[comp.virus] Two new PC viruses

RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU (Y. Radai) (10/05/89)

  Two new viruses have been discovered in Israel.  One of them is
called the Alabama virus.  It infects EXE files and increases their
size by 1560 bytes.  Unlike many other resident viruses, it does not
use Int 21h function 31h to stay resident.  It loads itself 30K under
the highest memory location reported by DOS, but (unlike MIX1) it does
not lower the amount of memory reported by BIOS or DOS.
  It hooks Int 9 and checks for Ctrl-Alt-Del.  (It uses IN and OUT
commands to confuse anti-virus people.)  When it identifies this
combination it causes an apparent boot but remains in RAM.
  After 1 hour of operation (the virus checks the time on each Int 9
or Int 21 call), the following flashing boxed message appears:

    SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW..............
    Box 1055 Tuscambia ALABAMA USA.

  This virus does not necessarily infect the file which is currently
being executed.  First it looks for an uninfected file in the current
directory, and if it finds one it infects it.  Only if it does
not find one does it infect the executed file.
  But sometimes, when it finds an uninfected file, instead of infecting
it, it will *exchange* it with the currently executed file without
renaming it, so that the user will think that he is executing one
program while he is actually executing another one!

  I have less information about the other virus (not even a name for
it).  It adds 4096 to all infected files (both EXE and COM, incl.
COMMAND.COM).  But when you perform DIR you don't see the increase in
file size since the virus shows you the *original* (uninfected) sizes.
Like the Alabama and MIX1, it does not use the usual TSR function.  It
also uses INs and OUTs to confuse single-step utilities.

  My thanks to Eli Shapira for this info.

                                          Y. Radai
                                          Hebrew Univ. of Jerusalem
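
An added example, not part of the original post: a baseline comparison that flags the three symptoms described above (EXE growth of 1560 bytes, EXE/COM growth of 4096 bytes, and a program whose contents now match a different program's baseline). All names and sample data are hypothetical; it assumes snapshots are built from file contents read after booting from known-clean media, since the post says the second virus shows original sizes in DIR, and that exchanged files are otherwise unmodified copies.

```python
import hashlib

ALABAMA_GROWTH = 1560  # bytes added to EXE files, per the post
SECOND_GROWTH = 4096   # bytes added to EXE and COM files, per the post

def snapshot(files):
    """Map name -> (size, sha256) from a dict of name -> file contents."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}

def compare(baseline, current):
    """Return sorted (name, finding) pairs for files that differ from baseline."""
    by_hash = {h: n for n, (_, h) in baseline.items()}
    findings = []
    for name, (size, digest) in current.items():
        if name not in baseline or digest == baseline[name][1]:
            continue  # new file (out of scope here) or unchanged
        growth = size - baseline[name][0]
        ext = name.rsplit(".", 1)[-1].upper()
        other = by_hash.get(digest)
        if other is not None and other != name:
            # Same name, but the bytes are another program's baseline contents.
            findings.append((name, f"content matches baseline of {other} (exchanged)"))
        elif growth == ALABAMA_GROWTH and ext == "EXE":
            findings.append((name, "grew by 1560 bytes (Alabama size)"))
        elif growth == SECOND_GROWTH and ext in ("EXE", "COM"):
            findings.append((name, "grew by 4096 bytes (second virus size)"))
        else:
            findings.append((name, f"modified, size change {growth:+d}"))
    return sorted(findings)

# Constructed sample data (not real files): name -> contents.
BASE = {"EDIT.EXE": b"E" * 3000, "SORT.EXE": b"S" * 2000,
        "COMMAND.COM": b"C" * 5000, "CALC.EXE": b"K" * 1000,
        "MORE.COM": b"M" * 800}
NOW = dict(BASE)
NOW["EDIT.EXE"] = BASE["EDIT.EXE"] + b"\x00" * 1560        # Alabama-sized growth
NOW["COMMAND.COM"] = BASE["COMMAND.COM"] + b"\x00" * 4096  # 4096-byte growth
NOW["SORT.EXE"], NOW["CALC.EXE"] = BASE["CALC.EXE"], BASE["SORT.EXE"]  # exchanged

def demo():
    return compare(snapshot(BASE), snapshot(NOW))

if __name__ == "__main__":
    for name, finding in demo():
        print(name, "-", finding)
```

A size match alone is only a hint; any hash mismatch against the baseline deserves inspection regardless of the growth value.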