| Alias: | Shira-2048, 2Kb |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 8336 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | |
| Computer model(s): | PCs |
| Caroname: | Shira |
Attributes | |
| Easy identification: | |
| Type of Infection: | COM: The virus overwrites the beginning of the file, appending the overwritten part after the end of the file. EXE: Appending, uses DOS file length to position virus. Selfrec in memory: {If the virus is resident and an INT21/1900 happens, it compares the caller with itself, and if it's the virus calling it passes control back to the host rather than the virus. So when the virus runs it first does an INT21/1900, which doesn't return if the virus is already resident.} INT21/1900 => runs host. Selfrec on disk: 0x28 words at start (COM) or end-2048 (EXE) == virus startup code. |
| Infection Technique: | |
| Infection Trigger: | (INT21/4B00) and (Length>2048) |
| Storage Media affected: | |
| Interrupts hooked: | 21/11, 21/12, 21/4e, 21/4f, 21/4b00, 21/19, 09, 1C |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - |
| Damage Trigger: | Transient: - Permanent: - |
| Particularities: | Shrinks the current MCB, and creates a new MCB in the released space - copying the original MCB marker. If CapsLock and NumLock and ScrollLock and Insert are on, and control-alt-w is pressed, the virus will cause the system to beep. Not displayed text: "Producted by Mr.Watshira Sae-eu KMIT-NB Date 12/28/1990 BIOS"; Encrypted. The very odd coding style (routines tend to start at round offsets like 0500, 0740, 0770, with zero padding in between) suggests that the virus may have been written by hand in DEBUG or something. The INT1C (timer exit) handler is used to constantly re-encrypt a second copy of the virus with new keys, for no apparent reason (this second copy is used when infecting; perhaps it was the best random-number generator the author could think of). The INT09 handler is used to make c-a-w beep if all locks are on (hand test for infection!). This CAROBASE entry is hereby placed into the public domain. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | David M. Chess, HICL |
| Documentation by: | David M. Chess, HICL |
| Date: | 1994/04/13 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg