Text File  |  1991-05-09  |  5.1 KB  |  113 lines

            *********************************************
            ***   Reports collected and collated by   ***
            ***            PC-Virus Index             ***
            ***      with full acknowledgements       ***
            ***            to the authors             ***
            *********************************************


==== Computer Virus Catalog 1.2: "Syslock" Virus (15-Feb-1990) ======

Entry.................. Syslock
Alias(es).............. ---
Strain................. Advent/Macho/Syslock family
Detected: when......... July 1989 (?)
          where........ USA
Classification......... Program Virus (postfix)
Length of Virus........ 3550-3560 (dec) bytes appended on
                             paragraph boundary

----------------------- Preconditions--------------------------------
Operating System(s).... MS/PC-DOS
Version/Release........ 3.00 and upwards
Computer models........ All IBM PC compatibles.

----------------------- Attributes------------------------------------

Easy identification.... Any string "MICROSOFT" is replaced with
                             "MACROSOFT".

Type of infection...... The virus infects both COM and EXE files.
                        EXE files: the virus checks the checksum in
                             the EXE header for 7CB6h, in which case
                             no infection will occur.
                        COM files: are checked by looking for the
                             string 39,28,46,03,03,01 (hex) at offset
                             10h. The virus is not RAM resident,
                             therefore it will only infect when the
                             host is run. It infects by searching
                             through the directories on the current
                             drive and randomly choosing files and
                             directories to infect or search. It will
                             not infect any other drive than the
                             current one. It will infect COMMAND.COM.

Infection trigger...... Virus will infect any time it is run.

Media affected......... All disks that are addressable using standard
                             DOS functions.

Interrupts hooked...... ---

Damage................. Will replace any occurrence of "MICROSOFT"
                             with "MACROSOFT". It does this by using
                             the DOS (not BIOS) interrupts 25h and
                             26h, and searching the disk from
                             beginning to end, sector by sector.  It
                             tries 20h sectors at a time, and stores
                             the last sector infected in the file
                             "\DOS\KEYB.PCM", which is marked "system"
                             and "hidden". After reaching the last
                             sector, it will start from the beginning
                             again.

Damage trigger......... Every time the host is run, after 1-Jan-1985.

Particularities........ The virus checks for the environment variable
                             "SYSLOCK=@" (therefore its name), in
                             which case it will not infect. The virus
                             is encrypted using a variable key.
                             The functions of DOS interrupts 25h and
                             26h have been changed in DOS 4.0.

Similarities........... See Macho virus documentation

----------------------- Agents----------------------------------------

Countermeasures........ Use the environment variable described
                             above as a first aid measure only. Here's
                             one of the few strings that can safely be
                             searched for:

                            50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,E1,
                            8A,C1,33,06,14,00,31,04,46,46,E2,F2,5E,59

                             This string will however identify Advent
                             and Macho as well.

 - ditto - successful.. For proper treatment, my antivirus "NTISYSL"
                             is highly recommended (in all humility).
                             Treatment by hand is very tedious and
                             only for experts.

Standard Means......... Booting from a write-protected disk and
                             restoring all COM and EXE files from the
                             original disks is the only way.

----------------------- Acknowledgements------------------------------

Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 1-Dec-1989
Information source..... ---

======================= End of "Syslock" Virus =======================
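
An added example (not part of the catalog entry, and not NTISYSL): a Python check that applies the indicators the entry gives to one file image, namely the search string, the COM marker at offset 10h, the EXE checksum value 7CB6h and the appended length. It assumes offset 10h is counted from the start of the file; the function names and the sample images are constructed here.

```python
import struct

# Search string from the Countermeasures field; per the entry it also
# matches Advent and Macho, so a hit means "this family", not "Syslock".
FAMILY_SIG = bytes.fromhex(
    "50 51 56 BE 59 00 B9 26 08 90 D1 E9 8A E1"
    "8A C1 33 06 14 00 31 04 46 46 E2 F2 5E 59")
COM_MARK = bytes.fromhex("39 28 46 03 03 01")  # string checked in COM files
COM_MARK_OFFSET = 0x10      # assumption: 10h counted from the start of the file
EXE_MARK = 0x7CB6           # value the virus looks for in the EXE checksum
EXE_CHECKSUM_OFFSET = 0x12  # position of the checksum word in the MZ header
MAX_VIRUS_LEN = 3560        # upper bound on the appended length from the entry


def scan(data: bytes) -> dict:
    """Report which indicators from the catalog entry one file image shows."""
    is_exe = data[:2] in (b"MZ", b"ZM")
    sig_at = data.find(FAMILY_SIG)  # -1 when absent
    if is_exe and len(data) >= EXE_CHECKSUM_OFFSET + 2:
        (checksum,) = struct.unpack_from("<H", data, EXE_CHECKSUM_OFFSET)
        marked = checksum == EXE_MARK
    elif is_exe:
        marked = False  # truncated header, no checksum field to read
    else:
        end = COM_MARK_OFFSET + len(COM_MARK)
        marked = data[COM_MARK_OFFSET:end] == COM_MARK
    return {
        "type": "EXE" if is_exe else "COM",
        "family_signature_at": sig_at,
        # The virus is appended, so a true hit lies in the file's tail.
        "signature_in_tail": sig_at >= 0 and sig_at >= len(data) - MAX_VIRUS_LEN,
        "infection_marker": marked,
    }


def constructed_samples() -> dict:
    """Synthetic file images (not real samples) that exercise each check."""
    clean_com = b"\x90" * 64 + b"\xc3"
    marked_com = bytearray(b"\x90" * 4096)
    marked_com[COM_MARK_OFFSET:COM_MARK_OFFSET + len(COM_MARK)] = COM_MARK
    marked_com += b"\x00" * 89 + FAMILY_SIG + b"\x00" * 3000
    marked_exe = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<H", marked_exe, EXE_CHECKSUM_OFFSET, EXE_MARK)
    return {"clean.com": clean_com, "marked.com": bytes(marked_com),
            "marked.exe": bytes(marked_exe)}


if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(name, scan(image))
```

A marker without the search string is a weak indicator on its own, and a search-string hit outside the file's tail deserves a manual look before any verdict.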
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++