OS2Vir1 Virus

Alias:40Hex Virus = "First OS/2 virus"
Strain:---
detected when:December 1993
where:Code published by
Classification:File Virus: overwriting EXE files, not Memory-resident
Length:Media: 2,048 bytes

Preconditions

Operating System(s):IBM-OS/2
Version/Release:2.x
Computer model(s):IBM 386+ and compatibles
Caroname:40Hex

Attributes

Easy identification:Readable texts in virus body: "VIRUS" at loc. 01B5h; "*.EXE" at loc. 0404h; "" at loc. 040Bh; "My name is --> infected" at loc. 042Fh

Type of Infection:

Infection Technique:
Infection Trigger:When an infected program is run, all EXE-files in current directory are infected.
Storage Media affected:
Interrupts hooked:--- (not applicable to OS/2)
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Transient damage (screen message): the virus outputs "My name is"+original file-name; then, for each EXE-file in the current directory, it outputs filename+" --> infected", or filename+" " if a program is active. Permanent damage (files on media): infected files are unrecoverably destroyed by being overwritten.
Damage Trigger:Damage is activated at run-time.
Particularities:1) This virus is intended as a demonstration of how to write overwriting file-viruses under OS/2; source code (assembler) published by magazine. 2) As the original code is destroyed by overwriting, it is not possible to disinfect programs. 3) Only EXE-files are infected.
Similarities:--- (first OS/2 virus; similar techniques in DOS)

Agents

Countermeasures:---
Standard means:Delete infected files and replace them with original ones.

Acknowledgements

Location:Virus Test Center, University of Hamburg, Germany
Classification by:Joern Dierks
Documentation by:Joern Dierks
Date:May 5, 1995
Information Source:Analysis of Assembler Source Code

(c) 1996 Virus-Test-Center, University of Hamburg