[comp.virus] 1451COM / 1411EXE ? new virus

TOM.ERJAVEC@UNI-LJ.AC.MAIL.YU (Tom Erjavec) (06/08/90)

Here is some (of the rare) news from Yugoslavia:

We have had some 'classical' PC viruses for two years now: 1701, 1704,
Brain, Bouncing Ball, Jerusalem (1813COM/1808EXE), Yankee Doodle-like
(2885COM/2880EXE), Yankee Doodle (2772COM/2772EXE) and Disk Killer.
Now it seems we have another uninvited guest.

In early June I was given a sample of a virus, found in a small SW
engineering company. They detected no strange behaviour apart from the
lengthening of COM and EXE files. I disassembled it and I'm posting a
brief report:

VirusName       : ?, (1451COM/1411EXE)
Type            : indirect executable code infector
Infects         : COM and EXE files
VirusBodyLength : 1451 bytes (COM), 1411 bytes (EXE)
Expanding victim: YES, to paragraph boundary, both COM and EXE
Location in RAM : before end of memory
Steals interrupt: 21h
Intercepts func.: 40h (write to file), 4Bh (load & execute)
Attacks         : Sept., Oct., Nov., Dec., each year
Action          : When int 21h, func. 40h (write to file) is executed,
                  the virus intercepts the call. If triggered, the
                  action code increments register DX by 0Ah, changing
                  the address of the buffer to be written to disk.
Consequences    : wrong data (or garbage) written to disk

Program package RETROVIR (c) Proteus detects and removes the
1451COM/1411EXE from disk, along with all the other viruses mentioned
above.

I will be glad to receive reports on this virus from elsewhere.
Does anyone know its origin?

Tom.
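Added illustration, not part of Tom's post and not code from RETROVIR: a small C model of the write-interception payload the report describes, paired with the read-back check a defender could use to notice the corruption. The register roles (DS:DX buffer, CX byte count) are DOS's documented INT 21h/AH=40h convention; the 64 KiB segment model, the sample record, the trigger-month test and every function name here are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the DOS INT 21h, AH=40h (write to file) call as the
 * report describes it: DS:DX points at the caller's buffer, CX is the byte
 * count. The "file" is a plain byte array; handles are not modelled. */
#define SEG_SIZE 0x10000

typedef struct {
    uint8_t seg[SEG_SIZE];  /* the 64 KiB data segment holding the buffer */
    uint16_t dx;            /* offset of the buffer within that segment */
    uint16_t cx;            /* number of bytes to write */
} write_request_t;

/* Trigger window from the report: September through December. */
static int payload_active(int month) {
    return month >= 9 && month <= 12;
}

/* The intercept: if triggered, add 0Ah to DX before chaining to DOS.
 * Everything else about the call is left unchanged. */
static void virus_intercept_40h(write_request_t *req, int month) {
    if (payload_active(month))
        req->dx = (uint16_t)(req->dx + 0x0A);
}

/* Original DOS behaviour: copy CX bytes from DS:DX into the file. */
static size_t dos_original_40h(const write_request_t *req, uint8_t *file, size_t file_cap) {
    size_t n = req->cx;
    if (n > file_cap) n = file_cap;
    if ((size_t)req->dx + n > SEG_SIZE) n = SEG_SIZE - req->dx;
    memcpy(file, req->seg + req->dx, n);
    return n;
}

/* Full path on an infected machine: the resident hook runs first, then
 * control passes to the original handler. Returns bytes written. */
size_t infected_int21_write(write_request_t *req, int month, uint8_t *file, size_t file_cap) {
    virus_intercept_40h(req, month);
    return dos_original_40h(req, file, file_cap);
}

/* Defender's check: read the record back and compare it with what the
 * application meant to write. Returns 1 if the write is intact. */
int verify_written(const uint8_t *intended, size_t n, const uint8_t *file, size_t written) {
    return written == n && memcmp(intended, file, n) == 0;
}

/* Constructed scenario: a 32-byte record "ABC..." at DS:0100h, followed by
 * unrelated bytes (EEh) that a shifted pointer would pull into the file. */
static size_t demo_write(int month, uint8_t *file, size_t file_cap, uint8_t *intended) {
    static write_request_t req;   /* static: 64 KiB is too large for the stack */
    memset(&req, 0, sizeof req);
    for (int i = 0; i < 32; i++) {
        req.seg[0x100 + i] = (uint8_t)('A' + i);
        req.seg[0x120 + i] = 0xEE;
    }
    req.dx = 0x100;
    req.cx = 32;
    memcpy(intended, req.seg + 0x100, 32);
    return infected_int21_write(&req, month, file, file_cap);
}

/* 1 if the record written in the given month matches the intended data. */
int write_survives(int month) {
    uint8_t file[64], intended[32];
    size_t written = demo_write(month, file, sizeof file, intended);
    return verify_written(intended, 32, file, written);
}

/* First byte that actually lands in the file for the given month; shows
 * the 0Ah shift ('A' in a clean month, 'K' once the payload fires). */
int first_byte_on_disk(int month) {
    uint8_t file[64], intended[32];
    demo_write(month, file, sizeof file, intended);
    return file[0];
}

int main(void) {
    for (int month = 6; month <= 10; month += 4)
        printf("month %2d: first byte '%c', write %s\n", month,
               first_byte_on_disk(month),
               write_survives(month) ? "intact" : "CORRUPTED");
    return 0;
}
```

The point of the read-back comparison is that a payload of this kind leaves the write call returning success: CX bytes really are written, just from the wrong address, so only comparing the stored bytes against the intended buffer (or a checksum kept alongside the data) reveals the damage.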