RZOTTO@DKNKURZ1.BITNET (Otto Stolz) (08/03/90)
In the HQ of Südwestdeutscher Bibliotheks-Verbund (located at the
university of Constance, Germany), a new virus has been detected. The
virus adds 453 (four hundred fifty three) bytes to COM files. (It is
neither the V-345 from the Amstrad strain, nor the Vienna 435.)
F-FCHK and SCAN do not recognize this virus.
It is not yet known whether this virus carries a payload.
I know that it infects COM files in the local directory; whilst it did
not infect files in other directories during my tests, we cannot be
completely sure about the infection mechanism until the virus has been
dis-assembled.
Following are my preliminary findings in VTC format.
I'll send a sample to the VTC at Hamburg for further investigation.
If anybody has already seen this beast and knows more than I do (cf.
infra), please drop me a note.
Otto
---------------
Entry................. ((not yet assigned -- anything alluding to the
                       length would be confusing, as we have already
                       435 and 345 viruses))
Alias(es).............
Strain................
Detected: when........ 1 Aug 1990
          where....... Südwestdeutscher Bibliotheksverbund
                       (located at Universität Konstanz)
Classification........ Link virus, direct action COM infector
Length of virus....... 453 bytes added to COM files
----------------------- Preconditions --------------------------------
Operating System(s)...
Version/Release.......
Computer models.......
----------------------- Attributes -----------------------------------
Easy identification... File size increases by 453 bytes
                       The following offsets are taken relative to the
                       address the JMP instruction (cf. infra) points to.
                       offset | string / bytes found
                       -------+----------------------------------
                        007   | "VIRUS"
                        00D   | "*.COM"
                        013   | "????????COM"
                        030   | file-id of the infected program
                        043   | original contents of 1st 3 bytes
                        052   | "TUQ.RPVS"
Type of infection..... Direct action.
                       Begin of program is overwritten with JMP
                       instruction pointing to appended viral code.
Infection trigger..... Executing an infected file will trigger the
                       infection attempt in the local directory.
                       Virus has been tested with one bait (at most)
                       available, so it is not clear whether multiple
                       programs will be infected. No files outside the
                       local directory have been infected during tests.
Interrupts hooked..... none
Damage................
Particularities.......
----------------------- Acknowledgement ------------------------------
Location.............. Rechenzentrum der Universität Konstanz
Classification by..... Otto Stolz <RZOTTO at DKNKURZ1.BITNET>
Documentation by...... Otto Stolz <RZOTTO at DKNKURZ1.BITNET>
Date.................. 1990-08-02
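
The "Easy identification" table above can be turned into a file check. The following is an added example, not part of the original post or of any scanner it mentions. It assumes the overwriting JMP is a 3-byte near jump (opcode E9) and that the table offsets are hexadecimal; the function names and the sample image are constructed for illustration.

```python
import struct

# (offset from the JMP target, expected bytes), from the table in the post.
MARKERS = [
    (0x07, b"VIRUS"),
    (0x0D, b"*.COM"),
    (0x13, b"????????COM"),
    (0x52, b"TUQ.RPVS"),
]
SAVED_BYTES_OFFSET = 0x43  # "original contents of 1st 3 bytes"
JMP_NEAR = 0xE9            # assumption: 3-byte near JMP at start of file


def jmp_target(image: bytes):
    """Return the file offset a leading near JMP points to, or None."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    (disp,) = struct.unpack_from("<H", image, 1)
    # Displacement is relative to the next instruction and wraps at 64 KiB.
    target = (3 + disp) & 0xFFFF
    return target if 3 <= target < len(image) else None


def check_com(image: bytes) -> dict:
    """Compare a COM image against the marker table; report the findings."""
    target = jmp_target(image)
    if target is None:
        return {"match": False, "reason": "no leading near JMP into file"}
    missing = [hex(off) for off, pat in MARKERS
               if image[target + off:target + off + len(pat)] != pat]
    if missing:
        return {"match": False,
                "reason": "markers absent at " + ", ".join(missing)}
    start = target + SAVED_BYTES_OFFSET
    # The saved bytes are what a later cleanup would write back to offset 0.
    return {"match": True, "jmp_target": target,
            "saved_first_bytes": image[start:start + 3]}


def build_sample(host: bytes) -> bytes:
    """Constructed test image: marker strings only, no viral code."""
    tail = bytearray(0x60)
    for off, pat in MARKERS:
        tail[off:off + len(pat)] = pat
    tail[SAVED_BYTES_OFFSET:SAVED_BYTES_OFFSET + 3] = host[:3]
    return b"\xE9" + struct.pack("<H", len(host) - 3) + host[3:] + bytes(tail)
```

A match on all four strings at the stated offsets is far stronger evidence than the 453-byte size increase alone, which needs a known-good copy of the file to compare against.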