Text File  |  1991-05-09  |  4.6 KB  |  101 lines

            *********************************************
            ***   Reports collected and collated by   ***
            ***            PC-Virus Index             ***
            ***      with full acknowledgements       ***
            ***            to the authors             ***
            *********************************************


==== Computer Virus Catalog 1.2: "Fumanchu-Virus" (15-Feb-1990) ======

Entry...............: "Fumanchu-Virus"
Alias(es)...........:
Virus Strain........: Jerusalem-Virus Strain
Virus detected when.:
              where.:
Classification......: Program-virus (extending), RAM-resident
Length of Virus.....: .COM files: program length increases by
                                  2086 bytes
                      .EXE files: program length increases by
                                  2080 - 2095 bytes

--------------------- Preconditions ----------------------------------

Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles

--------------------- Attributes -------------------------------------

Easy Identification.: Typical texts in Virus body (readable with
                         HexDump-facilities):
                         1. "sAXrEMHOr" and "COMMAND.COM" in the
                            data area of the virus and
                         2. "rEMHOr" are the last 6 bytes if the
                            infected program is a .COM file.

Type of infection...: System: infected if function E1h of INT 21h
                         returns the value 0400h in the AX register.
                      .COM files: program length increases by 2086
                         bytes if it is infected and the last 6 bytes
                         are "rEMHOr" (identification); a .COM file
                         will not be infected more than once.
                      .EXE files: program length increases by 2080
                         - 2095 bytes; if it is infected, the word
                         checksum in the EXE-header is "1988"; an
                         EXE file will not be infected more than once.

Infection Trigger...: Programs are infected when loaded (using the
                         function Load/Execute of MS-DOS).

Interrupts hooked...: INT08h, INT09, INT16, INT21 (INT24 only while
                         infecting a file).

Damage..............: Transient Damage:
                      1. The message 'The world will hear from me
                         again!  ' is displayed on every warmboot.
                      2. The virus watches the keyboard input and
                         appends slanders about politicians in the
                         keyboard buffer.

Damage Trigger......: Every time the system is infected.
                      Damage 1: always
                      Damage 2: from August 89

Particularities.....: 1. .COM files larger than 63193 bytes are no
                              longer loadable after infection.
                      2. .COM files larger than 63449 bytes are
                              destroyed by overwriting.
                      3. Three functions used by Novell-Netware 4.0
                              cannot be used.
                      4. The virus code contains a routine that will
                              automatically reboot the system between
                              1 and 16 hours. This code is never
                              activated due to a programming mistake.
                      5. All strings are encrypted.

--------------------- Agents -----------------------------------------

Countermeasures.....: Category 3: ANTIFUMN.EXE (VTC Hamburg)

Countermeasures successful: ANTIFUMN.EXE is an antivirus that only
                              looks for the Fumanchu Virus and, if
                              requested, will restore the file.

Standard means......: File length increased if a program is infected.

--------------------- Acknowledgement --------------------------------

Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
                      Morton Swimmer
Date................: December 15, 1989
===================== End of "Fumanchu" Virus ========================


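Added example (not part of the original report and not the code of ANTIFUMN.EXE): a Python check for the file-level indicators listed under "Easy Identification" and "Type of infection". It assumes the EXE checksum "1988" is the hexadecimal word 1988h at offset 12h of the MZ header; the function and constant names are illustrative, and the sample buffers are constructed and hold only the marker values.

```python
import struct

# Values below are taken from the catalog entry unless marked otherwise.
COM_TAIL = b"rEMHOr"      # last 6 bytes of an infected .COM file
BODY_TEXT = b"sAXrEMHOr"  # text in the data area of the virus
COM_GROWTH = 2086         # bytes added to a .COM file
EXE_GROWTH_MIN = 2080     # smallest growth of an .EXE file
EXE_CHECKSUM = 0x1988     # ASSUMPTION: the entry's "1988" read as a hex word


def fumanchu_indicators(data, exe_checksum=EXE_CHECKSUM):
    """Return the entry's file-level indicators present in a program image."""
    hits = []
    if data[:2] in (b"MZ", b"ZM") and len(data) >= 0x1C:
        # EXE image: the checksum word sits at offset 12h of the MZ header.
        (checksum,) = struct.unpack_from("<H", data, 0x12)
        if checksum == exe_checksum and len(data) > EXE_GROWTH_MIN:
            hits.append("exe-header-checksum")
    elif len(data) > COM_GROWTH and data.endswith(COM_TAIL):
        # COM image: must be longer than the added code and end in the marker.
        hits.append("com-tail-marker")
    if BODY_TEXT in data:
        hits.append("body-text")
    return hits


def constructed_samples():
    """Constructed buffers that carry only the marker values, no virus code."""
    exe_header = b"MZ" + bytes(0x10) + struct.pack("<H", EXE_CHECKSUM) + bytes(8)
    return {
        "clean_com": b"\x90" * 3000 + b"\xc3",
        "marked_com": b"\xe9\x00\x00" + bytes(3000) + BODY_TEXT + bytes(100) + COM_TAIL,
        "short_com": b"\x90" * 100 + COM_TAIL,  # too short to hold the added code
        "marked_exe": exe_header + bytes(3000),
        "clean_exe": b"MZ" + bytes(0x1A) + bytes(3000),
    }


if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(f"{name:11s} {fumanchu_indicators(image)}")
```

A checksum match on its own is a weak indicator; read it together with the length increase the entry gives under "Standard means".
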
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++