NYAPEL%WEIZMANN.BITNET@VMA.CC.CMU.EDU (Uzi Apple) (09/08/89)
Hello all,

This is the first time that I write to virus-l, because I really need help. My computer was infected by a new virus that called itself MIX1 virus. Its symptoms are:

1) only EXE files are infected
2) the printer prints spelling mistakes
3) I see a jumping ball on the screen (and it isn't the Ping-Pong, I checked)
4) I can't boot the system
5) the Num Lock doesn't work, I can only write numbers

If someone has the Unvirus for this virus please connect me.

Uzi

- ------------------------------------------------------------------------------
Uzi Apple                      InterNet: NYAPEL%WEIZMANN.BITNET@CUNYVM.CUNY.EDU
The Weizmann Inst. Of Science  CsNet:    NYAPEL@WEIZMANN.BITNET
Rehovot                        BitNet:   NYAPEL@WEIZMANN
- ------------------------------------------------------------------------------
NYYUVAL@WEIZMANN.BITNET (Yuval Tal (972)-8-474592) (10/25/89)
A new virus was found here in Israel. I didn't know whether to call it: The Do Nothing Virus or The Stupid Virus.

The author (which is as usually known) put an infected program on one of the BBSs in Israel. The program was an infected program which my friend wrote BUT it claimed to be a new version (e.g. my friend's latest version was 3.4 and the one on the BBS was 4.0). He quickly downloaded this file and he found out that it is infected with a virus.

After checking this virus he and I got to one big conclusion. The author of this virus probably doesn't know assembly so well. You can see this quite clearly:

- The virus tries to push only one byte into the stack.
- The virus is copied always to location 9800:100h. This means that it will work only on computers with 640KB. The virus doesn't reduce the amount of memory (like other viruses such as Denzuk, Ping-Pong etc.). The virus is copied and that's it! Turbo Pascal, for instance, may use this location as heap and the virus may be erased from memory.

Another thing, this virus infects only the first .COM file in the directory. It doesn't check if the file is already infected or not, it just infects it.

This virus does nothing besides infecting the file, no damage at all! This is why I called it The Do Nothing Virus.

Here is a report I made. I may change it a bit here and there..

- --------------------------------------------------------------------------
Entry................: The Do Nothing Virus
Alias(es)............: The Stupid Virus
Virus detection when.: 22-October-1989
                where.: Israel
Classifications......: .COM file infecting virus/extending.
Length of virus......: 583 bytes added to file.
Operating system(s)..: MS-DOS
Version/release......: 2.0 or higher
Computer model(s)....: IBM PC,XT,AT and compatibles
Identification.......: .COM files: The first 3 bytes of the infected files
                       are changed.
                       System: The virus copies itself to 9800h:100h.
Type of infection....: Extends .COM files. Adds 583 bytes to the end of the
                       file. The virus copies itself to 9800:100h. This
                       means that only computers with 640KB may be infected,
                       hooks int 21 and infects other programs by scanning
                       the directory until it finds a .COM file. It is
                       infected upon function Fh and 3Dh. .EXE files are
                       not infected.
Infection trigger....: The first .COM file of the current directory is
                       infected whether the file is infected or not.
Interrupts hooked....: Int 21
Damage...............: None.
Damage trigger.......: Whenever a file is opened.
Standard means.......: Lots of programs such as Turbo Pascal use this area
                       and the virus may be erased...
Acknowledgment:
Location.............: The Weizmann Institute Of Science, Rehovot, Israel
Documented by........: Yuval Tal (NYYUVAL@WEIZMANN.BITNET).
Date.................: 25-October-1989
- --------------------------------------------------------------------------

-Yuval Tal
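
A triage check built from the "Identification" and "Type of infection" fields of the report above, as an added example that is not part of the original post: it compares a suspect .COM file with a known-good copy and tests for the 583-byte extension, the changed first 3 bytes and an otherwise untouched original body. The names `triage` and `altered_copy`, the sample bytes, and the assumption that each repeat infection appends another 583 bytes are constructed for illustration.

```python
"""Compare a suspect .COM file with a known-good copy using the report's traits."""
from dataclasses import dataclass

APPENDED = 583  # report: "Adds 583 bytes to the end of the file"
HEAD = 3        # report: "The first 3 bytes of the infected files are changed"


@dataclass
class Triage:
    growth: int         # suspect size minus known-good size
    passes: int         # number of 583-byte extensions, 0 if growth is not a multiple
    head_changed: bool  # first 3 bytes differ from the known-good copy
    body_intact: bool   # known-good bytes after the first 3 are still in place

    @property
    def consistent(self) -> bool:
        return self.passes >= 1 and self.head_changed and self.body_intact


def triage(clean: bytes, suspect: bytes) -> Triage:
    growth = len(suspect) - len(clean)
    # The report says already-infected files are infected again. Assumption:
    # every pass appends another 583 bytes, so growth is a multiple of 583.
    passes = growth // APPENDED if growth > 0 and growth % APPENDED == 0 else 0
    head_changed = suspect[:HEAD] != clean[:HEAD]
    body_intact = suspect[HEAD:len(clean)] == clean[HEAD:]
    return Triage(growth, passes, head_changed, body_intact)


# Constructed test data: a 32-byte stand-in for a clean .COM file and copies
# altered with inert filler bytes (no virus code) to mimic the size change.
CLEAN = bytes.fromhex("b8004ccd21") + bytes(27)


def altered_copy(data: bytes, passes: int) -> bytes:
    out = data
    for _ in range(passes):
        out = b"\xAA\xBB\xCC" + out[HEAD:] + bytes(APPENDED)
    return out


if __name__ == "__main__":
    samples = {"unchanged": CLEAN, "one pass": altered_copy(CLEAN, 1),
               "three passes": altered_copy(CLEAN, 3), "legit update": CLEAN + bytes(600)}
    for name, data in samples.items():
        result = triage(CLEAN, data)
        print(f"{name:13} {result} consistent={result.consistent}")
```

A file that merely grew by 583 bytes, or whose head changed without the matching growth, is reported as not consistent, so a legitimate update is not flagged on size alone.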