T762102@DM0LRZ01.BITNET (02/02/90)
The V2000 Virus
---------------

This virus is also "made in Bulgaria" and again I am indirectly the cause of its creation. I am a well known "virus-buster" in Bulgaria and my antivirus programs are very widely used. Of course, virus designers didn't like it. So their next creation... causes trouble to my antivirus programs.

This virus is exactly 2000 bytes long and I think that it was created by the author of the Eddie (Dark Avenger) virus. The programming style is the same and there are even pieces of code which are the same.

The virus acts much like the Eddie one --- it installs resident in memory by manipulating the memory control blocks; infects COMMAND.COM at the first run; infects both .COM- and .EXE-files; infects files when one executes them as well as when one copies them.

However, there are some extras added.

First, the virus is able to fetch the original INT 13h vector just like the V512 one (by using the same undocumented function --- tricks spread fast between virus programmers).

Second, it intercepts the find-first (FCB) and find-next (FCB) functions --- just like V651 (and contains the same bugs), so you won't see the increased file lengths in the listing displayed by the DIR command.

Third, it contains the string "Copyright (C) 1989 by Vesselin Bontchev", so people may think that I am the author of this virus. In fact, the virus searches every program being executed for this string (the case of the letters does not matter) and if found, hangs the system. It is not necessary to tell you that all my antivirus programs contain this string.

Of course, now I will have to use some kind of encryption, just to prevent such tricks.

Sincerely,
Vesselin
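As an added illustration (not code from the post or from the author's programs), the C sketch below models the case-insensitive string check described above so a tool author can audit whether a program image exposes the plaintext notice, and shows that an encoded notice is no longer matched yet can still be decoded for display. The single-byte XOR with key 0x5A is an assumed stand-in for the unspecified "some kind of encryption", and the function names and program images are constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MARKER "Copyright (C) 1989 by Vesselin Bontchev"

/* Case-insensitive search for marker in buf; returns its offset or -1. */
long find_marker_ci(const unsigned char *buf, size_t len, const char *marker)
{
    size_t mlen = strlen(marker), i, j;
    if (mlen == 0 || len < mlen) return -1;
    for (i = 0; i + mlen <= len; i++) {
        for (j = 0; j < mlen; j++)
            if (tolower(buf[i + j]) != tolower((unsigned char)marker[j]))
                break;
        if (j == mlen) return (long)i;
    }
    return -1;
}

/* XOR every byte with key; the same routine encodes and decodes. */
void xor_bytes(unsigned char *out, const unsigned char *in, size_t n, unsigned char key)
{
    size_t i;
    for (i = 0; i < n; i++) out[i] = in[i] ^ key;
}

/* Constructed image: 4 filler bytes, then the notice, plain or XOR-encoded. */
size_t build_image(unsigned char *img, const char *notice, int encode, unsigned char key)
{
    size_t n = strlen(notice);
    memset(img, 0x90, 4);
    if (encode) xor_bytes(img + 4, (const unsigned char *)notice, n, key);
    else memcpy(img + 4, notice, n);
    return n + 4;
}

int main(void)
{
    unsigned char img[128], shown[128];
    /* Changing the letter case alone does not hide the notice. */
    size_t n = build_image(img, "COPYRIGHT (c) 1989 BY VESSELIN BONTCHEV", 0, 0);
    printf("plain notice:   offset %ld\n", find_marker_ci(img, n, MARKER));
    n = build_image(img, MARKER, 1, 0x5A);   /* assumed key */
    printf("encoded notice: offset %ld\n", find_marker_ci(img, n, MARKER));
    xor_bytes(shown, img + 4, n - 4, 0x5A);  /* decode only when displaying */
    printf("decoded at run time: %.*s\n", (int)(n - 4), shown);
    return 0;
}
```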