home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Simtel MSDOS 1992 June
/
SIMTEL_0692.cdr
/
msdos
/
trojanpr
/
solomon.lst
< prev
next >
Wrap
Internet Message Format
|
1989-12-04
|
31KB
Date: 5 Nov 89 15:01:02 GMT (Sun)
From: Alan Solomon <drsolly@ibmpcug.co.uk>
Dr Alan Solomon Day voice: +44 494 791900
S&S Anti Virus Group Eve voice: +44 494 724201
Water Meadow Fax: +44 494 791602
Germain Street, BBS: +44 494 724946
Chesham, Fido node: 254/29
Bucks, HP5 1LP Usenet: drsolly@ibmpcug.co.uk
England Gold: 83:JNL246
CIX, CONNECT drsolly
There has been a number of people recently calling for information
about some of the newer viruses, like Ogre, and Dark Avenger. What
follows are excerpts from the manual of a commercial product; it's OK
for me to post this, as I wrote it and have the copyright! I shan't
mention the name of the product, but I must apologise that the pages
of the manual do refer to various components of the product. Where it
refers to Findvirus, please take this as meaning any virus scanning
program that knows about the virus in question; when it refers to
Peeka, please take this as meaning any disk sector editor. The
paragraph numbers are the chapter numbers in the manual.
I've taken the liberty of calling Ross Greenberg's discovery Fumble
instead of Typo, as there is already a Typo in the literature, and we
don't want two viruses with the same name. Sorry, Ross.
If anyone finds any errors or significant omissions in these
descriptions, please respond via email or fax to me directly.
Finally, could I please lay one myth to rest. Datacrime (called
Columbus day in the US) does the low level format on October 13th and
every day thereafter until December 31st. It does this in versions
1168, 1280 (infective lengths) and Datacrime II. It does NOT do
anything on October 12th, and Datacrime II does NOT go off on Jan 1 to
Oct 12th. Datacrime II refrains from the format on Mondays. The
whole October 12th thing was caused by a misunderstanding about dates,
picked up by the media and turned into a factoid.
The other important thing about Datacrime, is that it is extremely
uncommon indeed. We have had no (zero, nil) cases in the UK, and I
know of only two cases in Holland. Does anyone know of any
*confirmed*, definite, sightings? Apart from Fridrik's self inflicted
accident, of course :-)
4.18 Ogre
Other names - Computer Ogre, Disk Killer
Infects - the boot sector of any writable diskette or hard disk.
Classification - Boot sector virus.
4.18.1 Recognition and detection
If the virus triggers (see below) then recognition is easy. Another
method of recognising it is the 8k of memory lost (so a 640k machine
will show 647168 bytes of memory instead of 655360 bytes). A third
way is if you look at the boot sector using Peeka, it will be full of
program code, without the usual messages like "Not a system disk.".
You can detect infected diskettes by running Chkdsk (which comes with
Dos). If you get 3k of bad sectors on a 360k diskette, that's a sign
of Ogre (Brain and Ashar give the same), as FORMAT marks an entire
track (5k on a 360k diskette) as bad if it finds a defect. Likewise
on other sizes of diskette; one track is the minimum that should be
marked as bad, except of course for zero bad. You can also use
FindVirus from the Toolkit to detect Ogre.
On a hard disk, Ogre doesn't use bad sectors, so can't be detected
that way.
4.18.2 How the virus copies itself
When you boot from an infected diskette, the virus goes memory
resident; this is true whether the diskette is a boot disk or not.
So the usual thing is for someone to have an infected data diskette,
which they leave in drive A when they shut down. Next day when they
start up the computer, it attempts to boot from that diskette; if it
isn't a system diskette, you see the message "Not a system disk.
Please insert a system disk and retry." or a similar message. If that
diskette was infected, the virus is now in memory, and when you
continue the boot, it remains there.
While it is in memory, any disk that you access is liable to be
infected. If you access the diskette (whether read or write) and the
diskette is write enabled then Ogre will replace the boot sector with
its own code, move the boot sector further up the disk, add the rest
of the Ogre code, and mark these sectors as bad in the FAT. But there
is a bug (or perhaps it is deliberate) in the virus; instead of
marking the sectors it has used as bad, it marks a different group.
Ogre also infects hard disks.
4.18.3 What the virus does
If you leave your computer on for 48 hours, and access the hard disk
during the following hour, the virus triggers. It clears the screen,
and puts up "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989"
in black characters on a white background. Then in yellow on green,
it says "Warning !!", and two line down "Don't turn off the power or
remove the diskette while Disk Killer is Processing!". Then in bright
red, and blinking, on black, it says "PROCESSING".
By the time you see that and react to it, it will be too late, as the
disk will be inaccessible. You might decide to switch off in spite of
what Ogre has told you, but even if you do, the disk will have been
made unreadable by then, and your best course will be to re-initialise
the disk and restore the latest backups.
4.18.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
there is nothing unwanted that is installed in memory. Use Findvirus
to determine which diskettes are infected.
Treatment consists of simply copying all the files off an infected
diskette (using "COPY *.*"; do not use Diskcopy or any image copier),
and reformatting the diskette (see below for details). Remember that
Ogre might have written itself onto one (or more) of the files. This
would not make the file infectious, but would mean that if it were a
program, it would not run, and if it were data, the data would be
corrupted.
If a large number of diskettes are potentially infected, then you
should consider borrowing our hopper-fed diskette cleaning machine,
which can handle up to 700 diskettes per hour, sorting them into clean
and contaminated bins.
If you have a major outbreak of Ogre on a large site, then while you
clear it up, you should use Inoculate on all diskettes. This works by
putting the Ogre signature (just two harmless bytes) on the boot
sector of the diskette. If Ogre sees that signature, it thinks that
the diskette is already infected, so doesn't attack it. This means
that if you use a moving line method to clear out Ogre, you can't have
a re-infection following the demarcation line.
In the case of a hard disk, you could use a disk sector editor. Find
the original boot sector (it will be in the bad sectors) and copy it
back to the place where it should be, at Logical Sector Number zero.
I would recommend that you take a full backup before doing this, as if
you get it wrong, you could make your disk inaccessible.
An alternative, and much easier method, is as follows. First boot
from a clean Dos disk. Then make two backups of the hard disk (the
second backup is in case you find that you have a problem restoring
the first backup). With most versions of Dos, SYS will replace the
boot sector, and you can use Findvirus to check that this has worked.
This leaves the body of the Ogre code in between the partition and the
boot sector, but since there is nothing to load it in, it is perfectly
harmless. If in spite of that, you wish to get rid of it, then the
simplest way is a low level format of the hard disk.
4.18.5 Other information
It was first sighted in the US, but we have also had a case in Ealing
near London. Floppy disks are not infected correctly, and Ogre can
write its code into a file on the diskette, not using the bad sectors
that it creates.
Ogre is more infectious than Italian virus, as it can infect 80286 and
80386 machines, which Italian cannot.
4.18.6 Technical details
If the computer is left on for 48 hours, and not accessed during the
next hour, then the trigger is deferred for 255 hours, at which point
a disk access will have the same effect. In order to do this, it
hooks interrupt 8, the timer tick.
To copy itself onto other diskettes, Ogre goes memory resident at boot
up, occupying 8k of memory at the top of memory, and changing the byte
413h to reflect 8k less than the computer has. It hooks interrupt
13h, and attempts to infect on read accesses to a disk.
When Ogre infects a hard disk, it writes the code into the sectors
immediately preceding the boot sector.
4.19 Typo
Other names - None
Infects - the boot sector of any writable diskette or hard disk except
80286 or 80386 machines.
Classification - Boot sector virus.
4.19.1 Recognition and detection
If you look at the boot sector using Peeka or Norton, it will be full
of program code, without the usual messages like "Not a system disk.".
You can detect infected diskettes by running Chkdsk (which comes with
Dos). If you get 1k of bad sectors, that's a good sign of Typo (or
Italian virus), as FORMAT marks an entire track (5k on a 360k
diskette) as bad if it finds a defect. You can also use FindVirus
from the Toolkit to detect Typo.
4.19.2 How the virus copies itself
When you boot from an infected diskette, the virus goes memory
resident; this is true whether the diskette is a boot disk or not.
So the usual thing is for someone to have an infected data diskette,
which they leave in drive A when they shut down. Next day when they
start up the computer, it attempts to boot from that diskette; if it
isn't a system diskette, you see the message "Not a system disk.
Please insert a system disk and retry." or a similar message. If that
diskette was infected, the virus is now in memory, and when you
continue the boot, it remains there.
While it is in memory, any disk that you access is liable to be
infected. If you access the diskette (whether read or write) and the
diskette is write enabled then Typo will replace the boot sector with
its own code, move the boot sector further up the disk, add the rest
of the Typo code, and mark these sectors as bad in the FAT. Typo also
infects hard disks.
4.19.3 What the virus does
It installs a routine that replaces the normal printer handler
routine. It sets a counter to 50, and decrements it each time a
character is printed (unless it is an escape, in which case it
increases it by five). When the counter reaches zero, it does a typo.
A typo consists of a character substitution from the following:
18CKGJMNOU36VW27ckgjmnou49vw
So 1 is substituted for 8 and vice versa, C for K and so on. It also
does a substitution on some of the high order bytes:
80h,92h,9ah,88h,97h,8bh,85h,8fh
This is more meaningful when the Hebrew character set is used.
4.19.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
there is nothing unwanted that is installed in memory. Use Findvirus
to determine which diskettes are infected.
Treatment consists of simply copying all the files off an infected
diskette (using "COPY *.*"; do not use Diskcopy or any image copier),
and reformatting the diskette (see below for details). Alternatively,
you can use UnVirus (part of the Toolkit) to remove the infection from
a diskette; UnVirus is a lot faster.
If a large number of diskettes are potentially infected, then you
should consider borrowing our hopper-fed diskette cleaning machine,
which can handle up to 700 diskettes per hour, sorting them into clean
and contaminated bins.
If you have an outbreak of Typo, then while you clear it up, you
should use Inoculate on all diskettes. This works by putting the Typo
signature (just two harmless bytes) on the boot sector of the
diskette. If Typo sees that signature, it thinks that the diskette is
already infected, so doesn't attack it. You cannot inoculate against
Italian and Typo on the same diskette, as they use different
signatures in the same place.
In the case of a hard disk, you could use a disk sector editor. Find
the original boot sector (it will be in the bad sectors) and copy it
back to the place where it should be, at Logical Sector Number zero.
I would recommend that you take a full backup before doing this, as if
you get it wrong, you could make your disk inaccessible. You could
then patch the FAT to mark the bad sectors as usable. We have not
provided a utility to do this, as there are so many different layouts
of hard disk to cope with.
An alternative, and much easier method, is as follows. First boot
from a clean Dos disk. Then make two backups of the hard disk (the
second backup is in case you find that you have a problem restoring
the first backup). With most versions of Dos, SYS will replace the
boot sector, and you can use Findvirus to check that this has worked,
but this still leaves you with the 2k in bad sectors; this is now
quite harmless, and can be ignored. Alternatively, you can format the
hard disk, using "FORMAT /S/V" and restore the backup; this has the
advantage of reclaiming the fake bad sectors.
4.19.5 Other information
It was first sighted in Israel. It is based on Italian virus, and the
infective code is very similar indeed.
This is a very insidious virus. Printers often give problems, and so
do printer cables. A lot of time will be wasted trying to fix a
hardware fault before the virus is discovered. Likewise, a lot of
genuine printer problems will be blamed on this virus.
4.19.6 Technical details
Like Italian, Typo does not work on 80286 and
80386 machines; if you boot from an infected floppy, the machine
hangs.
4.22 Dark Avenger
Infects - any non-tiny COM or EXE file on any writable Dos device.
Classification - Indirect Action File virus
4.22.1 Recognition and detection
COM files grow by 1800 bytes, EXE files by a similar amount, subject
to rounding up to a multiple of 16. Probably the likeliest give away
for this virus is the way it tries very hard to write to write
protected diskettes, although there is no "Abort, Retry, Ignore?"
message.
4.22.2 How the virus copies itself
It is an Indirect Action File Virus. When you run an infected COM or
EXE file, it goes memory resident. Thereafter, a number of actions
can trigger an infection. The virus makes files read/write and resets
the attribute after infection. It also preserves the date and time of
files. It only infects files if they are larger than about 1800
bytes.
If you copy a file, the source and target are both infected. If you
read a file, it is infected, so if a program looks at all the files on
a disk, that will infect all the files. If you change the attribute
of a file, that will infect it. Loading and executing a file infects
it, just like Jerusalem (1813) virus.
Because of all these infection mechanisms, it is a very infectious
virus.
4.22.3 What the virus does
It writes a sector that starts "Eddie lives...somewhere in time!" to a
random sector on the hard disk, at intervals. This sector might not
land on anything, or it might overwrite part of a program or some
data. The damage done is therefore quite subtle.
4.22.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
Dark Avenger is not installed in memory. You can then remove Dark
Avenger by using Findvirus to search for all instances of the virus.
Every infected file that you find, you can delete, and copy a good
file in its place. Run Findvirus again when you are finished, to make
sure that all instances have been found.
If you want to replace the boot sector with a clean copy, you can take
a full backup, and then use SYS C: to do this.
Finally, you should install ChkVirus on all machines that are
potentially infectable, to provide an early warning of a recurrence of
this or another virus.
4.22.5 Other information
There is a message that says "This program was written in the city of
Sofia (C) 1988-89 Dark Avenger". There is also a string "Diana P." -
neither of these strings are used. The virus only works on Dos 3 and
above.
4.22.6 Technical details
This virus does an end run around the disk interrupts. So any program
that checks to see if anything is using interrupt 13h or 40h will be
fooled. To do this, it attempts to replace interrupts 13h (disk and
diskette) and 40h (diskette). It also replaces interrupt 24h
(critical error) with its own, to suppress the "Abort, Retry, Ignore?"
message when it tries to infect a write-protected disk. This doesn't
work properly, and you can get a number of these messages if diskettes
are write-protected.
In spite of carefully doing the end run round 13h and 40h, it does not
attempt to avoid using interrupt 26h to write to the disk, so any TSR
monitoring program that hooks that interrupt, will stand a chance of
spotting it.
It also replaces interrupt 27h (terminate and stay resident) with its
own version that doesn't let other programs use this method to go TSR,
and replaces interrupt 21h. It also traps the Dos calls to get or set
interrupt 21h and 27h, and if any program tries to do this, it
pretends that it has been done, but doesn't do it.
It uses the boot sector to store data; every time an infected program
is run, it increments a counter which is the last byte of the OEM
label on the boot (byte 0ah), and zeros the four most significant
bits. When this byte is zero (every 16th time), it adds 40h to the
word at offset 8 on the boot.
If the word at offset 8 is less than the number of sectors on the
volume, it writes a sector that starts "Eddie lives...somewhere in
time!" to the sector that it has calculated on the disk.
4.23 Vacsina
Infects - any non-tiny COM or EXE file on any writable Dos device.
Classification - Indirect Action File virus
4.23.1 Recognition and detection
EXE files are converted to COM files, and in the process, they grow by
a hundred bytes or so (132 is typical). The conversion is only done
to files less than 63k, as COM files cannot be larger than that. The
conversion is done to the file format, but not to the file name, so
there is no filename change.
COM files are infected, growing them by 1207 to 1213 bytes. Only
files that are 1206 bytes or larger are infected. When a COM file is
infected, the computer beeps. The file's date is not preserved -
that's the most likely way that this virus will be spotted.
When it infects a file, it accesses drive A, even if the infected
program doesn't.
4.23.2 How the virus copies itself
It is an Indirect Action File Virus. When you run an infected COM or
EXE file, it goes memory resident. Thereafter, any time you load a
COM or EXE file, that file is infected. Readonly files are set to
read/write and it then resets the attribute after infection. EXE
files are infected in two stages - first the conversion to COM, and
then the COM infection. EXE files are not in themselves infectious
though - only COM files contain the code that goes memory resident.
4.23.3 What the virus does
There is no payload to this virus, other than the beep when it infects
a COM file.
4.23.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
Vacsina is not installed in memory. You can then remove Vacsina by
using Findvirus to search for all instances of the virus. Every
infected file that you find, you can delete, and copy a good file in
its place. Run Findvirus again when you are finished, to make sure
that all instances have been found.
Finally, you should install ChkVirus on all machines that are
potentially infectable, to provide an early warning of a recurrence of
this or another virus.
4.23.5 Other information
The virus is named after the string VACSINA that is found in each copy
of it. But it isn't clear how this virus could be considered a
vaccinator in any sense.
4.23.6 Technical details
The string VACSINA is a file name, of a file that it looks for on
drive A. If it finds it, it opens the file using an FCB call
(interrupt 21h, function 0fh. The file is left open as it does the
infection, and when the infection terminates normally, the file is
closed using an FCB call interrupt 21h, function 10h. I cannot see
the purpose of this call, unless it was something to do with
debugging.
The virus author makes extensive use of the Dos function 45h,
duplicate a file handle. This is done for error handling, and is not
a feature of any other virus so far.
4.24 Mix1
Infects - any non-tiny EXE file on any writable Dos device.
Classification - Indirect Action File virus
4.24.1 Recognition and detection
This is a virus with a lot of interesting effects, any of which might
be noticed. The most obvious is the garbling of serial and parallel
port information; the garble is quite noticeable.
