RZOTTO@DKNKURZ1.BITNET (Otto Stolz) (08/03/90)
In the HQ of Südwestdeutscher Bibliotheks-Verbund (located at the University of Constance, Germany), a new virus has been detected. The virus adds 453 (four hundred fifty three) bytes to COM files. (It is neither the V-345 from the Amstrad strain, nor the Vienna 435.) F-FCHK and SCAN do not recognize this virus.

It is not yet known whether this virus carries a payload. I know that it infects COM files in the local directory; whilst it did not infect files in other directories during my tests, we cannot be completely sure about the infection mechanism until the virus has been disassembled.

Following are my preliminary findings in VTC format. I'll send a sample to the VTC at Hamburg for further investigation.

If anybody has already seen this beast and knows more than I do (cf. infra), please drop me a note.

Otto

---------------
Entry................. ((not yet assigned -- anything alluding to the
                       length would be confusing, as we have already
                       435 and 345 viruses))
Alias(es).............
Strain................
Detected: when........ 1 Aug 1990
          where....... Südwestdeutscher Bibliotheksverbund
                       (located at Universität Konstanz)
Classification........ Link virus, direct action COM infector
Length of virus....... 453 bytes added to COM files
----------------------- Preconditions --------------------------------
Operating System(s)...
Version/Release.......
Computer models.......
----------------------- Attributes -----------------------------------
Easy identification... File size increases by 453 bytes
                       The following offsets are taken relative to the
                       address the JMP instruction (cf. infra) points to.

                       offset | string / bytes found
                       -------+----------------------------------
                       007    | "VIRUS"
                       00D    | "*.COM"
                       013    | "????????COM"
                       030    | file-id of the infected program
                       043    | original contents of 1st 3 bytes
                       052    | "TUQ.RPVS"
Type of infection..... Direct action. Begin of program is overwritten
                       with JMP instruction pointing to appended viral
                       code.
Infection trigger..... Executing an infected file will trigger the
                       infection attempt in the local directory.
                       Virus has been tested with one bait (at most)
                       available, so it is not clear whether multiple
                       programs will be infected. No files outside the
                       local directory have been infected during tests.
Interrupts hooked..... none
Damage................
Particularities.......
----------------------- Acknowledgement ------------------------------
Location.............. Rechenzentrum der Universität Konstanz
Classification by..... Otto Stolz <RZOTTO at DKNKURZ1.BITNET>
Documentation by ..... Otto Stolz <RZOTTO at DKNKURZ1.BITNET>
Date.................. 1990-08-02
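
The identification table above, turned into a file check. This is an added example, not part of the original post or of any scanner it mentions. It assumes the 3-byte JMP is the near form (opcode E9 with a 16-bit displacement); the function names and the sample image are constructed for illustration.

```python
import struct

# Offsets (hex, relative to the JMP target) and strings, from the report above.
MARKERS = {0x07: b"VIRUS", 0x0D: b"*.COM", 0x13: b"????????COM", 0x52: b"TUQ.RPVS"}
SAVED_OFF = 0x43      # original contents of the first 3 bytes
ADDED_LEN = 453       # growth of an infected COM file


def check_com_image(data: bytes):
    """Return match details for a COM image, or None if it does not match."""
    # Assumption: the 3-byte JMP is the near form (opcode E9, 16-bit displacement).
    if len(data) < 3 + ADDED_LEN or data[0] != 0xE9:
        return None
    (disp,) = struct.unpack_from("<H", data, 1)
    target = (3 + disp) & 0xFFFF          # file offset of the JMP destination
    for off, text in MARKERS.items():
        if data[target + off:target + off + len(text)] != text:
            return None                   # also covers targets past end of file
    saved = data[target + SAVED_OFF:target + SAVED_OFF + 3]
    if len(saved) != 3:
        return None
    return {
        "jmp_target": target,
        "saved_first_bytes": saved,       # what a repair would write back at offset 0
        "original_length": len(data) - ADDED_LEN,
        "target_in_appended_part": target >= len(data) - ADDED_LEN,
    }


def build_constructed_sample() -> bytes:
    """Constructed test image: marker strings only, no viral code."""
    host = b"\x90\x90\x90" + b"\x90" * 96 + b"\xC3"      # 100-byte dummy host
    tail = bytearray(ADDED_LEN)
    for off, text in MARKERS.items():
        tail[off:off + len(text)] = text
    tail[SAVED_OFF:SAVED_OFF + 3] = host[:3]
    # Assumption for the sample only: the JMP lands on the first appended byte.
    jmp = b"\xE9" + struct.pack("<H", len(host) - 3)
    return jmp + host[3:] + bytes(tail)


if __name__ == "__main__":
    print(check_com_image(build_constructed_sample()))
    print(check_com_image(b"\x90" * 600))   # clean dummy file
```

Requiring all four strings at their exact offsets from the JMP target keeps the check from firing on a file that merely contains the text "*.COM" somewhere.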