Virus Construction Language (VCL)

Alias:
Strain:---
detected when:---
where:---
Classification:Virus Authoring Package: generates file (COM,EXE) infectors
Length:---

Preconditions

Operating System(s):MS-DOS
Version/Release:Version 2.x and above
Computer model(s):IBM PC, XT, AT and higher, and compatibles
Caroname:VCL

Attributes

Easy identification:(depends on generated virus)

Type of Infection:

EXE-files: Overwriting or Companion
COM-files: Overwriting or Appending

Infection Technique:
Infection Trigger:(depends on generated virus)
Storage Media affected:(depends on generated virus)
Interrupts hooked:---
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:The following types of transient or permanent damage can be implemented in all classes of viruses and trojans generated:
1) Beep a desired number of times.
2) Change size of RAM available under 1 meg.
3) Clear the screen.
4) Cold reboot of the system.
5) Corrupt files, using a random encryption.
6) Disable a parallel port.
7) Disable the Print Screen key.
8) Disable a serial port.
9) Display a string on the screen.
10) Drop a program into a file.
11) Delete files.
12) Lock up the computer.
13) Send a value to a port.
14) Send random values to all ports.
15) Play a tune / sound effects.
16) Send a string to the printer.
17) Switch to ROM BASIC (if available).
18) Send a string to a serial port.
19) Swap two parallel ports.
20) Swap two serial ports.
21) Trash one or more drives (starting with the highest drive).
22) Uncrunch and display a run-length encoded ANSI string.
23) Warm reboot.
It is possible to implement any other routine as transient or permanent damage.
Damage Trigger:The condition can be chosen from the following menu:
1) Country code (DOS).
2) Kind of CPU installed in the computer.
3) Day / Month / Year / Weekday.
4) DOS version.
5) Amount of EMS.
6) Number of floppy drives.
7) Number of game ports.
8) Hour / Minute / Second.
9) Number of parallel ports.
10) Amount of RAM.
11) Random.
12) BIOS rollover flag (indicates whether the computer has been on for 24 hours continuously or not).
13) Number of serial ports.
14) All files infected.
15) Is 4DOS installed?
The condition can be chosen freely, and the trigger may be set for each damage routine individually, depending on whether conditions are true or false, or whether relations (equal, greater, less) hold. Various conditions can be combined.
Particularities:
1) VCL Toolkit also offers the opportunity to build Trojans and Logic bombs with all possibilities as described above.
2) VCL Toolkit offers the feature to use encryption for Viruses and Trojans but not for Logic bombs. The encryption method is a simple XOR with variable key and 2 slightly different routines (use of di/si).
3) It is also possible to install a trace-stopper, but it should stop no longer than 5 min.
4) The infection rate of created viruses can also be modified.
5) Generated viruses can search for their victims in the current directory, the whole directory tree, the path, or only the first file, depending on the user.
Similarities:
1) Some parts of the code are stolen from various other sources.
2) Among others, the following viruses generated with VCL have appeared: CodeZero, Diarrhea, Diarrhea II, Diogenes, Donatello, Earth_Day, Enun, Kinison, Mimic, Pearl_Harbour, VMessiah, Venom, Yankee.A, Yankee.B.
The following trojan developed with VCL has appeared: Richards.

Agents

Countermeasures:(depends on virus and AV product)
Standard means:Delete and replace infected files.

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Toralv Dirro
Documentation by:Toralv Dirro
Date:25-February-1993
Information Source:Original virus analysis

(c) 1996 Virus-Test-Center, University of Hamburg