| Alias: | |
| Strain: | Advent/Macho/Syslock family |
| detected when: | July 1989 (?) |
| where: | USA |
| Classification: | Program Virus (postfix) |
| Length: | 3550-3560 (dec) bytes appended on paragraph boundary |
Preconditions | |
| Operating System(s): | MS/PC-DOS |
| Version/Release: | 3.00 and upwards |
| Computer model(s): | All IBM PC compatibles. |
| Caroname: | SysLock.SysLock |
Attributes | |
| Easy identification: | Any string "MICROSOFT" is replaced with "MACROSOFT". |
Type of Infection: | The virus infects both COM and EXE files. EXE files: the virus checks the checksum in the EXE header for 7CB6h, in which case no infection will occure. COM files: are checked by looking for the string 39,28,46,03,03,01 (hex) at offset 10h. The virus is not RAM resident, therefore it will only infect when the host is run. It infects by searching through the directories on the current drive and randomly choosing files and directories to infect or search. It will not infect any other drive than the current one. It will infect COMMAND.COM. |
| Infection Technique: | |
| Infection Trigger: | Virus will infect any time it is run. |
| Storage Media affected: | All disks that are addressable using standard DOS functions. |
| Interrupts hooked: | --- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Will replace any occurance of "MICROSOFT" with "MACROSOFT". It does this by using the DOS (not BIOS) interrupts 25h and 26h, and searching the disk from beginning to end, sector by sector. It tries 20h sectors at a time, and stores the last sector infected in the file "\DOS\KEYB.PCM", which is marked "system" and "hidden". After reaching the last sector, it will start from the beginning again. |
| Damage Trigger: | Every time the host is run, after 1-Jan-1985. |
| Particularities: | The virus checks for the environment variable "SYSLOCK=@" (therefore its name), in which case it will not infect. The virus is encrypted using a variable key. The functions of DOS interrupts 25h and 26h have been changed in DOS 4.0. |
| Similarities: | See Macho virus documentation |
Agents | |
| Countermeasures: | Use the environment variable described above as a first aid measure only. Here's one of the few strings that can safely be searched for: 50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,E1, 8A,C1,33,06,14,00,31,04,46,46,E2,F2,5E,59 This string will however identify Advent and Macho as well. - ditto - successful.. For proper treatment, my antivirus "NTISYSL" is highly recommended (in all humility). Treatment by hand is very tedious and only for experts. |
| Standard means: | Booting from a write-protected disk and restoring all COM and EXE files from the original disks is the only way. |
Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, FRG |
| Classification by: | Morton Swimmer |
| Documentation by: | Morton Swimmer |
| Date: | 1-Dec-1989 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg