VVM

Alias:
Strain:-
detected when:
where:
Classification:EXE-infector
Length:300H

Preconditions

Operating System(s):MS-DOS
Version/Release:
Computer model(s):PC's
Caroname:VVM

Attributes

Easy identification:

Type of Infection:

The virus installs itself in the EXE header.
Selfrec in memory: None
Selfrec on disk: Compares

Infection Technique:
Infection Trigger:Int13Read, Int13Write
INFECTION_CRIT: Buffer[0..1] = "MZ", Buffer[2..3] < 007Fh (ie: EXE file under 65024 bytes), Buffer[133h..255h] = all zeros (ie: probably an "empty" relocation table)
Storage Media affected:
Interrupts hooked:13h/02h, 13h/03h
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Transient: Permanent:
Damage Trigger:Transient: Permanent:
Particularities:
Not displayed text: "(C)VVM"

Implements file-level stealth in 205 bytes by operating at sector level. Sector level access is monitored; when an I/O buffer beginning with "MZ" is observed, an .EXE file is assumed to have been observed. The virus then checks that this sector represents an .EXE with a load size below 65024 bytes, and with 205 bytes of zeros at the end of the sector. Usually, this would represent a file with a bunch of unused space in the relocation table -- though no check is made that this area isn't inside the load image.

The file is then converted to .COM, with the 205 bytes of viral code dropped over the previously blank area at the end of the sector, and the first 3 bytes patched to a JMP. On subsequent access to this infected sector, the virus recognises itself by comparing its body with the end of the sector -- and then stealths itself out by overwriting this region with zeros. The patched JMP is stealthed back to the .EXE magic number -- though the third byte of the file is not restored. This may result in problems for files in which knowledge of the original load image size is important for correct operation.

Clearly, this virus is likely to spread quickly -- certainly on program execution, on file copy and file access (eg: by a-v scanner). Because it works below file level, though, it may spread at other times, too (eg: during disc optimisation!). This leads to my "Infectivity" quotient of 6.5...

Thanks to Igor Muttik for his commented debug listing.
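The INFECTION_CRIT and the imperfect stealth described above, turned into sector checks that a scanner reading the disk from a clean boot (int 13h not hooked) could apply. This is an added example, not code from the catalogue or its author. Assumptions: 512-byte sectors; the "EXE under 65024 bytes" test is read as the MZ page-count word at header offset 4 (7Fh pages x 512 = 65024), although the entry writes the operand as Buffer[2..3]; the zero/body region is the last 205 bytes (512 - 205 = 307 = 133h); the patched JMP is assumed to target the start of that region; the sample sectors are constructed.

```python
import struct
from typing import Optional

SECTOR = 512
BODY_LEN = 205                  # size of the viral code per the entry
BODY_OFF = SECTOR - BODY_LEN    # 307 == 0x133 (assumed from "205 bytes at the end")
MAX_PAGES = 0x7F                # 127 pages * 512 = 65024 bytes
MARKER = b"(C)VVM"              # non-displayed string noted in the entry

def susceptible(sector: bytes) -> bool:
    """True if a clean sector meets the virus' INFECTION_CRIT (at risk)."""
    if len(sector) != SECTOR or sector[:2] != b"MZ":
        return False
    pages, = struct.unpack_from("<H", sector, 4)   # assumption: e_cp field
    return pages < MAX_PAGES and not any(sector[BODY_OFF:])

def infected(sector: bytes) -> bool:
    """True if a sector shows the post-infection layout: JMP at offset 0 and a
    non-zero tail carrying the marker. Only meaningful on a raw read from a
    clean boot; the resident virus stealths the tail back to zeros."""
    if len(sector) != SECTOR or sector[0] != 0xE9:
        return False
    tail = sector[BODY_OFF:]
    return any(tail) and MARKER in tail

def residue_byte2(sector: bytes) -> Optional[int]:
    """Byte 2 of an "MZ" sector: after stealth it still holds the high byte of
    the JMP's rel16 operand (BODY_OFF - 3 = 0x130 -> 01h), so a changed
    e_cblp low byte is the trace the entry warns about."""
    return sector[2] if sector[:2] == b"MZ" else None

def constructed_sector(infected_layout: bool) -> bytes:
    """Constructed sample: header claims 3 pages, e_cblp=0x0100, tail zero."""
    buf = bytearray(SECTOR)
    buf[0:2] = b"MZ"
    struct.pack_into("<HH", buf, 2, 0x0100, 3)
    if infected_layout:
        rel16 = BODY_OFF - 3                       # JMP rel16 to the body start
        buf[0:3] = bytes([0xE9, rel16 & 0xFF, rel16 >> 8])
        buf[BODY_OFF:BODY_OFF + len(MARKER)] = MARKER   # placeholder body only
    return bytes(buf)

def stealthed_view(sector: bytes) -> bytes:
    """What the resident virus returns for an infected sector: "MZ" restored,
    tail zeroed, byte 2 untouched."""
    return b"MZ" + sector[2:BODY_OFF] + bytes(BODY_LEN)
```

On the constructed infected sample, `stealthed_view` once again satisfies `susceptible`, while `residue_byte2` reports 01h instead of the original 00h, which is exactly the third-byte damage the entry describes.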
Similarities:

Agents

Countermeasures:
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:Paul Ducklin
Documentation by:Paul Ducklin
Date:
Information Source:Caroentry (autom. converter by S. Freitag)

(c) 1996 Virus-Test-Center, University of Hamburg