| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector |
| Length: | NONE |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | PS-MPC.Joshua |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus appends itself to the files Selfrec on disk: File[1] == (word) COM_size-968 || EXE_SP == 5353h |
| Infection Technique: | |
| Infection Trigger: | Ext in {"EXE","COM"} && COM_name[5] != "ND" &&32768 > COM_size%64k > 0FB80h |
| Storage Media affected: | |
| Interrupts hooked: | 24 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - |
| Damage Trigger: | Transient: - Permanent: - |
| Particularities: | The virus is not memory resident. Displayed text: (enclosed in box graphic characters instead of ascii)"+---------------------------------------- -----------+| Guess what ??? || You have been victimized by a virus!!! Do not || try to reboot your computer or even turn it || off. You might as well read this and weep! |+---------------------------------------------- -----+"; Encrypted Not displayed text: "[Joshua]"; Encrypted The wrong conditional is used in testing the size of COM files.The intended maximum COM filesize would seem to have been 0FB80h.Infection is first tried in the current directory, and if that failsparent directories are tried all the way down to the root ifnecessary. In each directory, "EXE" is tried before "COM". |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Adam David, Frisk Software International |
| Documentation by: | Adam David, Frisk Software International |
| Date: | 20.6.93 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg