| Alias: | Saddam Virus |
| Strain: | |
| detected when: | 1-October-1989 |
| where: | BBS in Israel |
| Classification: | COM file infecting virus/extending, resident. |
| Length: | 919 bytes appended (CBh+2CCh) |
Preconditions | |
| Operating System(s): | |
| Version/Release: | |
| Computer model(s): | IBM PC,XT,AT and compatibles |
| Caroname: | Stupid.919.Quiet.A |
Attributes | |
| Easy identification: | Memory: INT 6Bh points to original INT 21h. (see Particularities [4]) .COM files: The encrypted message; to decrypt the string, add 6 to each char; the terminating char is 24h before adding 6. The name of the infected file is stored with the virus. (name is stored at infection time; later renaming will not be recognized!) |
| Type of Infection: | System: The virus copies itself to high memory at the address [0:413]*40h-867h. The virus does not diminish the memory size by what is written in [0:413], nor will DOS regard that area as used; therefore, big programs may hang the system. .COM files: Extends .COM files; appends 919 bytes to the end of the file. .EXE files: Not infected. |
| Infection Technique: | |
| Infection Trigger: | Several file services of INT 21h |
| Storage Media affected: | |
| Interrupts hooked: | INT 21h, INT 6Bh. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Displays the message: "HEY SADAM"{LF}{CR} "LEAVE QUEIT BEFORE I COME" (wrong syntax) |
| Damage Trigger: | Counts the number of infections; on every 8th infection, the string will be displayed. |
| Particularities: | 1. Many programs load themselves into the high-memory area the virus occupies and therefore erase the virus from memory. 2. The virus uses INT 6Bh as a replacement for the original INT 21h. 3. The virus infects only files in the current directory. 4. If the disk is write-protected, the message from DOS about write protection will be displayed when the virus tries to spread. 5. The virus will not be able to change files that have the Read-Only attribute set. |
| Similarities: | |
Agents | |
| Countermeasures: | F-Prot 1.13 RESIDENT PART ONLY: identifies the virus as The Stupid Virus and does not let the program get into memory. |
| Standard means: | |
Acknowledgements | |
| Location: | |
| Classification by: | Baruch Even (NYEVENBA@WEIZMANN.BITNET) Matthias Jaenichen, V |
| Documentation by: | Matthias Jaenichen, VTC-Hamburg |
| Date: | 5-October-1990 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg
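
The .COM identification rule under "Easy identification", as an added example that is not part of the VTC catalog entry: a Python check that looks for the encoded start of the message in the last 919 bytes of a file and decodes it up to the raw 24h terminator. The function names and the sample file bytes are constructed for illustration, and the exact byte layout of the message inside the virus body is an assumption.

```python
from typing import Optional

# Values taken from the catalog entry above.
VIRUS_LEN = 919        # bytes appended to the end of an infected .COM file
SHIFT = 6              # stored byte + 6 = displayed character
TERMINATOR = 0x24      # raw terminator byte, tested before adding 6
MARKER = b"HEY SADAM"  # start of the displayed message


def encode(plain: bytes) -> bytes:
    """Form in which the message is stored: each character minus 6."""
    return bytes((b - SHIFT) & 0xFF for b in plain)


def decode_from(data: bytes, start: int) -> Optional[bytes]:
    """Add 6 to each byte from `start` until the raw terminator is met."""
    out = bytearray()
    for b in data[start:]:
        if b == TERMINATOR:
            return bytes(out)
        out.append((b + SHIFT) & 0xFF)
    return None  # no terminator found: not a complete message


def scan_com(data: bytes) -> Optional[bytes]:
    """Return the decoded message if the encoded marker lies in the
    appended region (the last 919 bytes of the file), else None."""
    tail_start = max(0, len(data) - VIRUS_LEN)
    pos = data.find(encode(MARKER), tail_start)
    return None if pos < 0 else decode_from(data, pos)


# Constructed sample data (not bytes from a real specimen).
MESSAGE = b"HEY SADAM\n\rLEAVE QUEIT BEFORE I COME"
STORED = encode(MESSAGE) + bytes([TERMINATOR])
HOST = b"\x90" * 64 + b"\xc3"  # stand-in for a clean .COM program
TAIL = b"\x00" * 100 + STORED + b"\x00" * (VIRUS_LEN - 100 - len(STORED))
SAMPLE_INFECTED = HOST + TAIL

if __name__ == "__main__":
    print(scan_com(SAMPLE_INFECTED))  # decoded message
    print(scan_com(HOST))             # None
```

Restricting the search to the final 919 bytes follows from the entry's statement that the virus appends itself to the end of the file; a match elsewhere in a file is not reported.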