LISTVIR@USACHVM1.BITNET (Gonzalo M. Rojas Costa) (02/24/90)
Hi,

Vesselin Bontchev (T762102@DM0LRZ01.BITNET) writes:

> - The virus is memory resident. It installs itself in the
> memory at address 9800:0000. I couldn't find where (and if)
> it checks for the memory size.

This virus only copies itself to the address 9800h:0000. It doesn't install itself resident with INT 27 or function 31H. If I execute a big program (one that occupies the segment 9800h), this program erases the virus from memory and a crash will occur. Besides, the 1559 virus doesn't check the memory size. So if I execute a program infected with this virus on a computer with less than 640K of RAM, the computer hangs. (This effect occurs too, for example, on an AT with 1024K of memory {512K from factory and 512K of Extended Memory}.)

> - The virus is 1554 bytes long, but may add more bytes (up to
> 1569 I think) to the infected files.

Yes. If I infect a program with this virus, the program doesn't grow by a constant number of bytes. For that reason I don't find the name 1559 appropriate for this virus. Besides, the size of the virus is 1554 bytes. So I don't see the reason for that name.

> - Only *.COM files greater than 1000 bytes will be infected. I
> couldn't find if there is a limit for the *.EXE ones.

EXE files greater than or equal to 3 512-byte pages (1536 bytes) are infected.

> - The first 32 bytes of the *.COM files are overwritten. The
> original 32 bytes can be found at offset (14,15)*16+1015
> from the beginning of the file.

The 32 overwritten bytes can be found at offset (14,15)*16+1271 in the infected program that I disassembled. (It seems that the offset where the overwritten bytes are located is (14,15)*16+number, and number depends on the size of the program being infected.)

> - The virus intercepts the WRITE function call (AH == 40H) of
> INT 21h. If the month of the current date is 9 or greater,
> and if the write is on file handle > 4 (i.e., it is a "true"
> file, not stdin/out/err/aux/prn), then the address of the
> memory chunk which has to be written, is increased by 0Ah.
> This leads to garbage being written.

Then, if I type the command COPY myfile1 myfile2 in the months of September, October, November or December, myfile2 will lose the first ten bytes, and an equal quantity of garbage will be added to the end. (But myfile1 and myfile2 remain the same size.)

An important characteristic of this virus is that it has subroutines that don't permit the use of debuggers (such as MS-DOS's DEBUG or Turbo Debugger).

Disclaimer: The views expressed are my own! I do not speak for, nor do I represent any other person or company.

Gonzalo M. Rojas Costa
BITNET: LISTVIR@USACHVM1
ARPA: LISTVIR%USACHVM1.BITNET@CUNYVM.CUNY.EDU
Owner of ASSMPC-L
Antiviral Research Group
Technical Support Unit
Universidad de Santiago de Chile
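The write corruption described in the post above (buffer pointer advanced by 0Ah under INT 21h/AH=40h when the month is 9 or later and the handle is above 4, byte count unchanged) can be modelled to see why a copy keeps its size but loses its first ten bytes and picks up ten bytes of garbage at the end, and to give a forensic check for files damaged that way. This is an added example, not code from the thread or from the virus; it assumes a single write call carries the whole file, as in the COPY case, and the function names, the sample file and the "trailing memory" bytes are constructed for illustration.

```python
# Added example: model of the shifted DOS write described in the thread, plus a
# forensic check for files written through it. Not the virus's code; the single
# write-per-file assumption and all names and sample data are constructed here.

SHIFT = 0x0A          # the pointer is advanced by 0Ah bytes (from the post)
TRIGGER_MONTH = 9     # September or later
MIN_HANDLE = 5        # handles 0-4 are stdin/out/err/aux/prn and are left alone


def hooked_write(memory: bytes, buf_offset: int, count: int, month: int, handle: int) -> bytes:
    """Bytes that reach the disk for a write of `count` bytes from `buf_offset` in `memory`.

    Normal behaviour is memory[buf_offset : buf_offset + count]. Under the trigger
    conditions the start pointer moves forward by SHIFT while `count` stays the
    same, so the write begins 10 bytes late and runs 10 bytes past the buffer.
    """
    if month >= TRIGGER_MONTH and handle >= MIN_HANDLE:
        buf_offset += SHIFT
    return memory[buf_offset:buf_offset + count]


def copy_through_hook(original: bytes, after_buffer: bytes, month: int, handle: int = 5) -> bytes:
    """Simulate `COPY myfile1 myfile2` with the whole source sitting in one buffer.

    `after_buffer` is a constructed stand-in for whatever bytes happen to follow
    the transfer buffer in RAM; those are the "garbage" that lands at the end of
    myfile2 when the pointer is shifted.
    """
    memory = original + after_buffer
    return hooked_write(memory, 0, len(original), month, handle)


def looks_like_shifted_write(original: bytes, suspect: bytes, shift: int = SHIFT) -> bool:
    """Forensic check: is `suspect` what `original` becomes after the shifted write?

    Signature: same length, and the suspect with its last `shift` bytes dropped
    equals the original with its first `shift` bytes dropped. The final `shift`
    bytes are uncontrolled memory contents and are not compared.
    """
    if len(original) != len(suspect) or len(original) <= shift:
        return False
    return suspect[:-shift] == original[shift:]


if __name__ == "__main__":
    # Constructed sample file and constructed contents of the memory after the buffer.
    sample = b"Constructed sample text file for the 1559 write-hook model.\r\n"
    junk = bytes(range(0xF0, 0x100))  # 16 bytes standing in for whatever follows the buffer

    clean = copy_through_hook(sample, junk, month=3)
    damaged = copy_through_hook(sample, junk, month=10)

    print("March copy intact:      ", clean == sample)
    print("October copy same size: ", len(damaged) == len(sample))
    print("October copy first 10 bytes lost:", damaged[:10] != sample[:10])
    print("matches shift signature:", looks_like_shifted_write(sample, damaged))
```

Comparing a suspect file against a known-good backup with `looks_like_shifted_write` distinguishes this specific damage pattern from ordinary truncation or random corruption: the length is preserved and the body is simply displaced by ten bytes.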
J2YC@UNB.CA (DBILLINGSLEY) (09/14/90)
Last year, I believe, the 1559 virus was sent out over VALERT by accident. I was wondering if anyone has had any problems because of it. I have found out that it activates on September 1st of the year and therefore the damage would only be noticed now. (This may have been already discussed in full; if so please do not include this letter.)

Damage noticed by the 1559 Virus:

On EXE files, file size is increased roughly by 1559 bytes. COM files don't seem to have their file size changed; however, they also get infected (as does COMMAND.COM).

The virus' incubation period continues past September first; however, on that date and beyond all sequential text files written (or any file written to) will be severely damaged....

SCANV66B was what I used to detect the virus; however, no safe cure is out there (or none that I am aware of).

Derek Billingsley