Text File  |  1991-05-09  |  9.8 KB  |  206 lines


             *********************************************
             ***   Reports collected and collated by   ***
             ***            PC-Virus Index             ***
             ***      with full acknowledgements       ***
             ***            to the authors             ***
             *********************************************


  JERUSALEM precursors: SURIV 1, 2 & 3
  ====================================

  These are earlier versions of JERUSALEM and were once considered
  extinct.  However, versions were reported at large in the USSR in late
  1990.

          SURIV 1 (897 bytes) Infects COM files only and displays the
                   message on 1st April, any year:
                   'APRIL 1ST HA HA HA YOU HAVE A VIRUS'
                   and the machine locks.
                   After 1st April 1988, the virus produces the message:
                   'YOU HAVE A VIRUS!!!'

          SURIV 2 (1488 bytes) Infects EXE files only and displays
                   similar effects on 1st April only.
                   The machine also locks one hour after infection if
                   the year is 1980 or if the date is 6th April 1988.

          SURIV 3 (1808 bytes) Infects both COM and EXE files and is very
                   similar to Jerusalem, the main difference being
                   that the system slowdown occurs after 30 seconds,
                   not 30 minutes.

   Detailed descriptions follow:

=== Computer Virus Catalog 1.2: "sURIV 1.01 Virus" (15-Feb-1990) =====
Entry...............: "sURIV 1.01"
Alias(es)...........:
Virus Strain........: Jerusalem-Virus
Virus detected when.:
              where.:
Classification......: Link - Virus (extending), RAM - resident
Length of Virus.....: .COM - Files: Program length increases
                      by 897 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PC, XT, AT and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Typical text in Virus body (readable with
                           HexDump-utilities): "sURIV 1.01"

Type of infection...: System: RAM-resident.
                      .COM file: extended by using the EXEC-function. A
                           file will not be infected more than once.
                           'COMMAND.COM' will not be infected.
                      .EXE File: no infection.
Infection Trigger...: When function 4B00H of INT 21H (EXEC) is called.
Interrupts hooked...: INT 21H, INT 24H

Damage..............: Permanent Damage: ---
                      Transient Damage: The virus examines the current
                           date. Every 1st April in a year greater
                           than 1987, the virus will display the
                           message "APRIL 1ST HA HA HA YOU HAVE A VIRUS"
                           and the computer will hang in an endless
                           loop. If the date is later than 1st April,
                           only "YOU HAVE A VIRUS !!!" is displayed.
Particularities.....: Programs longer than 64382 bytes are no longer
                           loadable.
--------------------- Agents -----------------------------------------
Countermeasures.....:
- ditto - successful:
Standard means......:
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke
Documentation by....: Thomas Lippke
Date................: February 20, 1990

     ---------  more - Report on SURIV 2 follows ------------


====== Computer Virus Catalog 1.2: "SURIV 2.01" (5-June-1990) =======
Entry...............: "SURIV 2.01"
Alias(es)...........: "APRIL 1ST"
Virus Strain........: Jerusalem-Virus
Virus detected when.: ---
              where.: ---
Classification......: Link - Virus (extending), RAM - resident
Length of Virus.....: .EXE - Files: Program length increases
                                    by 1488 bytes
------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PC, XT, AT and compatibles
------------------- Attributes --------------------------------------
Easy Identification.: Typical text in Virus body (readable with
                      HexDump-utilities): "sURIV 2.01"
Type of infection...: System: RAM-resident.
                      .EXE file: extended by using the EXEC-function;
                           files will not be infected more than once.
                      .COM File: no infection.
Infection Trigger...: When function 4B00H of INT 21H (EXEC) is called.
Interrupts hooked...: INT 1C, INT 21H, INT 24H
Damage..............: Permanent Damage: --
                      Transient Damage:
                         The virus examines the current date. On every
                         1st April, the virus will display the message
                         "APRIL 1ST HA HA HA YOU HAVE A VIRUS", and
                         the computer will hang in an endless loop.
                         In 1980, and on every Wednesday after 1st April
                         1988, the computer will hang in an endless loop
                         at the latest 55 minutes after system
                         infection.
Particularities.....: One function (0DEH) used by Novell - Netware 4.0
                      can't be used.
-------------------- Agents ------------------------------------------
Countermeasures.....: ---
- ditto - successful: ---
Standard means......: Notice .EXE file length.
                      Typical text in virus body: "sURIV 2.01"
-------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke
Documentation by....: Thomas Lippke
Date................: 5-June-1990

             ------- more report on SURIV 3 follows ---------

=== Computer Virus Catalog 1.2: "Suriv 3.00" Virus (5-June-1990) =====
Entry...............: Suriv 3.00
Alias(es)...........: Jerusalem (B) = Israeli #3 Virus
Virus Strain........: Israeli-Virus
Classification......: Program Virus (extending), RAM-resident
Length of Virus.....: .COM files: length increases by 1813 bytes.
                      .EXE files: length increases by 1808-1823 bytes.
                                (.EXE file length must be a multiple
                                of 16 bytes, as in any .EXE file)

------------------ Preconditions -----------------------------------
Operating System(s).: MS-DOS, PC-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
------------------- Attributes --------------------------------------
Easy Identification.: Typical texts in Virus body (readable with
                            HexDump facilities):  "sURIV 3.00".

Type of infection...: System: infected if function E0h of INT 21h
                              returns value 0300h in the AX-register.
                      .COM files: program length increases by 1813;
                              files are infected only once;
                              COMMAND.COM will not be infected.

                      .EXE files: program length increases by 1808
                              - 1823 bytes, and no identification is
                              used; therefore, .EXE files can be
                              infected more than once.

Infection Trigger...: Programs are infected at load time (using the
                      Load/Execute function of MS-DOS).
Interrupts hooked...: INT21h, INT08h
Damage..............: 1. 30 seconds after the 1st infected program
                         was run, the virus scrolls up 2 lines in a
                         small window of the screen (left corner 5,5;
                         right corner 16,16).

                      2. The virus slows down the system by about
                         10 %.

Damage Trigger......: Every time the system is infected.
Particularities.....: 1. The version of Suriv 3.00 which we have
                         analyzed compares the system date with
                         "Friday 13th", but is not able to recognize
                         "Friday 13th" because of a "bug"; if it
                         correctly recognized this date, it would delete
                         any program started on "Friday 13th".
                      2. .EXE files can be infected many times.
                      3. Novell Netware 4.0 functions, esp. "Print
                         Spooling" (INT21h/E0h), "Set Error Mode"
                         (INT21h/DDh) and "Set Broadcast Mode"
                         (INT21/DEh) cannot be used.

--------------------- Agents -----------------------------------------

Countermeasures.....: The virus will be detected by:
                      VIRSUCH  2.15 (D. Hoppenrath) as Israeli #3
                      F-FCHK   1.08 (F. Skulason)   as
                                                Israeli/Jerusalem

                      SCAN     3.1  (McAfee)        as Jerusalem Ver. B
                      FINDVIRU 6.04 (Solomon)       as Suriv 3
                      Several antivirus programs do not work safely.

-------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Jörg Steindecker
Documentation by....: Jörg Steindecker, Joe Hirst (BCVRC)
Date................: 5-June-1990
Updates by..........: ---
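The three entries above give the same "standard means" of detection: the readable text in the virus body ("sURIV 1.01", "sURIV 2.01", "sURIV 3.00") and the catalogued growth in file length. The following is an added example, not code from the catalog or the Virus Test Center, that applies exactly those two checks to a file image; it also handles the Suriv 3.00 case where a .EXE file has been infected more than once, so the growth is a multiple of 1808-1823 bytes. The sample inputs are constructed, not real infected files.

```python
"""Signature and length check for the SURIV 1.01 / 2.01 / 3.00 entries.
Added example; markers and growth figures are the ones in the catalog."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# marker text -> (name, {extension: (min growth, max growth, may repeat)})
SIGNATURES: Dict[bytes, Tuple[str, Dict[str, Tuple[int, int, bool]]]] = {
    b"sURIV 1.01": ("SURIV 1.01", {".COM": (897, 897, False)}),
    b"sURIV 2.01": ("SURIV 2.01", {".EXE": (1488, 1488, False)}),
    b"sURIV 3.00": ("Suriv 3.00", {".COM": (1813, 1813, False),
                                   ".EXE": (1808, 1823, True)}),
}

@dataclass
class Finding:
    variant: str
    offset: int                 # where the marker text was found
    growth_ok: Optional[bool]   # None if no clean size was supplied

def growth_matches(delta: int, lo: int, hi: int, repeatable: bool) -> bool:
    """True if delta fits one infection, or k infections when repeatable."""
    if not repeatable:
        return lo <= delta <= hi
    k = 1
    while k * lo <= delta:          # Suriv 3.00 .EXE: each pass adds 1808-1823
        if delta <= k * hi:
            return True
        k += 1
    return False

def scan_bytes(data: bytes, ext: str, clean_size: Optional[int] = None) -> List[Finding]:
    """Report every catalogued marker present in data (a file's contents).
    If clean_size (length of a known-good copy) is given, the length growth
    is compared with the catalogued figure for that file type."""
    found = []
    for marker, (name, growth) in SIGNATURES.items():
        off = data.find(marker)
        if off < 0:
            continue
        ok = None
        if clean_size is not None and ext.upper() in growth:
            lo, hi, rep = growth[ext.upper()]
            ok = growth_matches(len(data) - clean_size, lo, hi, rep)
        found.append(Finding(name, off, ok))
    return found

# Constructed samples: a 200-byte "clean" .COM body plus an 897-byte block
# carrying the SURIV 1.01 text, and a 512-byte "clean" .EXE body with two
# 1810-byte Suriv 3.00 blocks appended (infected twice).
SAMPLE_COM = bytes(200) + b"sURIV 1.01" + bytes(887)
SAMPLE_EXE_TWICE = bytes(512) + (b"sURIV 3.00" + bytes(1800)) * 2
```

A marker hit alone is the catalog's "easy identification"; the length check only applies when a known-good copy of the program is available to compare against.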


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++