Path: sparky!uunet!gatech!paladin.american.edu!darwin.sura.net!jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: cspl1@saathi.ernet.in (Dr. Raj Mehta)
Newsgroups: comp.virus
Subject: Two new Indian viruses found! (PC)
Message-ID: <0015.9207271931.AA18193@barnabas.cert.org>
Date: 23 Jul 92 19:05:07 GMT
Sender: virus-l@lehigh.edu
Lines: 120
Approved: news@netnews.cc.lehigh.edu


NEW VIRUS

Two new Indian viruses have been found. These were uploaded to
Dr. Alan Solomon by me and his Toolkit now looks out for them.

NAME: MUGSHOT VIRUS (AKA ANIL RAO VIRUS)
----------------------------------------
DISCOVERED BY:
Neville Bulsara & Suchit Nanda (Microcomputer Users' Club, Bombay
& Comsoft Services)

This one's a real coool dude! Got his own(?) mugshot inside, and
he flashes it around! Wish it were clearer - would help to make
an example out of him!

INFECTION:
On booting from an infected floppy disk, the virus takes over
interrupt 9h, i.e. the keyboard interrupt, and interrupt 13h,
which is the disk interrupt handler.

The keyboard handler does the following:
The original keyboard vector is revectored to point to interrupt
6Eh, which is normally unused. Upon every occurrence of a keyboard
interrupt, the virus increments a series of variables. Once these
variables reach a total value of 512 (200h), indicating that a
total of 256 keys have been depressed, the virus triggers if the
video mode is medium resolution 4 color (320 x 200 - mode 4). At
this point a flag is set to indicate that the threshold has been
crossed. If the video mode is correct, a mugshot of the "Mug"
himself is displayed in the top left-hand corner of the screen.
This mugshot remains on the screen as long as you remain in
this graphics mode. If the mode is reset to any other than the one
required by the virus, the mugshot disappears. However, switching
back to mode 4 at any point results in the mugshot reappearing as
soon as a key is pressed. In fact, in mode 4, the mugshot is
refreshed every time a keyboard interrupt occurs.


DISK INTERRUPT HANDLER
The disk interrupt is mapped to 6Dh, like Brain & Print Screen.
The virus only infects disks in floppy drives A & B.

On closer examination it seems certain that this is a hacked copy
of the Brain virus, the major change being a completely rewritten
keyboard handler and the mugshot display. The signature is also
different. The stealth algorithm is the same as Brain's, as is the
disk handler. Messages have been changed and the name of the
alleged author of the hack is present in between the code.
However, we cannot categorically state that Mr. Anil Rao is the
originator of this virus, as changing the name is a relatively
simple job. What we are convinced of is that this virus is of Indian
origin, as it has not been detected elsewhere and Anil Rao is a
common Indian name.


MUGSHOT POEM (Not part of the virus!)

This is the Mugshot virus
It's a real coool dude
It's got a real mugshot
Whatta pity its not in the nude

Its a namby pamby virus
Which is really a great big pity
If not you would see RedAlert
Reaally selling in this city

What this here guy does
When he's in the mood
Is display his crappy mugshot
Which may be why hell be sued

POEM: Peter Theobald (Microcomputer Users' Club)

VA IITD (BAGOBA File Virus)
---------------------------
Detected by:
Chetan Varde & Suchit Nanda (Microcomputer Users' Club, Bombay)

Description:
This virus is a memory resident .EXE file infector only. The only
way the virus can get into the memory of the computer is by
execution of an infected .EXE program. Once in memory the virus
relocates itself to the top of RAM at address 9F60:0000h. It then
modifies the Top of Memory location in the PSP, marking it 00A0h
bytes less than what it actually is. This is done to ensure that DOS
does not allocate the memory used by the virus to any other program.
The virus redirects Interrupt 21h calls to itself so that it can
infect executables when a "load & execute" command is sent to DOS.
The virus has no self-recognition scheme built into it, and therefore
infected .EXE files keep getting reinfected and hence keep
growing in size. The infection of a file consists of making the
.EXE file a perfect multiple of 10h bytes in length and then appending
663h bytes of viral code. The header of the .EXE is modified so that
the virus gets control first. The virus also increments the MINALLOC
field in the .EXE file header.
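A header check written from the description above, as an added example that is not VIR_KILL or any code from the post. It parses the DOS MZ header and applies two assumed heuristics (the entry point lies inside the final 663h bytes of the load image, and the image length is 3 mod 16 because a file padded to 10h plus 663h leaves that residue and every further reinfection adds 670h); the fixture builder is constructed here only to exercise the check and contains filler bytes, not viral code.

```python
import struct

VIRAL_TAIL = 0x663   # bytes appended per infection, per the post
HDR_FMT = "<2s12H"   # e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc ... e_lfarlc

def parse_mz(data: bytes) -> dict:
    """Pull the MZ header fields the check needs (offsets 0..0x19)."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (_, cblp, cp, _crlc, cparhdr, minalloc, _maxalloc, _ss, _sp, _csum,
     ip, cs, _lfarlc) = struct.unpack_from(HDR_FMT, data, 0)
    image = cp * 512 if cblp == 0 else (cp - 1) * 512 + cblp
    return {"image_size": image, "minalloc": minalloc,
            "entry": cparhdr * 16 + cs * 16 + ip}   # file offset of CS:IP

def suspect_va_iitd(data: bytes) -> dict:
    """Assumed heuristic (not VIR_KILL's method): the infector must extend
    e_cp/e_cblp to cover its tail, so the entry lands in the last 663h
    bytes and the image length is 3 mod 16 (pad to 10h + 663h; each
    further reinfection adds 0Dh pad + 663h = 670h, keeping the residue)."""
    h = parse_mz(data)
    h["entry_in_tail"] = (h["image_size"] > VIRAL_TAIL
                          and h["entry"] >= h["image_size"] - VIRAL_TAIL)
    h["size_residue"] = h["image_size"] % 16 == 3
    h["suspect"] = h["entry_in_tail"] and h["size_residue"]
    return h

def make_clean_exe(code_len: int = 0x100, minalloc: int = 0x10) -> bytes:
    """Constructed minimal .EXE: a 2-paragraph header plus NOP filler."""
    cp, cblp = divmod(32 + code_len, 512)
    hdr = struct.pack(HDR_FMT, b"MZ", cblp, cp + bool(cblp), 0, 2, minalloc,
                      0xFFFF, 0, 0x100, 0, 0, 0, 0x1C)
    return hdr.ljust(32, b"\0") + b"\x90" * code_len

def make_reinfected_fixture(n: int) -> bytes:
    """Constructed fixture (zero filler, no viral code): grow a clean file
    n times the way the post describes, so the checker can be exercised."""
    data = bytearray(make_clean_exe())
    for _ in range(n):
        data += b"\0" * (-len(data) % 16)      # pad to a multiple of 10h
        tail = len(data)
        data += b"\0" * VIRAL_TAIL             # append 663h bytes
        cp, cblp = divmod(len(data), 512)
        struct.pack_into("<HH", data, 2, cblp, cp + bool(cblp))
        minalloc = struct.unpack_from("<H", data, 0x0A)[0]
        struct.pack_into("<H", data, 0x0A, minalloc + 1)   # MINALLOC++
        rel = tail - 32                        # tail offset past the header
        struct.pack_into("<HH", data, 0x14, rel % 16, rel // 16)  # e_ip, e_cs
    return bytes(data)

if __name__ == "__main__":
    for label, blob in (("clean", make_clean_exe()), ("x2", make_reinfected_fixture(2))):
        print(label, suspect_va_iitd(blob))
```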

The antivirus VIR_KILL.EXE, written by Chetan Varde, a member of
Microcomputer Users' Club, Bombay, finds and cleans up files infected
with this virus. The clean-up works even if the .EXE file has been
infected multiple times by this virus. To ensure that the virus is
not active when this antivirus program is run, it attempts to
restore the address of the MS-DOS kernel in the interrupt vector
table. As a result, memory resident applications and device drivers
may get disabled. A reboot is recommended after running the
antivirus program to ensure proper working of the machine.

If you need any more information on either of them please post a net
message on Internet to:
cspl1@shakti.ncst.ernet.in

Suchit Nanda
Chief Editor - Microcomputer Users' Club
Product Manager - COMSOFT Services

E-mail (Internet): cspl1@shakti.ncst.ernet.in
X.400: C=IN A=VSNB G=PETER S=THEOBALD O=COMSOFT
Add: C-503, Eden-IV, Hiranandani Garden, Powai, Bombay 400 076. INDIA
Voice: 91-22-5781132 FAX: 91-22-2041389/2040395
