VCS V1.3 Virus

Alias: Virus-Construction-Set V1.3, VCS1.3.RUF
Strain: VCS Virus Strain
detected when: March 1992
where: Bulletin Board, Hamburg, Germany
Classification: Clone of VCS V1.0 Virus; Program Virus, direct action; overw
Length: Increase of file length: 1077 bytes

Preconditions

Operating System(s): MS/PC-DOS
Version/Release:
Computer model(s): on IBM PC compatibles with CPU > 8086.
Caroname: VCS.Ruf

Attributes

Easy identification: Files containing C350h at offset 03h regarded as infected (self identification).
Search string at offset 00h: E8 14 00 8A 9C 2F 05 8D BC 20 01 B9 0F 04 89 FE

Type of Infection: same as VCS V1.0

Infection Technique:
Infection Trigger: same as VCS V1.0
Storage Media affected:
Interrupts hooked: ---
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: same as VCS V1.0
Damage Trigger:
Particularities: same as VCS V1.0
Similarities: 1) Virus is similar to VCS 1.0 virus and uses the same code, except for the encryption routine.
2) VCS 1.3 is a patched version of VCS 1.0. It was created by someone who calls himself "Hanswurst".
3) The text strings of VCS.EXE are also patched. The following strings can be found in VCS.EXE: "(C) 1991 by VDV, 1992 by Hanswurst", "Virus Construction Set V1.3, gepatcht", " von Hanswurst 1992"

Agents

Countermeasures: Search string at offset 00h of virus: E8 14 00 8A 9C 2F 05 8D BC 20 01 B9 0F 04 89 FE
- ditto - successful: Tode's NTI-VCS.EXE is an antivirus that only looks for VCS viruses, and if requested will restore the file.
- ditto - unsuccessful: Presently, no AV product identifies VCS V1.3.
Standard means: Notice file length. Use ReadOnly attribute.

Acknowledgements

Location: Virus Test Center, University Hamburg, Germany
Classification by: Stefan Tode
Documentation by: Stefan Tode
Date: 21-July-1992
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg