| Alias: | D2D, Tai_Pan.666, 666 |
| Strain: | Tai-Pan virus strain |
| detected when: | |
| where: | |
| Classification: | EXE-infector, memory resident |
| Length: | 720 bytes (=704 bytes code, 16 bytes for MCB) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models |
| Computer model(s): | PCs |
| Caroname: | Tai-Pan.666 |
Attributes | |
| Easy identification: | --- |
| Type of Infection: | File infection: Appends itself to file. Uses DOS file length to position virus. Selfrec in memory: INT_21;AX=7BCF -> AX=7BCF. Selfrec on disk: EOF - Entry point = 666. |
| Infection Technique: | |
| Infection Trigger: | (Exec) and (MZ) and (LengthEXE <= 64768) and (entrypoint != filelength - 0x29A) |
| Storage Media affected: | disk/diskette |
| Interrupts hooked: | Int 21/4B00 (infection), Int 21/7BCF (selfID) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | --- |
| Encoding Method: | |
| Damage: | Transient/Permanent: --- (no intentional damage) |
| Damage Trigger: | Transient/Permanent: --- |
| Particularities: | 1) Virus makes itself memory-resident via TSR. 2) Virus contains the following texts (not displayed): "DOOM2.EXE", "Illegal DOOM II signature", "Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2", "Say bye-bye HD", "The programmer of DOOM II DEATH is in no way affiliated with ID software.", "ID software is in no way affiliated with DOOM II DEATH." These texts are stored in the following manner: 'DOOM2.EXE', 0, 'Illegal DOOM II signature', 0Dh, 0Ah, 'Your version of DOOM2.EXE matches the illegal RAZOR release of DOOM2', 0Dh, 0Ah, 'Say bye-bye HD', 0Dh, 0Ah, 'The programmer of DOOM II DEATH is in no way affiliated with ID software.', 0Dh, 0Ah, 'ID software is in no way affiliated with DOOM II DEATH.', 0Dh, 0Ah. 3) Despite the text contained in the virus, it has no payload whatsoever; the virus does nothing but spread. |
| Similarities: | Tai-Pan virus strain: see Tai-Pan.953 virus |
Agents | |
| Countermeasures: | AVP |
| Standard means: | Delete infected files and replace them with original program. |
Acknowledgements | |
| Location: | IBM High Integrity Computing Lab (HICL), NY/USA December 15, |
| Classification by: | Marian Kassovic, David M. Chess, IBM HICL |
| Documentation by: | Marian Kassovic, David M. Chess, IBM HICL |
| Date: | January 30, 1995 |
| Information Source: | CaroBase entry, converted: S.Freitag VTC Hamburg |
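
The on-disk self-recognition rule above ("EOF - Entry point = 666", i.e. entrypoint = filelength - 0x29A) can be checked from the MZ header alone. The following is an added example, not part of the catalog entry: it assumes "entry point" means the file offset of the initial CS:IP, the function names are hypothetical, and the sample files are constructed, zero-filled headers. A match shows only the marker the virus itself tests for and should be confirmed with a scanner.

```python
import struct

MARK_DISTANCE = 0x29A  # 666 bytes, from the entry's "EOF - Entry point = 666"


def mz_entry_offset(data):
    """File offset of the initial CS:IP of a DOS MZ executable, else None."""
    if len(data) < 0x18 or data[:2] != b"MZ":
        return None
    (hdr_paras,) = struct.unpack_from("<H", data, 0x08)  # header size, 16-byte units
    ip, cs = struct.unpack_from("<HH", data, 0x14)       # initial IP, then initial CS
    # CS is relative to the load image; real-mode addresses wrap at 1 MiB,
    # which is how a header with CS=0xFFF0, IP=0x0100 points at image offset 0.
    return hdr_paras * 16 + ((cs * 16 + ip) & 0xFFFFF)


def has_taipan666_marker(data):
    """True when the entry point lies exactly 666 bytes before end of file."""
    entry = mz_entry_offset(data)
    if entry is None or entry >= len(data):
        return False  # not MZ, truncated header, or entry outside the file
    return len(data) - entry == MARK_DISTANCE


def build_sample(total_len, cs, ip, hdr_paras=2):
    """Constructed test input: zero-filled MZ file with header fields only."""
    buf = bytearray(total_len)
    buf[0:2] = b"MZ"
    struct.pack_into("<H", buf, 0x08, hdr_paras)
    struct.pack_into("<HH", buf, 0x14, ip, cs)
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "plain host (constructed)": build_sample(2000, 0, 0),
        "entry 666 before EOF (constructed)": build_sample(2666, 0, 1968),
        "wrapped CS:IP, 666 before EOF (constructed)": build_sample(698, 0xFFF0, 0x0100),
        "entry beyond EOF (constructed)": build_sample(100, 0, 5000),
    }
    for name, blob in samples.items():
        print(f"{name}: marker={has_taipan666_marker(blob)}")
```
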
(c) 1996 Virus-Test-Center, University of Hamburg