| Alias: | |
| Strain: | |
| detected when: | August 1989 |
| where: | University of Cologne, FRG |
| Classification: | Link-virus (extending), RAM- resident |
| Length: | .COM files: program length increases by 1206-1221 bytes .EXE files: program length increases by 132 bytes |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | Vacsina.TP-04 |
Attributes | |
| Easy identification: | 1. Typical texts in Virus body (readable with HexDump-facilities): "VACSINA" in data area of the virus. 2. The length of an infected file is increased. 2. The date/time of the last program modification is different between an infected program and its original version. |
Type of Infection: | System: infected if the segment:offset of INT31h points to 0539h:7fxxh. .Com files: with a program length of 1207-62866 bytes will be infected if the first instruc- tion is a JMP_DISP_16 (Opcode E9) and the program length increases by 1206-1221 bytes. The last 4 bytes are 0F4h,07Ah,005h,000h (identification); therefore, a .COM file will not be infected more than once. .EXE files: with a program length up to 64946 bytes will not be infected, but converted in a COM-format and the program length increases by 132 bytes. The virus adds code to the EXE-file that is able to relocate the file while loading it. If a converted EXE-file is started again in an infected system, it will be infected like a COM-file. |
| Infection Technique: | |
| Infection Trigger: | Programs are infected when they are run (using the function Load/Execute of Ms-Dos). |
| Storage Media affected: | |
| Interrupts hooked: | INT21h, INT24h (only while infecting a file). INT31 (identification that system is infected) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient damage: every time a file is infected, the loudspeaker will beep. |
| Damage Trigger: | --- |
| Particularities: | The date/time of the last program modification will not be restored. |
| Similarities: | |
Agents | |
| Countermeasures: | Category 3: ANTIVACS.EXE (VTC Hamburg) |
| Standard means: | --- |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Michael Reinschmiedt |
| Documentation by: | Michael Reinschmiedt |
| Date: | January 3, 1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg