ry15@rz.uni-karlsruhe.de (Christoph Fischer) (06/03/91)
Hi
here is the preliminary analysis of a new virus (out in the wild)

Name of Virus             V08-15
Alias                     none so far (I hope that stays that way)
Virus family              (to be done)
First occurrence          May 1991, probably around since 1990
Site of first occurrence  Germany
Type of virus             COM and EXE infector, memory resident
Length of virus           1322..1337 (virus is placed on even paragraphs)
Operating system          MS-DOS
Version of OS             3.* and above
Computers                 IBM and compatibles

Direct detection          Answers upon an INT 21 AX=FFFE with AX=0815 if
                          resident.
                          Infected files contain the readable string:
                          'CRITICAL ERROR 08/15: TOO MANY FINGERS ON
                          KEYBOARD ERROR.'
                          EXE-type files are marked infected by 4D54h at
                          offset 12h (that is the EXE header checksum).
                          COM-type files are marked by the same 16-bit
                          value but at offset 3 in file (that is 103h
                          when loaded).

Infection mechanism       The resident virus intercepts INT 21 and infects
                          anything loaded and executed, provided there is
                          enough space on the drive and file is not too
                          big for COM-type files.

Infection targets         Any executable code with and without EXE header

Interrupts                INT 09 (only if triggered)
                          INT 21
                          INT 24 (only during infection)

Payload                   After the 11th of November 1990 the virus will
                          intercept INT 09 and count the keystrokes. If
                          the number of keystrokes reaches 3000 the virus
                          will display the message above and halt the
                          system. Counting starts as soon as the first
                          infected file is started.

Special clues             The number 08/15 refers to the standard rifle
                          used by the Germans in World War II. Today this
                          number is synonymous for the term 'standard' or
                          'plain vanilla'. The 11th of November is the
                          beginning of the carnival season.

Detection                 This is brand new, so use the above mentioned
                          properties till the scanners are updated.

Removal                   Boot from a clean disk and delete or replace
                          infected files.

Analysis                  Christoph Fischer
                          Micro-BIT Virus Center
                          University of Karlsruhe
                          Zirkel 2
                          DW-7500 KARLSRUHE 1
                          Tel.: +721 37 64 22
                          FAX:  +721 32 55 0
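
A file check built on the two file indicators listed under "Direct detection" (the 4D54h marker and the readable string), added here as an example and not part of the original post. It assumes the marker is stored as a little-endian x86 word; the function names and verdict labels are this example's own.

```python
import struct
import sys

MARKER = 0x4D54  # 16-bit infection marker from the analysis
SIGNATURE = b"CRITICAL ERROR 08/15: TOO MANY FINGERS ON KEYBOARD ERROR."
EXE_MARKER_OFFSET = 0x12  # EXE header checksum field
COM_MARKER_OFFSET = 0x03  # 103h once the COM image is loaded


def check_image(data: bytes) -> dict:
    """Evaluate both file indicators on the raw bytes of one file."""
    is_exe = data[:2] in (b"MZ", b"ZM")  # both EXE signatures DOS accepts
    offset = EXE_MARKER_OFFSET if is_exe else COM_MARKER_OFFSET
    marker = False
    if len(data) >= offset + 2:
        # Assumption: the marker is stored as a little-endian word.
        marker = struct.unpack_from("<H", data, offset)[0] == MARKER
    string = SIGNATURE in data
    if marker and string:
        verdict = "infected"
    elif marker or string:
        # A 16-bit marker alone can occur by chance; the string alone may
        # be a text file or a scanner's own signature table.
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"type": "EXE" if is_exe else "COM", "marker": marker,
            "string": string, "verdict": verdict}


def scan(paths):
    """Return (path, result) for every file named in paths."""
    results = []
    for path in paths:
        try:
            with open(path, "rb") as fh:
                results.append((path, check_image(fh.read())))
        except OSError as exc:
            results.append((path, {"verdict": "unreadable", "error": str(exc)}))
    return results


if __name__ == "__main__":
    for path, result in scan(sys.argv[1:]):
        print(f"{result['verdict']:11} {path}")
```

Run it from a clean boot against copies of the executables; a "suspicious" result means only one of the two indicators matched and the file needs a manual look.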