| Alias: | Susan |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | EXE-infector |
| Length: | 864 |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | DOS>=3.30 (Bug: Checks for DOS 3.03) |
| Computer model(s): | PC's |
| Caroname: | Su |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus overwrites part of the file, destroying it. Selfrec in memory: INT 2Fh;AX=010Fh -> AX=CS:[0103h]="Su". Selfrec on disk: FileTime.Seconds=1Fh |
| Infection Technique: | |
| Infection Trigger: | (A single "DIR" issued) and (FindFirst -> DTA=uninfected .EXE file) |
| Storage Media affected: | |
| Interrupts hooked: | 2F/10F, 2F/AE00, 2F/AE01 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Virus overwrites part of the infected file on infection. Transient: None. Permanent: Infected files are overwritten and destroyed. Permanent: Deletion of all files in current directory. |
| Damage Trigger: | Transient: None. Permanent: See INFECTION_TRIGGER. Permanent: 16 infections since activation. |
| Particularities: | None. Displayed text: "Bad command or file name". Not displayed text: "Susan", "*.*", "*.EXE", "DIR". This virus does not hand control over to the infected program; instead it terminates with the aforementioned message. It uses INT 21;AX=5D00h to delete files. The hooked interrupts (AH=0AEh) are reportedly called by COMMAND.COM just before executing commands from the keyboard. |
| Similarities: | None |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Snorre Fagerland |
| Documentation by: | Snorre Fagerland |
| Date: | 1993-04-28 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg