[comp.virus] NEW VIRUS DISCOVERED AND DISASSEMBLED

RY15%DKAUNI11.BITNET@IBM1.CC.Lehigh.Edu (Christoph Fischer) (08/19/89)

We just finished disassembling a new virus; it was sent to us by the
University of Cologne. We haven't found any clue that this virus showed
up before.
Here are the facts we found:
   0. It works on PC/MS-DOS ver. 2.0 or higher
   1. It infects COM files, increasing them by 1206 to 1221 bytes
      (placing the virus code on a paragraph start)
   2. It infects EXE files in two passes: After the first pass the EXE
      file is 132 bytes longer; after the second pass its size has increased
      by an additional 1206 to 1221 bytes (see 1.)
   3. The virus installs a TSR in memory which will infect executable
      files upon loading them (INT 21 subfunction 4B00), using 8208 bytes
      of memory
   4. The only "function" we found was an audible alarm (BELL character)
      whenever another file was successfully infected.
   5. It infects COM files that are bigger than 04B6h bytes and smaller
      than F593h bytes and start with a JMP (E9h)
   6. It infects EXE files if they are smaller than FDB3 bytes (no
      lower limit)
   7. It opens a file named "VACSINA.   " without checking the return
      value. At the end it closes this file without ever touching it.

 Facts 4 and 7 make us believe it is a "Beta-Test" virus that might
 have escaped prematurely by accident.
 The word VACSINA is really odd because of its spelling. All languages I
 checked (12) spell it VACC... only Norwegians write VAKSINE. Has anybody
 an idea?
 We produced a disinfectant and a guardian.
 The PC room at Cologne (28 PCs) was also infected by DOS62 (Vienna)!
 We call the virus VACSINA because of the unique filename it uses!

       Chris & Tobi & Rainer
*****************************************************************
* TORSTEN BOERSTLER AND CHRISTOPH FISCHER AND RAINER STOBER     *
* Micro-BIT Virus Team / University of Karlsruhe / West-Germany *
* D-7500 Karlsruhe 1, Zirkel 2, Tel.: (0)721-608-4041 or 2067   *
* E-Mail: RY15 at DKAUNI11.BITNET or RY12 at DKAUNI11.BITNET    *
*****************************************************************
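
The size figures in the post above are enough for a file-size triage against a known-good baseline. The following is an added example, not part of the original post and not the authors' disinfectant or guardian. The function names and sample records are constructed, and the "aligned" result assumes the 1206 to 1221 range comes from padding the file to a 16-byte paragraph before a 1206-byte body is appended.

```python
# Added example: flag files whose growth matches the figures reported in the post.
BODY_MIN, BODY_MAX = 1206, 1221      # COM growth range, per the post
EXE_PASS1 = 132                      # EXE growth after the first pass, per the post
COM_MIN, COM_MAX = 0x04B6, 0xF593    # COM size window (exclusive), per the post
EXE_MAX = 0xFDB3                     # EXE upper size limit (exclusive), per the post
PARAGRAPH = 16                       # DOS paragraph size in bytes

def aligned_growth(size):
    # Assumption: file is padded to a paragraph boundary, then 1206 bytes follow.
    return BODY_MIN + (-size) % PARAGRAPH

def body_match(base, delta):
    """Return None, 'range' or 'aligned' for a body-sized growth on top of base."""
    if not BODY_MIN <= delta <= BODY_MAX:
        return None
    return "aligned" if delta == aligned_growth(base) else "range"

def classify(name, old_size, new_size, first_byte):
    """first_byte is the first byte of the baseline (known-good) copy."""
    delta = new_size - old_size
    ext = name.rpartition(".")[2].upper()
    if delta == 0:
        return "unchanged"
    if ext == "COM" and COM_MIN < old_size < COM_MAX and first_byte == 0xE9:
        match = body_match(old_size, delta)
        if match:
            return f"suspect COM ({match})"
    if ext == "EXE" and old_size < EXE_MAX:
        if delta == EXE_PASS1:
            return "suspect EXE (first pass)"
        match = body_match(old_size + EXE_PASS1, delta - EXE_PASS1)
        if match:
            return f"suspect EXE (both passes, {match})"
    return "changed, no match"

# Constructed records: (name, baseline size, current size, baseline first byte)
SAMPLES = [
    ("EDIT.COM", 5000, 6214, 0xE9),
    ("TOOL.COM", 5000, 6214, 0xEB),   # does not start with JMP E9h
    ("CALC.EXE", 20000, 20132, 0x4D),
    ("DRAW.EXE", 20000, 21350, 0x4D),
]

def triage(records):
    return {name: classify(name, old, new, b) for name, old, new, b in records}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:10} {verdict}")
```

A "range" result means the growth falls inside the reported window without matching the paragraph-padding prediction; either result only marks a file for closer inspection.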

jcsewell@e.ms.uky.edu (Jim Sewell) (08/27/89)

Regarding the name VACSINA:

	Vaccine makes no sense as a name for a virus unless it was to be
passed off as a vaccine.  This program doesn't sound as if it was meant to
fool people with that ruse so I suggest that perhaps the name has nothing
to do with vaccines.  Perhaps it is the DEC VAX or Vacation or Vacuum as
opposed to vaccine.  Just a thought.
		Jim