| Alias: | Uruguvau1 |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 4752 bytes {1290h = 129h paragraphs} resident in memory; infected files grow by ~94Fh bytes (see the comparison table under Particularities) |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | All models {Some infected files hang after invocation. Maybe |
| Computer model(s): | PC's |
| Caroname: | Uruguay-#1 |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus appends itself to the end of the file (see Particularities). Self-recognition in memory: INT_21 with AX=3032h and DX=1234h; a resident copy answers with AX=5678h. |
| Infection Technique: | |
| Infection Trigger: | (Exec or (Open and (*.COM or *.EXE))) and (Size>200h and Size= |
| Storage Media affected: | |
| Interrupts hooked: | 011321/4B0021/3D00242A {only to restore control over INT_21 if lost} |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | The virus uses variable encryption with a variable decryptor, so the appended body carries no constant byte pattern. |
| Encoding Method: | |
| Damage: | Transient: the virus displays the text given under Particularities, character by character, using DOS service INT_21/AH=2. The printout is delayed and takes a few seconds; it is accompanied by random musical tones whose pitch is calculated from the ASCII code of each printed character. Permanent: - |
| Damage Trigger: | Transient: ExecInfected and (byte[0:46C]=0), i.e. the low byte of the BIOS timer tick counter at 0000:046Ch is zero when an infected program is executed (roughly a 1-in-256 chance per execution). Permanent: - |
| Particularities: | The virus resides above the last MCB. |
| | Displayed text (stored encrypted in the virus body): "The BEATLEMANIA is alive! THE BEATLES, for ever, the best. John, Paul, George and Ringo, ladies and gentlemen, here they are! PLEASE, PLEASE ME. WITH THE BEATLES. A HARD DAY'S NIGHT. BEATLES FOR SALE. HELP. RUBBER SOUL. REVOLVER. SGT.PEEPERS LONELY HEARTS CLUB BAND. THE BEATLES. YELLOW SUBMARINE. ABBEY ROAD. LET IT BE. MAGICAL MISTERY TOUR. Other LP and singles available... Virus 'Uruguay-#1' Programmed in Montevideo (URUGUAY) by F3161. 03/92. This is a research virus - DO NOT DISTRIBUTE." |
| | Infected EXE files are turned into COM-format images: the virus code is appended in encrypted form to the end of the file, and the file now starts with a 3-byte JMP (E9 offset) to the virus decryptor. |
| | When an infected program receives control, the virus copies itself to the segment at the top of usable conventional memory and shrinks the memory available to DOS. On a 640K machine the code segment of the resident copy is easily calculated: MEMORY_SIZE = 129h paragraphs, so CS = A000h - 129h = 9ED7h. If UMBs are in use the top paragraph is 9FFFh rather than A000h, giving CS = 9FFFh - 129h = 9ED6h. |
| | After decrypting its body the virus restores the first 3 bytes of the infected file and, if the file was an EXE, performs the needed relocations itself; the code is then moved down in memory, since the EXE header is no longer needed. |
| | The virus intercepts DOS INT_21 not through the interrupt vector table but by overwriting the start of the DOS INT_21 service routine (in the DOS segment) with a FAR JMP to the viral code. |
| | The virus uses the file size as its infection marker: a file infected with Uruguay-#1 always has a size divisible by 13h. |
| | For a comparison of the Uruguay viruses see the following table (all values hexadecimal): |
| Virus | Date | Code size, bytes | MEMORY_SIZE, para | Infectable file size | File growth | Head size | Stealth | Warm reboot | Memory slices |
| #1 | 03/92 | 938 | 129 | >200, <=F400 | ~94F | 3 | - | - | 0 |
| #2 | 04/92 | 8F6 | 120 | >200, <=EC00 | ~91E | 3 | - | - | 0 |
| #3 | 06/92 | 996 | 140 | >200, <=F400 | | | | | |
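The static markers above (file size in the infectable range, size divisible by 13h, a leading E9 JMP into the appended tail, and an EXE-named file that has lost its MZ header) can be turned into a triage check for suspect files, and the segment arithmetic for the resident copy can be reproduced the same way. The script below is an added example, not code from the VTC entry or from the virus; the sample images are constructed inline (the appended "body" is stand-in bytes, not real code), and the bound used for the JMP-target check (the last ~94Fh bytes plus up to 12h bytes of padding) is an assumption derived from the file-growth figure in the table. Only the resident INT_21/AX=3032h self-recognition call gives an exact answer; everything here is heuristic.

```python
"""Static triage for the Uruguay-#1 markers given in this entry.
Added example, not VTC or virus code; sample files below are constructed."""
import struct
from typing import List, Optional

MIN_SIZE = 0x200            # infection trigger: Size > 200h
MAX_SIZE = 0xF400           # ... and Size <= F400h (comparison table)
SIZE_MODULUS = 0x13         # infected files always have a size divisible by 13h
FILE_GROWTH = 0x94F         # ~94Fh bytes appended (comparison table)
MEMORY_SIZE_PARAS = 0x129   # 129h paragraphs = 4752 bytes resident


def virus_segment(top_segment: int, paras: int = MEMORY_SIZE_PARAS) -> int:
    """Segment the resident copy lands in: top of usable conventional memory
    minus the virus size in paragraphs (A000h -> 9ED7h, 9FFFh -> 9ED6h)."""
    return (top_segment - paras) & 0xFFFF


def jmp_target(data: bytes) -> Optional[int]:
    """File offset reached by a leading E9 rel16 (COM image loaded at CS:100h):
    the JMP occupies offsets 0..2, so the target is 3 + rel16 (mod 64K)."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<H", data, 1)[0]
    return (3 + rel) & 0xFFFF


def triage(data: bytes, name: str = "") -> List[str]:
    """Return the markers from the description that this file image matches."""
    size = len(data)
    hits = []
    if MIN_SIZE < size <= MAX_SIZE:
        hits.append("size in infectable range")
    if size % SIZE_MODULUS == 0:
        hits.append("size divisible by 13h")
    target = jmp_target(data)
    # Assumption: the entry JMP lands in the appended region, i.e. within the
    # last ~94Fh bytes plus at most 12h bytes of padding to a multiple of 13h.
    tail_start = size - (FILE_GROWTH + SIZE_MODULUS - 1)
    if target is not None and tail_start <= target < size:
        hits.append("entry JMP into appended tail")
    if name.upper().endswith(".EXE") and data[:2] not in (b"MZ", b"ZM"):
        hits.append("EXE without MZ header (converted to COM-style image)")
    return hits


def build_sample(original: bytes, body_len: int = 0x938) -> bytes:
    """Constructed sample laid out as the entry describes: original program,
    appended body (stand-in bytes), padding to a multiple of 13h, and the first
    3 bytes overwritten with a JMP to the start of the appended body."""
    body = bytes((i * 37 + 11) & 0xFF for i in range(body_len))
    image = bytearray(original + body)
    while len(image) % SIZE_MODULUS:
        image.append(0)
    image[0:3] = b"\xe9" + struct.pack("<H", (len(original) - 3) & 0xFFFF)
    return bytes(image)


# Constructed 300h-byte COM program (mov ah,4Ch / int 21h, then NOP filler).
CLEAN = b"\xb4\x4c\xcd\x21" + b"\x90" * (0x300 - 4)
INFECTED = build_sample(CLEAN)

if __name__ == "__main__":
    print("clean:   ", triage(CLEAN, "TEST.COM"))
    print("infected:", triage(INFECTED, "TEST.COM"))
    print("resident CS: %04X (640K) / %04X (UMB linked)"
          % (virus_segment(0xA000), virus_segment(0x9FFF)))
```

The constructed infected image is 3135 bytes (768 + 938h, padded by 7 bytes to a multiple of 13h), and its JMP lands at offset 300h, the first byte of the appended body; the clean image trips only the size-range check, which on its own is meaningless.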
| Similarities: | Uruguay-#2, Uruguay-#3, Uruguay-#4, Uruguay-#5, Uruguay-#6, Uruguay-#7, Uruguay-#8 |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Igor G. Muttik |
| Documentation by: | Igor G. Muttik |
| Date: | 1994-01-31 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg