            *********************************************
            ***   Reports collected and collated by   ***
            ***            PC-Virus Index             ***
            ***      with full acknowledgements       ***
            ***            to the authors             ***
            *********************************************


===== Computer Virus Catalog 1.2: "Zero Bug" Virus (15-Feb-1990) =====

Entry...............: "Zero Bug"
Alias(es)...........: "ZBug","Palette"
Virus Strain........:
Virus detected when.: October 1989
              where.:
Classification......: Link-Virus (extending), RAM-resident
Length of Virus.....: .COM-Files increased by 1536 bytes
                           in RAM : 1792 bytes + environment

--------------------- Preconditions ----------------------------------

Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles

--------------------- Attributes -------------------------------------

Easy Identification.: Typical text in Virus body (readable with
                           HexDump-utilities): "ZE","COMSPEC=C:",
                           "C:\COMMAND.COM".
                      .COM files: "seconds" field of the timestamp
                           changed to 62 sec (similar to GhostBalls
                           and the original Vienna viruses).

Type of infection...: System: RAM-resident, infected if string "ZE"
                           is found at offset 0103h (INT 60h).
                      .COM file: extended by using CREATE-function.
                           Adds 1536 bytes to the beginning of the
                           file; a file will not be infected more
                           than once.
                      .EXE File: no infection.

Infection Trigger...: When functions 3C00h (CREATE) and 4000h (WRITE)
                           of INT 21h are called (e.g. if you use
                           "COPY *.COM <destination>", then every
                           destination-file will be infected).

Interrupts hooked...: INT 60h, INT 21h, INT 1Ch

Damage..............: Permanent Damage:
                      1.  Every time a .COM file is created in an
                          infected system with function 3Ch of INT
                          21h, the file will be infected.

                      Transient Damage:
                      1.  If INT 1Ch is hooked, every 14 sec INT 21h
                          will be set to the virus code (programs which
                          hooked INT 21h will be unhooked and hang).
                      2.  All characters "0" (zero) will be exchanged
                          with other characters. Exchange characters
                          are 01h, 2Ah, 5Fh, 3Ch, 5Eh, 3Eh and 30h,
                          in which case the attribute is set to
                          background color (i.e. the character is
                          invisible). This routine uses about 10% of
                          CPU time (system is slowed down accordingly).
                      3.  Modifies the file length in the Disk
                          Transfer Area (DTA): files do not appear
                          as infected. The length of the files with
                          seconds field of timestamp set to 62 sec
                          will be modified in DTA accordingly:
                          filelength := filelength - viruslength.

Damage Trigger......: Only if "C:\COMMAND.COM" is infected, INT 1Ch is
                          hooked and damage is done.
                      After 240 reboots of system, the first damage
                          occurs. The next damage occurs after every
                          fifth reboot.

Particularities.....: In case of MS-DOS error in 2.xx, system can hang
                          by infection of "C:\COMMAND.COM".
                      Programs longer than 63728 bytes are not
                          executed correctly after infection.

--------------------- Agents -----------------------------------------

Countermeasures.....: Category 3: ANTI_ZBG.EXE (VTC Hamburg)

- ditto - successful: ANTI_ZBG.EXE finds and restores infected
                      programs.

        unsuccessful: Programs which check only the file length of
                      infected files in an infected system may fail.

Standard means......: Notice .COM file length.

--------------------- Acknowledgement --------------------------------

Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Stefan Tode
Documentation by....: Stefan Tode
Date................: January 20, 1990

===================== End of "Zero Bug"-Virus ========================


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
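
Added example, not part of the catalog entry or of ANTI_ZBG.EXE: a check for the 62-second timestamp mark on .COM files, run over raw FAT directory bytes read without the virus resident, which also reports the shortened length an infected system would display (on-disk length minus 1536). It assumes the standard 32-byte FAT directory entry layout; the function names and the sample directory are constructed for illustration.

```python
import struct

VIRUS_LENGTH = 1536       # growth of an infected .COM file (from the report)
MARKER_SECONDS = 62       # out-of-range seconds value used as infection mark
MAX_HOST_LENGTH = 63728   # longer hosts no longer run correctly (from the report)

def assess(entry):
    """Return a finding for a marked .COM entry, else None (32-byte FAT entry)."""
    name, ext, attr, time_raw, size = struct.unpack("<8s3sB10xH4xI", entry)
    seconds = (time_raw & 0x1F) * 2          # low 5 bits count 2-second units
    if attr & 0x18 or ext != b"COM" or seconds != MARKER_SECONDS:
        return None                          # volume label, directory or unmarked
    host = size - VIRUS_LENGTH
    return {
        "file": name.decode("ascii", "replace").rstrip() + ".COM",
        "size_on_disk": size,
        "size_shown_when_resident": host,    # length after the DTA is patched
        "plausible": host > 0,               # mark on a tiny file: other cause
        "host_broken": host > MAX_HOST_LENGTH,
    }

def scan_directory(raw):
    """Walk raw directory bytes and return findings for marked .COM files."""
    findings = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                 # end-of-directory marker
            break
        if entry[0] == 0xE5:                 # deleted entry
            continue
        hit = assess(entry)
        if hit:
            findings.append(hit)
    return findings

def make_entry(name, ext, hh, mm, sec_units, size, attr=0x20):
    """Build a constructed sample entry (not taken from a real disk)."""
    t = (hh << 11) | (mm << 5) | sec_units
    return struct.pack("<8s3sB10xH4xI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, t, size)

SAMPLE_DIR = (make_entry("EDIT", "COM", 12, 0, 15, 9000)       # 30 s: unmarked
              + make_entry("FORMAT", "COM", 9, 30, 31, 13536)  # 62 s: marked
              + make_entry("NOTES", "TXT", 9, 30, 31, 400)     # not a .COM
              + bytes(32))                                     # end marker
```

A seconds field of 31 two-second units (62 s) cannot be produced by a normal clock, so the mark is cheap to test, but other Vienna-family viruses set the same value; a hit identifies a candidate for closer inspection rather than Zero Bug specifically.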