| Alias: | 3066 |
| Strain: | Traceback |
| detected when: | June 1989 |
| where: | --- |
| Classification: | Program extending, RAM-resident |
| Length: | .COM and .EXE files increased by 3066 bytes. |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | TraceBack.3066 |
Attributes | |
| Easy identification: | Typical text in Virus body (readable with hex-dump-utilities): 1. "VG1" in the data area of the virus 2. "VG1" is found at offset of near-jmp- displacement if program is a .COM file. 3. The complete name of the file, which infected the currently loaded file, is in the code. 4. Search .COM or .EXE files for the hex-string: 58,2B,C6,03,C7,06,50,F3,A4,CB,90,50,E8,E2,03, 8B (the last 16 bytes of an infected program). |
Type of Infection: | System: infected if signature string "VG1" is found in specific location in memory. .COM files: program length increased by 3,066 bytes if it is infected. Infects files up to 62,218 bytes. The first byte of an infec- ted file is a near-jump (E9h,XXh,YYh) to the virus code; program is infected if the string "VG1" is at offset (viruscode_entry)-03h. .Com files are infected only once. .EXE files: program length increased by 3066 bytes string "VG1" is used for identification. .EXE files are infected only once. |
| Infection Technique: | |
| Infection Trigger: | Programs are infected the first time the virus is run, and at load time (using the function Load/Execute (4Bh) of MS-DOS). |
| Storage Media affected: | |
| Interrupts hooked: | INT 21h, INT 1Ch, INT 09h, INT 20h, INT 27h, (INT 24h only during infection of a file). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient Damage: One hour after system infection, the characters will fall down the screen. Af- ter 1 minute, screen is automaticly restored. During damage, INT 09h will be hooked. Characters typed during damage will move "fallen-down" characters back to their start position. Damage repeats every hour. Permanent Damage: --- |
| Damage Trigger: | Every time an infected file is run, system date is checked; apart from diverse conditions before Dec.28 1988, the relevant routine checks: If (system date >= 28th of December 1988) then "cascade damage" (same as Autumn Virus). |
| Particularities: | - The virus infects all files, which will be loaded via INT 21h (function 04Bh, including .EXE, .COM and other files as .APP(GEM),.OVL). - Some files will not run after infection. |
| Similarities: | There are some variants of this virus. |
Agents | |
| Countermeasures: | NTI3066.EXE is an antivirus that only looks for the Traceback-3066 Virus and, if requested, will restore the file. |
| Standard means: | Notice file-length and search after the strings. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Stefan Tode |
| Documentation by: | Stefan Tode |
| Date: | 5-June-1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg