| Alias: | |
| Strain: | |
| Detected when: | Early August 1989 |
| Where: | University of Cologne, West Germany |
| Classification: | File virus/resident with update facility |
| Length: | Length added to a COM-type file: 1206-1221 bytes. Length added to an EXE-type file: 132 bytes, and then as for a COM-type file. |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | --- |
| Computer model(s): | IBM-PC, XT, AT, PS/2 and compatibles |
| Caroname: | Vacsina.TP-05 |
Attributes | |
| Easy identification: | The string 'VACSINA' appears in the virus code. The last 4 bytes of an infected file are F4 7A 05 00. Memory location 0000:00C5 contains 7F 39 05 when VACSINA is resident. The bytes 05 00 at the end of the file and the 05 in memory at 0000:00C7 are version numbers of VACSINA (see below). |
| Type of Infection: | VACSINA installs a TSR that traps INT 21H function 4BH (load & execute). Every file that is loaded via this function will be infected (provided some constraints are met, see below). VACSINA checks the version number (current is 0005) and will remove earlier versions of itself and substitute the newer virus code! |
| Infection Technique: | |
| Infection Trigger: | Executing an uninfected file after an infected file was used. |
| Storage Media affected: | Any file loadable via INT 21H function 4BH that starts with either E9H (jump) or 'MZ' (EXE header). This includes COM, EXE, OVL, and APP (GEM) files. Files with the leading E9 must be bigger than 1206 and smaller than 62867. Files with an EXE header must not be bigger than 64947 for the 132-byte loader attachment; after that they have to meet the constraints of an E9H-headed file. |
| Interrupts hooked: | INT 21H (function 4BH), INT 24H. The INT 31 table entry is used as the VACSINA present flag. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | After a successful infection of a COM-type file a beep (DOS BELL) is issued. NO OTHER PAYLOAD! This looks like test code for the infection mechanism. |
| Damage Trigger: | The beep is triggered when a COM-type file is successfully infected. |
| Particularities: | Probably a test version that escaped prematurely, since there is no payload, a beep when infecting another file, and some incomplete code sections. The virus opens a file 'VACSINA' and closes it after a while, never writing to or reading from it. The return codes of the open and close operations are ignored. The words for vaccine are written with two Cs in all languages that use Latin letters except for Norwegian (they write vaksine). The virus has an update facility and will replace old versions with new versions of itself! |
| Similarities: | --- |
Agents | |
| Countermeasures: | ANTI-VD of the MVC (University of Karlsruhe) detects and removes the virus from any file. EXE-headers are reconstructed! |
| Standard means: | The DEL command after booting from a clean system disk. |
Acknowledgements | |
| Location: | Micro-BIT Virus Center, University of Karlsruhe, West Germany |
| Classification by: | C. Fischer, T. Boerstler, R. Stober |
| Documentation by: | C. Fischer, T. Boerstler, R. Stober |
| Date: | Nov. 13, 1989 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg
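
A static check built from the "Easy identification" and "Storage Media affected" fields above, as an added example that is not part of the original catalogue entry and is not ANTI-VD's method. Reading the trailing 05 00 as a little-endian version word, the function and sample names, and the version-4 trailer in one sample are assumptions; all samples are constructed, inert bytes.

```python
import struct

MARKER = bytes.fromhex("F47A")   # first two of the four trailing bytes in the entry
ENTRY_VERSION = 5                # trailing "05 00" read as a little-endian word (assumption)
NAME = b"VACSINA"                # string the entry says is in the virus code
MIN_ADDED = 1206                 # smallest length the entry says is added to a file


def inspect_file_image(data: bytes) -> dict:
    """Evaluate the entry's static indicators against one file image."""
    if data[:1] == b"\xE9":
        host = "E9"              # COM-type file starting with a jump
    elif data[:2] == b"MZ":
        host = "MZ"              # file with an EXE header
    else:
        host = None              # the entry lists no other infectable file start

    marker = len(data) >= 4 and data[-4:-2] == MARKER
    version = struct.unpack("<H", data[-2:])[0] if marker else None
    name = NAME in data

    if host and marker and name and version == ENTRY_VERSION and len(data) > MIN_ADDED:
        verdict = "match"        # every indicator from the entry agrees
    elif marker or name:
        verdict = "partial"      # one indicator alone can be coincidence: review by hand
    else:
        verdict = "no-match"
    return {"host": host, "marker": marker, "version": version,
            "name": name, "verdict": verdict}


def constructed_samples() -> dict:
    """Inert byte strings built for this example; none contains any virus code."""
    filler = b"\x90" * 1300
    return {
        "all_indicators": b"\xE9\x00\x00" + filler + NAME + bytes.fromhex("F47A0500"),
        "older_trailer": b"MZ" + filler + NAME + bytes.fromhex("F47A0400"),  # hypothetical version 4
        "name_only": b"\xE9\x00\x00" + b"see VACSINA entry" + filler,
        "unrelated": b"\xE9\x00\x00" + filler,
    }


if __name__ == "__main__":
    for label, image in constructed_samples().items():
        print(label, inspect_file_image(image))
```

A "partial" result is kept separate from "match" because a text file that merely mentions the name, or a binary that happens to end in F4 7A, would otherwise be reported as infected.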