-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
- Date: 15 November, 1990
- From: Padgett Peterson <padgett%tccslr.dnet@uvs1.orl.mmc.com>
- Subject: New MS-DOS Virus (PC)
-
- Have just had an opportunity to examine (briefly) a new virus as yet
- unnamed (DataLock/920 ?). This does not appear to be a very great
- threat since it does apparently nothing to hide itself (but then,
- neither does the Jerusalem).
-
- The virus infects a machine by running an infected file. It goes
- resident in the Top Of Memory reducing a CHKDSK return by 2048 bytes
- (a 640k machine will return 653312 bytes total memory instead of
- 655360). Int 12 is not affected so a comparison will result in a
- mismatch similar to the 4096. Each time an .EXE file is executed, it
- will increase in size by 920 bytes. The virus will only infect a
- file once but will infect any .EXE executed. The string "DataLock
- version 1.00" was found in clear near the end of an infected test
- file & at location 9000:fca8 in memory on my 640k isolation machine.
-
- The virus appears to trap INT 21 and determines if it is in memory
- by returning a value of 1234 in AX if INT 21 is called with function
- BE.
-
- The current version of SCAN (v67c) does not yet detect this but all
- of you do check the "three bytes", don't you?
-
- Further information will be posted as discovered.
-
- Padgett, just back from the
- CSI Conference in Atlanta and had a great time.
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
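
The indicators in the report above (the clear-text string near the end of an infected .EXE, the 920-byte growth, and the 2048-byte gap between the Int 12 figure and CHKDSK's total) can be combined into a file triage script. This is an added example, not part of the original report; the 1 KiB tail window and the baseline size map are assumptions made for illustration.

```python
"""Triage .EXE files for the indicators in the report (added example)."""
import os

MARKER = b"DataLock version 1.00"  # string the report found in clear
GROWTH = 920                       # bytes added to an infected .EXE
RESIDENT = 2048                    # bytes taken at top of memory
TAIL_WINDOW = 1024                 # assumption: "near the end" = last 1 KiB


def check_exe(data, baseline_size=None):
    """Return the set of report indicators present in one file image."""
    hits = set()
    if MARKER in data[-TAIL_WINDOW:]:
        hits.add("marker")
    # baseline_size is the length recorded while the file was known clean
    if baseline_size is not None and len(data) - baseline_size == GROWTH:
        hits.add("growth")
    return hits


def memory_mismatch(int12_kb, chkdsk_total_bytes):
    """Bytes missing between Int 12's figure and CHKDSK's total memory."""
    return int12_kb * 1024 - chkdsk_total_bytes


def scan_tree(root, baseline):
    """Walk root; baseline maps relative path -> known-clean size (assumed)."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                hits = check_exe(fh.read(), baseline.get(rel))
            if hits:
                findings[rel] = hits
    return findings


if __name__ == "__main__":
    # Constructed sample: 3000 clean bytes plus a 920-byte tail with the marker.
    clean = b"MZ" + bytes(2998)
    grown = clean + bytes(400) + MARKER + bytes(GROWTH - 400 - len(MARKER))
    print(sorted(check_exe(grown, len(clean))))
    print(memory_mismatch(640, 653312) == RESIDENT)
```

Either indicator alone is weak evidence: the string also appears in copies of this report, and a 920-byte size change can have other causes, so a file is worth isolating when both are present.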