VDV-853 Virus

Alias:
Strain:VCS Virus Strain
detected when:December 1991
where:Hamburg, Germany
Classification:Program (COM) infector, encrypted, appending, direct action
Length:on media: 853 bytes

Preconditions

Operating System(s):MS/PC-DOS 2.x upwards
Version/Release:
Computer model(s):All IBM PC/AT compatibles with CPU > 8088.
Caroname:VCS.VDV-853

Attributes

Easy identification:---

Type of Infection:

Self-identification: files containing C350h at offset 03h are regarded as infected. EXE files: no infection. COM files: are infected only once. Files are selected at random in the current directory, or in the root directory and below, and are infected if the word at offset 03h of the file does not contain C350h. File size is increased by 853 bytes. The virus is not RAM resident; files can only be infected when an infected host is started.

Infection Technique:
Infection Trigger:Any time an infected file is run, the virus infects up to 10 files, but only if the INT 26h (=absolute-disk-write-vector) is not hooked.
Storage Media affected:
Interrupts hooked:---
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Permanent damage: when triggered, all files in the root directory will be overwritten with 273 bytes of text including a Christmas tree and message (see Particularities). Transient damage: when the files have been overwritten, the message (see Particularities) will be displayed until a key is pressed.
Damage Trigger:Permanent or transient damage is activated when month of system date = December and day of system date = 24, 25 or 26 (Christmas).
Particularities:1) Virus is encrypted; upon each infection, the encryption key is changed. 2) Virus uses opcode 68h (push constant on stack), which is not defined on 8088 processors, so the virus will not work on such machines. 3) Files with the ReadOnly attribute will not be infected. 4) VDV-853 virus was written by some "Verband Deutscher Virenliebhaber" (=community of German virus lovers). This virus is related to the VCS virus (see Catalog edition July 91) but may have been created before the release of VCS 1.0. The following message can be found in overwritten (damaged) files and will be displayed under damage trigger conditions: "Froehliche Weihnachten wuenscht der Verband Deutscher Virenliebhaber Ach ja, und dann wuenschen wir auch noch viel Spasz beim Suchen nach den Daten von der Festplatte! gez. VDV, Dezember 1990." Translation: "Happy Christmas wishes the community of German virus lovers. Oh yes, and then we wish you a lot of fun searching for your data on your hard disk! Yours VDV, December 1990." On the left side of the message, a stylized Christmas tree is displayed in text graphics.
Similarities:1) Virus is similar to VCS 1.0 virus and uses the same code, except that the damage routine and some address functions are changed. 2) In distinction to VCS 1.0 virus, VDV-853 has no generation counter and a different damage routine. Probably, it was not created with Virus Construction Set 1.0.

Agents

Countermeasures:
- ditto - successful:Solomon's Findviru V4.01 detects as VDV-853. Skulason's F-PROT V2.02 detects as VDV-853. Tode's NTI-VDV.EXE is an antivirus that only looks for VDV-853 virus and, if requested, will restore the original file.
- ditto - unsuccessful:McAfee's Scan version 86b and below
Standard means:Notice file length. Use the ReadOnly attribute, or use FLU-Shot or another program that monitors INT 26h.

Acknowledgements

Location:Virus Test Center, University Hamburg, Germany
Classification by:Stefan Tode
Documentation by:Stefan Tode
Date:31-January-1992
Information Source:

(c) 1996 Virus-Test-Center, University of Hamburg