| Alias: | Minnow, Minnow-1 Virus |
| Strain: | Zero-Hunt Virus Strain |
| detected when: | |
| where: | |
| Classification: | Program (COM) infector, but not increasing; stealth, indirect |
| Length: | 1) Length on media: no increase in file length 2) Virus code in memory/inside file: Length (ZeroHunt-411) = 411 bytes; Length (ZeroHunt-415) = 415 bytes; |
| Preconditions | |
| Operating System(s): | MS/PC-DOS 2.x and upwards |
| Version/Release: | |
| Computer model(s): | All IBM PC compatibles. |
| Caroname: | ZeroHunter |
| Attributes | |
| Easy identification: | --- |
| Type of Infection: | EXE files: not infected; COM files: infected only once. Self-identification: files containing F5E9h at the beginning of the file, and memory containing E8h at address 0:021Ch, are regarded as infected. The virus searches for 411/415 bytes (depending on the clone) containing 00h; if found (typically a buffer), the virus copies itself into this part of the file, so the size of infected files does not increase. The virus makes itself RAM resident and copies itself into the interrupt table (in low memory at location 0:021Ch, INT 87h). Files are infected when executed. |
| Infection Technique: | |
| Infection Trigger: | Any file, which is executed via function 4B00h of INT 21h, will be infected, only if 1st byte of file is E9h and if 411/415 bytes containing 00h's are found. |
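An added triage check (not from the catalog entry or the VTC) that evaluates the file-level conditions named above on a COM image: the first byte E9h, the F5E9h self-identification word, and a run of 411/415 zero bytes. It assumes the 00h bytes must be contiguous and that F5E9h is the little-endian 16-bit word at offset 0 (bytes E9 F5); the sample images are constructed.

```python
# Added example, not VTC code: file-level indicators for the ZeroHunt
# infection trigger and self-identification conditions. Because the virus
# is stealth on a live system, run such checks on files read after a clean
# boot. Assumptions: zero bytes are counted as a contiguous run; the marker
# F5E9h is the little-endian word at offset 0.
import struct

ZERO_RUN_LENGTHS = (411, 415)   # body sizes of ZeroHunt-411 / ZeroHunt-415
MARKER_WORD = 0xF5E9            # self-identification word at file start


def longest_zero_run(data: bytes) -> int:
    """Return the length of the longest run of 00h bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


def zerohunt_file_indicators(data: bytes) -> dict:
    """Evaluate the trigger (E9h first byte, room for the body) and marker."""
    starts_with_jmp = len(data) >= 1 and data[0] == 0xE9
    first_word = struct.unpack_from("<H", data)[0] if len(data) >= 2 else None
    zero_run = longest_zero_run(data)
    return {
        "starts_with_jmp": starts_with_jmp,
        "marker_word_present": first_word == MARKER_WORD,
        "longest_zero_run": zero_run,
        # which clone(s) could fit: E9h first byte and a long enough 00h run
        "infectable_by": [n for n in ZERO_RUN_LENGTHS
                          if starts_with_jmp and zero_run >= n],
    }


# Constructed sample images (not real files):
CLEAN_COM = b"\xb8\x00\x4c\xcd\x21"                       # MOV AX,4C00h / INT 21h
CANDIDATE_COM = b"\xe9\x10\x00" + b"\x90" * 16 + b"\x00" * 412 + b"\xc3"
MARKED_COM = b"\xe9\xf5\x01" + b"\x90" * 32 + b"\x00" * 20

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_COM), ("candidate", CANDIDATE_COM),
                      ("marked", MARKED_COM)):
        print(name, zerohunt_file_indicators(img))
```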
| Storage Media affected: | |
| Interrupts hooked: | INT 21h (always pointing to 0:02D5h); INT 24h (during infection); INT 8Bh (points to EE83:019Bh for ZH-411 virus, and to EE83:019Fh for ZH-415 virus). |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | No intentional damage. Side effect: the system or programs may hang if they use the interrupt table as a buffer or if they use interrupts above INT 87h (possibly BASIC or LAN adapters). Moreover, files may get corrupted if one variant tries to infect a file while the other variant is still active in memory: if ZeroHunt-415 is active in memory, 4 bytes of a file infected with ZeroHunt-411 will be corrupted (overwritten with 00h). |
| Damage Trigger: | --- |
| Particularities: | Stealth method: the virus cannot be found in an infected file because it monitors all DOS read-access functions and may tamper with their results (detail: INT 21h function 14h is not monitored), thus removing itself from the data returned for an infected file. The virus may also hook interrupts above 87h (due to the location of the virus). |
| Similarities: | ZeroHunt-411 is an optimized version of ZeroHunt-415; due to this optimization, some code/data differs. |
| Agents | |
| Countermeasures: | |
| Standard means: | Easy disinfection (only while the virus is active in memory, since its stealth read hooks then return the clean file contents): copy all *.COM files to a different extension (e.g. *.MOC), then reboot the system from a clean disk and rename all *.MOC files back to *.COM. |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Stefan Tode |
| Documentation by: | Stefan Tode |
| Date: | 31-January-1992 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg