padgett%tccslr.dnet@uvs1.orl.mmc.com (Padgett Peterson) (11/20/90)
Have just had an opportunity to examine (briefly) a new virus as yet unnamed (DataLock/920 ?). This does not appear to be a very great threat since it does apparently nothing to hide itself (but then, neither does the Jerusalem).

The virus infects a machine by running an infected file. It goes resident in the Top Of Memory, reducing a CHKDSK return by 2048 bytes (a 640k machine will return 653312 bytes total memory instead of 655360). Int 12 is not affected, so a comparison will result in a mismatch similar to the 4096.

Each time an .EXE file is executed, it will increase in size by 920 bytes. The virus will only infect a file once but will infect any .EXE executed. The string "DataLock version 1.00" was found in clear near the end of an infected test file & at location 9000:fca8 in memory on my 640k isolation machine.

The virus appears to trap INT 21 and determines if it is in memory by returning a value of 1234 in AX if INT 21 is called with function BE.

The current version of SCAN (v67c) does not yet detect this, but all of you do check the "three bytes", don't you? Further information will be posted as discovered.

Padgett, just back from the CSI Conference in Atlanta and had a great time.
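The indicators reported in the post above (the cleartext string, the 920-byte growth, and the 2048-byte gap between INT 12 and CHKDSK), combined into a triage check. This is an added example, not part of the original post or of SCAN; the function names and the 1024-byte tail window are assumptions, and the sample data is constructed.

```python
MARKER = b"DataLock version 1.00"  # cleartext string reported in the post
GROWTH = 920                       # bytes added to an infected .EXE
TOM_LOSS = 2048                    # bytes missing from CHKDSK total memory
TAIL_WINDOW = 1024                 # assumption: reach of "near the end"


def check_exe(data, baseline_size=None):
    """Return the indicator names found in one .EXE image (bytes)."""
    hits = []
    if data[:2] not in (b"MZ", b"ZM"):
        return hits                # not a DOS .EXE; the post covers .EXE only
    if MARKER in data[-TAIL_WINDOW:]:
        hits.append("marker_in_tail")
    elif MARKER in data:
        hits.append("marker_elsewhere")  # weaker: could be a signature list
    # Size check needs a known-good size recorded before infection.
    if baseline_size is not None and len(data) - baseline_size == GROWTH:
        hits.append("grew_920")
    return hits


def check_memory(int12_kb, chkdsk_total_bytes):
    """Compare the INT 12 size (in KB) with CHKDSK's total memory figure."""
    missing = int12_kb * 1024 - chkdsk_total_bytes
    return {"missing": missing, "matches_report": missing == TOM_LOSS}


if __name__ == "__main__":
    # Constructed sample: a dummy "MZ" image plus 920 bytes carrying the marker.
    clean = b"MZ" + bytes(3000)
    pad = bytes(GROWTH - len(MARKER) - 10)
    suspect = clean + pad + MARKER + bytes(10)
    print(check_exe(clean, len(clean)))
    print(check_exe(suspect, len(clean)))
    print(check_memory(640, 653312))
```

Either file indicator alone is weak evidence; the string match together with exact 920-byte growth against a recorded baseline is the combination the post describes.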