| Alias: | |
| Strain: | Skew strain |
| detected when: | |
| where: | |
| Classification: | COM-infector, resident |
| Length: | 458 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PC's |
| Caroname: | Skew.458 |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus appends itself to the files Selfrec in memory: [0:200]-[0:201] = E9,10 Selfrec on disk: File[2] = FFFF |
| Infection Technique: | |
| Infection Trigger: | ( Exec or ( Open and FileName = *.com { lower case } ) )and FileLength>2048 |
| Storage Media affected: | |
| Interrupts hooked: | 21/4B, 1C, 24 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | - |
| Encoding Method: | |
| Damage: | Transient: - Permanent: - { see COMMENTS } |
| Damage Trigger: | Transient: - Permanent: - { see COMMENTS } |
| Particularities: | The virus resides in the interrupt vector table. The virus resides at the memory address: 0:200 The virus was intended to have a PERMANENT_DAMAGE,even two: a) when a file with an extension differentfrom '.com' (case sensitive!) is being opened, thevirus checks its internal counter and if it is less than32567 overwrites one byte at offset 2 in the file;b) when an EXE file is being opened/executed the viruschecks its internal counter and if it is less than 1000trashes drive C: via INT 26 - first 9 sectors (Boot andFAT) are overwritten.However, the internal counter is set to FFFF and is neverchanged - so, the virus never triggers. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Dmitry O. Gryaznov |
| Documentation by: | Dmitry O. Gryaznov |
| Date: | 1994-01-17 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg