TOM.ERJAVEC@UNI-LJ.AC.MAIL.YU (Tom Erjavec) (06/08/90)
Here is some (of the rare) news from Yugoslavia:

We have had some 'classical' PC viruses for two years now: 1701, 1704, Brain, Bouncing Ball, Jerusalem (1813COM/1808EXE), Yankee Doodle like (2885COM/2880EXE), Yankee Doodle (2772COM/2772EXE) and Disk Killer.

Now it seems we have another uninvited guest. In early June I was given a sample of a virus, found in a small SW engineering company. They detected no strange behaviour but prolongation of COM and EXE files. I disassembled it and I'm posting a brief report:

VirusName        : ?, (1451COM/1411EXE)
Type             : indirect executable code infector
Infects          : COM and EXE files
VirusBodyLength  : 1451 bytes (COM), 1411 bytes (EXE)
Expanding victim : YES, to paragraph boundary, both COM and EXE
Location in RAM  : before end of memory
Steals interrupt : 21h
Intercepts func. : 40h (write to file), 4Bh (load & execute)
Attacks          : Sept., Oct., Nov., Dec., each year
Action           : When executing int 21h, func. 40h (write to file) intercepts the call. If triggered, the action code increments register DX by 0Ah, changing the address of the buffer to be written to disk.
Consequences     : wrong data (or garbage) written to disk

Program package RETROVIR (c) Proteus detects and removes the 1451COM/1411EXE from disk, along with all the other viruses mentioned above.

I will be glad to receive reports on this virus from elsewhere. Does anyone know its origin?

Tom.