work as is, unless a really contorted Int21 handler i |
| Computer model(s): | PCs |
| Caroname: | PS-MPC (ARCV-8) |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus appends itself to the files. Self-recognition on disk: Initial_SP == 2B2Bh |
| Infection Technique: | |
| Infection Trigger: | (search current directory including system and hidden files) |
| Storage Media affected: | |
| Interrupts hooked: | (24) (see COMMENTS: ) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | the virus uses variable encryption with a variable decryptor, but the decryptor can be detected with a wildcard string. |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - |
| Damage Trigger: | Transient: - Permanent: - |
| Particularities: | The virus is not memory resident. The virus uses a special coding style to fool most disassemblers. The virus disables INT 1 and INT 3. The virus uses INT3 for some of its functions (???). Displayed text (encrypted): "Naughty, Naughty... ARCV Productions Ltd." Not displayed text (encrypted): "Apache Warrior, ARCV Pres." The virus patches its code to install the Int24 handler so that it simply terminates instead via Int21;ax=4C00. If it doesn't terminate, the code to find the first *.exe file is patched so that it writes the displayed text to the screen instead. If it ever gets to actually infecting a file, the code to patch the EXE header is patched so that a HLT and an INT3 instruction is executed instead. There is no Int3 handler installed by the virus. If it ever gets round to appending the virus to the file, the virus is first patched back to its previous condition (before it patched itself). None of the obfuscation of arcv-5 or arcv-7 is present. All the patches except the restoral of the original virus are done by code inserted immediately before each patch location. |
| Similarities: | PS-MPC (ARCV-7), PS-MPC (ARCV-5), PS-MPC (ARCV-1) |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 22.7.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg