Reverse.A

Alias:Red_Spider
Strain:Reverse strain
detected when:
where:
Classification:COM and EXE infector, resident
Length:61 paragraph(s)

Preconditions

Operating System(s):MS-DOS
Version/Release:
Computer model(s):PC's
Caroname:Reverse.A

Attributes

Easy identification:

Type of Infection:

Appending, uses DOS file length to position virus.
COMMAND.COM: The virus overwrites a constant data area of the file.
Bootsector infection.
Selfrec in memory: INT 21h/DCBAh => AX=ABCDh
Selfrec on disk: File[12h..13h] {checksum in .EXE files} = ABCDh

Infection Technique:
Infection Trigger:Load&Exec, FileOpen, GetSetAttrib, Rename
INFECTION_CRIT: Filelength >= 2000, COMlength < 63500, EXElength <= 512K, EXEloadSize = EXEfileSize, Filename <> "NCMAIN.EXE", File[2Ch..2Fh] <> "Sell"
Storage Media affected:
Interrupts hooked:INT 21h/4B00h, 21h/43h, 21h/56h, 21h/3Dh, 21h/DCBAh, 23h (during infection), 24h (during infection)
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Transient: None Permanent: None
Damage Trigger:Transient: None Permanent: None
Particularities:shrinks the current MCB, and creates a new MCB in the released space - copying the original MCB marker.
None
Not displayed text: "Red Spider Virus created by Garfield from Zielona Gora in Feb 1993", "moc.dnammoc", "exe.niamcn" (all encrypted)
A regular fast infector with one point of interest: when infecting COMMAND.COM, the virus writes its body starting not at the end of the file but at a point 3C0h bytes *back* from the end of the file, where most versions of COMMAND have a bunch of zero bytes. Under DOSes such as DR-DOS 6.0, where COMMAND.COM is actually a misnamed .EXE file, such infection is a bad idea.
Similarities:

Agents

Countermeasures:
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:Paul Ducklin
Documentation by:Paul Ducklin
Date:
Information Source:Caroentry (autom.converter by S.Freitag)

(c) 1996 Virus-Test-Center, University of Hamburg