| Alias: | |
| Strain: | --- |
| detected when: | Summer 1993 |
| where: | Melbourne, Australia |
| Classification: | File virus (COM infector), memory resident, variably encrypted |
| Length: | 1. Length (Byte) on media: 971 Bytes; 2. Length (Byte) in RAM: 2016 Bytes |
Preconditions | |
| Operating System(s): | MSDOS |
| Version/Release: | |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Skater.1021 |
Attributes | |
| Easy identification: | Virus is variably encrypted, no signature possible (after decryption, text may be identified) |
| Type of Infection: | File infection: COM files are infected upon opening (INT 21/3D) or loading for execution (INT 21/4B), if not too short (<50) or too long (>64,303). Upon detecting a not yet infected COM file of proper size, the virus appends its code at the end and restores the date, time and attributes previously saved. The length of COM files increases by 971 bytes. Self-Identification in files: Stealth: Virus is variably encrypted. The virus intercepts the DOS functions OpenFile and Load&Execute, and it saves date & time attributes, to avoid detection. System infection: When an infected COM file is executed, the virus, after decryption, first tries to make itself memory resident, using a non-standard DOS function; if not yet resident, the virus loads itself to top-of-memory, reducing available memory by 2016 bytes. Self-Identification in memory: checking the register value of an undocumented DOS function. |
| Infection Technique: | |
| Infection Trigger: | Executing an infected file, or (when virus is memory resident) invoking DOS functions Open File or Load&Execute, as long as 50 |
| Storage Media affected: | |
| Interrupts hooked: | INT 21/3D (OpenFile), INT 21/4B (Load&Execute) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: No intended permanent damage. Transient Damage: The following text is displayed at the screen's bottom, with the nominal height of the screen reduced to 21 lines (with an unusual screen function), so that this message remains at the screen's bottom also upon scrolling: "I love Tonya Harding, The best womens Figure Skater in history. Now Tonya, Do that triple axle and kick Kristi Yamaguchi's arse - Australian Parasite -" |
| Damage Trigger: | Permanent Damage: --- Transient Damage: Upon each invocation of INT 21, a counter is incremented; if this reaches 30,000, the display is triggered. |
| Particularities: | The message contains many names, which may cause some AV authors to choose different names for the virus (most probably "Australian Parasite"). |
| Similarities: | --- |
Agents | |
| Countermeasures: | |
| Standard means: | Delete infected files and replace with clean ones. |
Acknowledgements | |
| Location: | CYBEC Pty, Hampton Victoria/Australia |
| Classification by: | Roger Riordan <riordan.cybec@mhs.oz.au> |
| Documentation by: | Roger Riordan; Klaus Brunnstein (CVC entry) |
| Date: | 31-July-1993 |
| Information Source: | Analysis of Virus |
(c) 1996 Virus-Test-Center, University of Hamburg