csas400@vax1.mankato.msus.edu (01/23/91)
Hello,
I'm new to this group and I'm not familiar with the protocols for
announcing the discovery (sic) of a new virus... but here goes anyway.
Virus attributes:
1. IBM pc/xt/at/ps2
2. Changes files date/time.
3. Changes files size.
   filename       noVir      Vir   Difference
   command.com    37637    39223         1586
   simcity.exe   191845   193431         1586
   share.exe      10301    11879         1578
4. Hooks the following interrupts:
   22H  Terminate      xxxx:0147
   24H  Critical err   xxxx:05BF
   2EH  Execute cmd    xxxx:02B8
   FFH  User def.      0002:F000
5. Due to the interrupts it attaches to, during any program
   termination, disk error, or DOS command the virus
   finds the first *.com or *.exe file in the directory
   not yet attacked and attaches itself; it also checks to see
   if it's active in memory and, if not, installs itself.
6. Attaches to .com and .exe (.bin not tested)
7. Can be identified in executables with following hex codes.
0E B0 00 E6 20 B8 24 35 CD 21 (taken from virus)
If someone (reputable [i.e. has written vir.pro. programs before]) would like
to tackle this hobby of killing and detecting this virus, I'll send you a
copy.
Better yet, if someone has already done so, TELL ME WHERE TO FIND IT. I'm
desperate for a solution; deletion is (to me) not a good solution.
Jeffrey E. Hundstad
AS/400 System Administrator
Mankato State University
j3gum@vax1.Mankato.MSUS.EDU
CSAS400@vax1.Mankato.MSUS.EDU
vax1.Mankato.MSUS.EDU (134.29.1.1)

frisk@rhi.hi.is (Fridrik Skulason) (01/26/91)

csas400@vax1.mankato.msus.edu writes:

> 3. Changes files size.
>    filename       noVir      Vir   Difference
>    command.com    37637    39223         1586
>    simcity.exe   191845   193431         1586
>    share.exe      10301    11879         1578

From this information it is clear the length of the virus is not 1586
bytes, nor 1578, but rather 1575 bytes. The reason is as follows. In
almost all cases, a variable length increase means the virus first pads
the program to make the length a multiple of 16 bytes, before appending
the virus. Assuming this is the case, we get

                before padding   after padding   after infection   difference
   command.com          37637           37648             39223         1575
   simcity.exe         191845          191856            193431         1575
   share.exe            10301           10304             11879         1575

A side effect is that disinfectors may not be able to restore infected
files 100% - they may contain 1-15 garbage bytes at the end, after the
virus has been removed. This will not affect the operation of the program
in any way, unless it does a check of its own integrity.

> If someone (reputable [i.e. has written vir.pro. programs before]) would like
> to tackle this hobby of killing and detecting this virus, I'll send you a
> copy.

Well - I would be happy to add detection/removal of this virus to my F-PROT
program - assuming it does not use any really complex encryption, it should
not take more than a couple of hours to have the disinfector ready.

But be careful in who you send the virus to - there are not more than 10-12
people I would send it to.

-frisk

--
Fridrik Skulason      University of Iceland      |
Technical Editor of the Virus Bulletin (UK)      |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is    Fax: 354-1-28801      |
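The two checks a practitioner would want from this thread, written out as an added example (this is not code from either poster, nor from F-PROT): first, the paragraph-padding arithmetic from the reply, applied to the three file sizes reported in the original post to recover the 1575-byte body length and the 1-15 leftover bytes a disinfector would leave behind; second, a plain byte-pattern scan for the 10-byte signature posted in the first message. The file sizes and the signature are taken from the thread; the "infected image" built by build_constructed_sample() is a constructed stand-in (a run of filler bytes with the signature planted in the appended body) and is not a real infected file.

```python
"""Added example, not part of the original posts.

infer_virus_length(): tests the hypothesis from the reply that the virus
pads the host to a 16-byte paragraph boundary before appending itself, and
returns the constant body length implied by the (clean, infected) sizes.
residual_padding(): how many padding bytes a naive disinfector leaves behind.
scan_for_signature(): offsets of the posted 10-byte pattern in a file image.
"""

PARAGRAPH = 16  # DOS paragraph size; the padding granularity assumed in the reply

# (filename, clean size, infected size) exactly as reported in the first post
REPORTED_SIZES = [
    ("command.com", 37637, 39223),
    ("simcity.exe", 191845, 193431),
    ("share.exe", 10301, 11879),
]

# Signature bytes as posted: "0E B0 00 E6 20 B8 24 35 CD 21"
SIGNATURE = bytes.fromhex("0E B0 00 E6 20 B8 24 35 CD 21")


def pad_to_paragraph(size: int) -> int:
    """Round size up to the next multiple of 16 (no change if already aligned)."""
    return (size + PARAGRAPH - 1) // PARAGRAPH * PARAGRAPH


def infer_virus_length(samples):
    """Return the single body length implied by all samples under the padding
    hypothesis, or None if the samples disagree (hypothesis does not hold)."""
    lengths = {infected - pad_to_paragraph(clean) for _, clean, infected in samples}
    if len(lengths) != 1:
        return None
    (length,) = lengths
    return length


def is_length_consistent(clean: int, infected: int, virus_len: int) -> bool:
    """Growth must equal virus_len plus 0..15 bytes of paragraph padding."""
    growth = infected - clean
    return virus_len <= growth < virus_len + PARAGRAPH


def residual_padding(clean: int, infected: int, virus_len: int) -> int:
    """Bytes left at the end of the file after a disinfector strips exactly
    virus_len bytes from the tail (the 1-15 'garbage bytes' in the reply)."""
    return infected - virus_len - clean


def scan_for_signature(image: bytes, sig: bytes = SIGNATURE):
    """Return every offset at which sig occurs in image (overlaps included)."""
    offsets = []
    pos = image.find(sig)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(sig, pos + 1)
    return offsets


def strip_appended_body(image: bytes, virus_len: int) -> bytes:
    """Naive disinfection: drop the last virus_len bytes. Padding remains."""
    return image[:-virus_len]


def build_constructed_sample(host_len: int, virus_len: int) -> bytes:
    """Constructed stand-in for an infected file: filler host, zero padding to
    a paragraph boundary, then a filler body with SIGNATURE planted at +0x10.
    The body layout is an assumption for illustration, not the real virus."""
    host = b"\x90" * host_len
    padding = b"\x00" * (pad_to_paragraph(host_len) - host_len)
    body = bytearray(b"\xcc" * virus_len)
    body[0x10:0x10 + len(SIGNATURE)] = SIGNATURE
    return host + padding + bytes(body)


if __name__ == "__main__":
    vlen = infer_virus_length(REPORTED_SIZES)
    print("inferred virus length:", vlen)
    for name, clean, infected in REPORTED_SIZES:
        print(f"{name:12} residual padding after removal: "
              f"{residual_padding(clean, infected, vlen)}")
    sample = build_constructed_sample(10301, vlen)
    print("constructed share.exe-sized image:", len(sample), "bytes,",
          "signature at", scan_for_signature(sample))
    print("after naive removal:", len(strip_appended_body(sample, vlen)), "bytes")
```

The point of residual_padding() is the caveat in the reply: stripping exactly 1575 bytes from share.exe leaves a 10304-byte file, three bytes longer than the 10301-byte original, so a size-based integrity check in the host would still fail after cleaning. The signature scan is deliberately a plain substring search; it only finds the virus if those ten bytes are stored unencrypted, which the reply's "assuming it does not use any really complex encryption" leaves open.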