-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
-
- Vesselin Bontchev reported in May 1990:
-
- The V800 virus (Live after Death)
- =================================
-
- I was already sending this letter when a new virus popped up. I
- haven't studied it yet. At first glance, it has the following
- properties:
-
- - The virus infects .COM-files in a rather strange way. Large parts
- of them can be found in the virus body and parts of the virus can be
- found in the file (before the end of the original - non-infected -
- file). It does not infect files with size less than 1024 bytes. It
- seems that COMMAND.COM is never infected (there is a check for 'CO'
- and 'MM' in the virus body). Sometimes the virus can attach itself
- multiple times to a file. Files grow by 800 bytes after each
- infection.
-
- - Files are infected both when one executes them and when one copies
- them.
-
- - The virus is memory resident. It uses 8 K of memory. I still
- cannot figure out why so much memory is needed.
-
- - The virus is able to fetch the original INT 13h handler in PC-DOS
- version 3.30. This is achieved in the same manner as in the Number
- of the Beast (512) virus.
-
- - The virus does not intercept INT 21h. Instead, it intercepts INT
- 2Ah, function 82h. This interrupt is called on every DOS function
- call that deals with files.
-
- - The virus is encrypted. It seems that the encrypted part does not
- change from file to file (as the Cascade virus does), but I'm not
- sure.
-
- - When the virus decrypts itself in memory, the string "Live after
- Death" appears in its body. I have suspicions that this virus was
- also created by the Dark Avenger.
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
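
Added example, not part of the report above or of the PC-Virus Index collection: a size-growth triage that compares a known-good manifest of .COM file sizes with a current listing and flags growth that fits the reported pattern (800 bytes per infection, hosts of at least 1024 bytes, COMMAND.COM skipped). The function name, verdict labels and sample manifests are constructed for illustration.

```python
# Heuristic triage only: the report is a first-glance description, so a size
# match is a reason to inspect a file, not proof of infection.
INFECTION_GROWTH = 800        # bytes added per infection, per the report
MIN_HOST_SIZE = 1024          # smaller files are reportedly not infected
SKIPPED_HOST = "COMMAND.COM"  # reportedly never infected


def triage(baseline, current):
    """Compare two {filename: size} manifests.

    Returns {NAME: (verdict, detail)} for every .COM file that is new or
    whose size changed. DOS names are case-insensitive, so keys are upper-cased.
    """
    base = {name.upper(): size for name, size in baseline.items()}
    findings = {}
    for name, size in current.items():
        name = name.upper()
        if not name.endswith(".COM"):
            continue
        if name not in base:
            findings[name] = ("new-file", "no baseline size; cannot compare")
            continue
        delta = size - base[name]
        if delta == 0:
            continue
        count, rest = divmod(delta, INFECTION_GROWTH)
        fits = (delta > 0 and rest == 0
                and base[name] >= MIN_HOST_SIZE and name != SKIPPED_HOST)
        if fits:
            # Multiple attachments are possible, so any multiple of 800 counts.
            findings[name] = ("matches-v800-growth",
                              f"+{delta} bytes, consistent with {count} infection(s)")
        else:
            findings[name] = ("changed-other",
                              f"{delta:+d} bytes, does not fit the reported pattern")
    return findings


# Constructed sample manifests (sizes are invented, not real DOS file sizes).
BASELINE = {"EDIT.COM": 4096, "FORMAT.COM": 11616, "TINY.COM": 512,
            "COMMAND.COM": 25307, "MORE.COM": 313}
CURRENT = {"edit.com": 4896, "FORMAT.COM": 13216, "TINY.COM": 1312,
           "COMMAND.COM": 26107, "MORE.COM": 313, "NEW.COM": 2000,
           "README.TXT": 100}

if __name__ == "__main__":
    for name, (verdict, detail) in sorted(triage(BASELINE, CURRENT).items()):
        print(f"{name:12} {verdict:20} {detail}")
```

Files reported as changed-other or new-file still deserve a look; they simply do not fit the growth pattern given in the report.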