-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
-
- ===== Computer Virus Catalog 1.2: Sadam Virus (14-February-1991) =====
- Entry...............: Sadam Virus
- Alias(es)...........: =Saddam Virus
- Virus strain........: Stupid Virus Strain (?)
- Virus detected when.: 1-October-1989
- where.: BBS in Israel
- Classifications.....: COM file infecting virus/extending, resident.
- Length of virus.....: 917-924 bytes, depending on size of name
- of infected file.
- Length of Virus.....: 919 bytes appended (CBh+2CCh)
- --------------------- Preconditions ----------------------------------
- Operating system(s).: MS-DOS
- Version/release.....: 2.0 or higher
- Computer model(s)...: IBM PC,XT,AT and compatibles
- --------------------- Attributes -------------------------------------
- Identification......: Memory: INT 6Bh points to original INT 21h.
- (see Particularities [4])
- .COM files: The encrypted message; to decrypt
- the string, add 6 to each char, the terminat-
- ing char is 24h before adding 6. The name of
- the infected file is stored with the virus.
- (name is stored at infection time; later
- renaming will not be recognized!)
- Type of infection...: System: The virus copies itself to high memory
- at the address [0:413]*40h-867h.
- The virus does not diminish the memory size
- by what is written in [0:413], nor will DOS
- regard that area as used; therefore, big
- programs may hang-up the system.
- .COM files: Extends .COM files; appends 919
- bytes to the end of the file.
- .EXE files: Not infected.
- Infection trigger...: Several file services of INT 21h
- Interrupts hooked...: INT 21h, INT 6Bh.
- Damage..............: Displays the message:
- "HEY SADAM"{LF}{CR}
- "LEAVE QUEIT BEFORE I COME" (wrong syntax)
- Damage trigger......: Counts the number of infections; on every 8th
- infection, the string will be displayed.
- Particularities.....: 1. Many programs load themselves to this area and
- therefore erase the virus from memory.
- 2. The virus uses INT 6BH replacement for the
- original INT 21H.
- 3. The virus infects just files in the current
- directory.
- 4. If the disk is write-protected, the message
- from DOS about write protection will be dis-
- played when the virus tries to spread.
- 5. The virus will not be able to change files
- that have the Read-Only attribute set.
- --------------------- Agents -----------------------------------------
- Countermeasures.....: F-Prot 1.13 RESIDENT PART ONLY: identifies the
- virus as The Stupid Virus and does not let
- the program get into memory.
- --------------------- Acknowledgement --------------------------------
- Classification by...: Baruch Even (NYEVENBA@WEIZMANN.BITNET)
- Matthias Jaenichen, VTC-Hamburg
- Documentation by....: Matthias Jaenichen, VTC-Hamburg
- Date................: 5-October-1990
- Update..............: 14-February-1991
- Information Source..: ---
- ===================== End of Sadam - Virus ===========================
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-