1260 Virus

Alias:Variable, Chameleon, Camouflage, Stealth, V2P1
Strain:distantly related to Vienna strain
detected when:
where:
Classification:Program Virus with direct action, COM infector
Length:1260 Bytes

Preconditions

Operating System(s):MS-DOS
Version/Release:2.xx and upwards
Computer model(s):IBM PC's and compatibles
Caroname:V2Px.V2P1

Attributes

Easy identification:The seconds field of the timestamp of any infected program will be 62 seconds.

Type of Infection:

Program virus with direct action. It only in- fects files with COM extension. It replaces first 3 bytes with a jump to the virus.

Infection Technique:
Infection Trigger:Execution of an infected file
Storage Media affected:The virus will infect any COM file in the current directory.
Interrupts hooked:INT 1 and INT 3 while virus is executing
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:transient: --- permanent: ---
Damage Trigger:
Particularities:The actual virus code is encrypted once over the whole code, and various single bytes are also encrypted throughout the virus. These bytes are decrypted prior to exec- ution, using its INT 3 (break point) routine to decrypt, and its INT 1 (trace) routine to encrypt. The encryption routine used to decrypt the entire virus is obscur- red by the addition of irrelevant instruc- tions and by scrambling the order of the instructions from infection to infection. As a consequence of this stealth technique, it is not possible to extract any scan string from this virus at all.
Similarities:The virus is similar to Vienna virus, but highly modified, to contain the encryption methods described above.

Agents

Countermeasures:
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Morton Swimmer
Documentation by:Morton Swimmer
Date:12-February-1991
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg