Runtime Virus

Alias:Runtime-err412
Strain:---
detected when:July 1993
where:USA
Classification:File virus (COM, COMMAND.COM infector)
Length:1.Length (Byte) on media: 365 Bytes 2.Length (Byte) in RAM: 0 (not memory resident)

Preconditions

Operating System(s):MSDOS
Version/Release:MSDOS >= 3.0
Computer model(s):IBM PCs and Compatibles
Caroname:RunTime

Attributes

Easy identification:Text in virus code: "Runtime error 412"

Type of Infection:

File infection: virus infects COM files, including COMMAND.COM. To hide itself against detection (stealth), it restores original time and date stamps to files after infection. Self-Identification in files: code intends to check for initial NEAR CALL (0eh), doesnot work. System infection: not memory resident. Self-Identification in memory: ---

Infection Technique:
Infection Trigger:Upon execution of an infected file
Storage Media affected:Disk and diskette
Interrupts hooked:None
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent Damage: no intended permanent damage. Side effect: Uncontrolled file growth due to multiple infections. Transient Damage: 1) Hangs system occasionally on trigger conditions. 2) Displays message "Runtime error 412" followed by possible garbage.
Damage Trigger:Permanent Damage: --- Transient Damage: 1) On Fridays before 11:00 AM if clock @ 40:06Ch >0b0h. 2) Execution of infected file.
Particularities:Virus cannot infect read-only files.
Similarities:---

Agents

Countermeasures:At publication date, virus was not detected by tested scanners (VIRx,McAfee's Scan,F-Prot, IBM anti-virus, and TBscan602).
Standard means:Delete infected files and replace with clean ones.

Acknowledgements

Location:Stiller Research, Tallahassee Florida
Classification by:Wolfgang Stiller
Documentation by:Wolfgang Stiller (CAROBase entry) Klaus Brunnstein (Virus Ca
Date:6-July-1993
Information Source:Reverse analysis of virus code

(c) 1996 Virus-Test-Center, University of Hamburg