| Alias: | |
| Strain: | --- |
| detected when: | April 1993 |
| where: | Kazakhstan |
| Classification: | File Virus (COM,EXE,OVL;DBF infector), memory resident, part |
| Length: | On media: EXE files 1817 (+16) bytes; COM files 1817 (+16)+4 bytes. In RAM: 3648 bytes |
| Preconditions | |
| Operating System(s): | MS-DOS/PC-DOS |
| Version/Release: | MS-DOS/PC-DOS >= 2.0 |
| Computer model(s): | IBM PCs and Compatibles |
| Caroname: | Yankee_Doodle.Warlock |
| Attributes | |
| Easy identification: | --- (File[EOF-4] == 0B0Dh (0Dh, 0Bh)) |
| Type of Infection: | File infection: infects COM and EXE files by appending its code (aligned to a 16-byte address boundary); for COM files the virus adds 4 extra bytes after appending itself. Damages OVL and DBF files (without infecting them). Self-identification in file: checks the bytes before EOF: File[EOF-4] == 0B0Dh (0Dh, 0Bh). System infection: upon starting an infected file, the virus makes itself memory resident (using the TWIXT method). Self-identification in memory: tests an INT 21 register for a given value. An additional check is made by the resident virus: it compares a piece of its code to that of the caller (with a bug). |
| Infection Technique: | |
| Infection Trigger: | Infection occurs if the following condition holds: (Exec OR (Open OR Rename OR ChMod) AND FileExt IN [.EXE, .COM, .OVL, .DBF]) AND (FileName != "COMMAND.COM") AND (LengthCOM > 1024) AND (LengthCOM < 62687) AND (LengthEXE <= EXE_Image_Size (i.e. EXE file is not segmented)) AND (EXE_IP != 0eh (all LZEXE-packed files, in particular the AIDSTEST scanner)) AND (EXE_stack < EXE_Image_Size OR EXE_stack > EXE_Image_Size+72h (a bug - should be 720h)) |
| Storage Media affected: | |
| Interrupts hooked: | INT 21/4B, 21/3D, 21/43, 21/56, 21/D000, 24, 2A |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: 1) First 32 bytes of DBF files are overwritten with 0C3H value. 2) Side Effects: Overlays are damaged, some EXE files won't operate properly - virus body might be overwritten by program's stack. Transient Damage: --- |
| Damage Trigger: | Permanent Damage: 1) File[0]==03 (usually .DBF files signature) and executing or opening or renaming or Get/Set File Attribute of infected file. 2) Executing such OVL or EXE files. Transient Damage: --- |
| Particularities: | 1) The virus contains the following encrypted strings (not displayed): "Revenge of WARLOCK!", "STACK STACK STACK STAC", "COMMAND.COM", "EXE", "OVL", "DBF". 2) For some MS-DOS versions (prior to 4.0), the virus patches the direct DOS entry. Otherwise, it simply intercepts the INT 21 vector. |
| Similarities: | Tunnelling is borrowed from Yankee_Doodle.TP. |
| Agents | |
| Countermeasures: | |
| Standard means: | Delete infected files, replace with clean ones. |
| Acknowledgements | |
| Location: | Program Systems Institute, Russian Academy of Sciences, Pere |
| Classification by: | Dmitry O. Gryaznov |
| Documentation by: | Dmitry O. Gryaznov Klaus Brunnstein (VTC, Virus Catalog entr |
| Date: | 17-July-1993 |
| Information Source: | Reverse analysis of virus code |
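As an added triage example (not part of the VTC catalog entry and not the virus's own code), the following Python script applies the two file-level indicators recorded above: the self-identification word 0B0Dh (bytes 0Dh, 0Bh) at File[EOF-4] in COM/EXE/OVL files, and the 32 bytes of 0C3h at the start of a damaged DBF file. The sample files, the temporary directory and the function names are constructed for illustration; the sample files contain only the marker bytes and filler, no viral code.

```python
"""Triage scanner for the Yankee_Doodle.Warlock file indicators listed in the
catalog entry (added example; sample files are constructed, not real)."""
import os
import struct
import tempfile
from typing import Dict, Optional

MARKER_OFFSET_FROM_EOF = 4          # catalog: File[EOF-4] == 0B0Dh
MARKER_WORD = 0x0B0D                # little-endian word, bytes 0Dh, 0Bh
DBF_DAMAGE_PATTERN = b"\xC3" * 32   # catalog: first 32 bytes of DBF overwritten with 0C3h
TARGET_EXTENSIONS = (".COM", ".EXE", ".OVL")


def has_warlock_marker(data: bytes) -> bool:
    """True if the 16-bit word at EOF-4 equals 0B0Dh (the virus's own
    'already infected' check, so it is also a reliable scan indicator)."""
    if len(data) < MARKER_OFFSET_FROM_EOF:
        return False
    (word,) = struct.unpack_from("<H", data, len(data) - MARKER_OFFSET_FROM_EOF)
    return word == MARKER_WORD


def dbf_is_damaged(data: bytes) -> bool:
    """True if the DBF header has been overwritten with the 0C3h pattern."""
    return len(data) >= 32 and data[:32] == DBF_DAMAGE_PATTERN


def triage_file(path: str) -> Optional[str]:
    """Return 'marker', 'dbf-damaged', or None for one file."""
    ext = os.path.splitext(path)[1].upper()
    with open(path, "rb") as fh:
        data = fh.read()
    if ext in TARGET_EXTENSIONS and has_warlock_marker(data):
        return "marker"
    if ext == ".DBF" and dbf_is_damaged(data):
        return "dbf-damaged"
    return None


def triage_directory(root: str) -> Dict[str, str]:
    """Walk a tree and map relative path -> verdict for every flagged file."""
    findings: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            verdict = triage_file(full)
            if verdict:
                findings[os.path.relpath(full, root)] = verdict
    return findings


def build_sample_tree() -> str:
    """Constructed sample files (hypothetical names, no viral code): only the
    marker word or the damage pattern is placed where the catalog says."""
    root = tempfile.mkdtemp(prefix="warlock_triage_")
    samples = {
        "CLEAN.COM": b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 100,      # no marker
        "MARKED.COM": b"\x90" * 2000 + b"\x0D\x0B\x00\x00",        # 0B0Dh at EOF-4
        "MARKED.EXE": b"MZ" + b"\x00" * 500 + b"\x0D\x0B\xAA\xBB",  # 0B0Dh at EOF-4
        "GOOD.DBF": b"\x03" + b"\x00" * 63,                        # intact header
        "HIT.DBF": DBF_DAMAGE_PATTERN + b"\x00" * 32,              # damaged header
        "NOTE.TXT": b"\x0D\x0B\x00\x00",  # marker bytes, but not a target extension
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, verdict in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{verdict:12s} {rel}")
```

The scanner deliberately keys on the virus's own self-identification check rather than on a code-byte signature: because the resident virus uses that word to skip files it considers already infected, any infected COM, EXE or OVL file carries it, and it can be checked with a 4-byte read from the end of the file. DBF files are reported separately, since the entry records them as damaged rather than infected and they must be restored from backup rather than disinfected.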
(c) 1996 Virus-Test-Center, University of Hamburg