In late generation infections (see below for details) the virus
displays a bouncing ball, the lower case letter "o", which bounces off
the sides of the screen like a ping pong ball. It is not deflected by
letters on the screen (unlike Italian virus) but does replace letters
that it passes over. the bouncing ball display comes up 60 minutes
after the virus goes memory resident.
Also in late generation infections, after 50 minutes the keyboard
handler is replaced, with a routine that always turns off Caps Lock,
and always switches Num Lock on. Also, if you reboot at that time, it
triggers the video display.
The virus doesn't disable the "Abort, Retry, Ignore" message, so that
if it tries to infect a write protected diskette, it gives that
message.
Only EXE files are infected, and they grow by 1620 or so bytes. Files
are not infected unless they are greater than 8192 bytes.
4.24.2 How the virus copies itself
It is an Indirect Action File Virus. When you run an infected EXE
file, it goes memory resident. Thereafter, any time you load an EXE
file, that file is infected. Readonly files are set to read/write and
it then resets the attribute after infection. The memory resident
part of the virus is in high conventional memory, consuming 2048
bytes.
4.24.3 What the virus does
The main effect is the garbling of the parallel and serial ports,
which will affect modems and printers. It uses a simple table; here
is the translation for letters (numbers are unaffected).
abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ becomes
ebsdapghejklmnufqrctovwxyz BECDAPGHYJKLMNUFQRSTOVWXIZ
So, for example,
Bad command or file name becomes
Eed summend ur pela nema
4.24.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
Mix1 is not installed in memory. You can then remove Mix1 by using
Findvirus to search for all instances of the virus. Every infected
file that you find, you can delete, and copy a good file in its place.
Run Findvirus again when you are finished, to make sure that all
instances have been found.
If the outbreak is on a large site, you can use Inoculate to prevent a
re-infestation as you clean up.
Finally, you should install ChkVirus on all machines that are
potentially infectable, to provide an early warning of a recurrence of
this or another virus.
4.24.5 Other information
This virus is modelled after the Icelandic viruses, but the virus
author has put everything that he can think of into the payload. It
was first detected in Israel in August 1989.
4.24.6 Technical details
There is a counter in the virus, which counts the number of infections
since the virus went memory resident, and this counter is written out
to each infected file. If the counter is greater than 5, then when
such a late generation instance of the virus goes TSR, it replaces the
timer tick (int 8) and the keyboard handler (int 9), as well as int
14h (serial) and int 17h (parallel). It is the replacement of int 8
and 9 that eventually trigger the bouncing o display, the caps lock
and num lock twiddling, and the reboot display. This doesn't work
properly, and on a CGA, just triggers typical CGA snow.
To go memory resident, the virus uses Memory Control Blocks directly,
instead of using the Dos interrupts to do so.
4.25 Fumble
Infects - any COM file on any writable Dos device.
Classification - Direct Action File virus
4.25.1 Recognition and detection
This virus makes you seem to hit the wrong key, but only rarely. COM
files grow by 867 bytes.
The virus doesn't disable the "Abort, Retry, Ignore" message, so that
if it tries to infect a write protected diskette, it gives that
message. However, it does preserve date/time, and the file's
attribute (it temporarily sets it to read/write in order to infect
it).
4.25.2 How the virus copies itself
It is an Direct Action File Virus. When you run an infected COM file,
it infects every other uninfected COM file in that subdirectory. It
detects whether a file is infected or not, by looking for the
characters "V1" immediately after the original infected program.
On odd days (the first, third, fifth etc of each month) it does not
infect.
4.25.3 What the virus does
The virus replaces the keyboard handler, interrupt 16h. If it is in
place, it occasionally replaces the key that is typed, with the key
immediately to the right (actually, it is a bit more complicated than
this - see below).
4.25.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
Fumble is not installed in memory. You can then remove Fumble by
using Findvirus to search for all instances of the virus. Every
infected file that you find, you can delete, and copy a good file in
its place. Run Findvirus again when you are finished, to make sure
that all instances have been found.
Finally, you should install ChkVirus on all machines that are
potentially infectable, to provide an early warning of a recurrence of
this or another virus.
4.25.5 Other information
This virus has only ever been found on one site.
4.25.6 Technical details
The virus defines a new function for interrupt 16h, function 0ddh. If
interrupt 16h is called with that in the AH register, then it returns
with 0ddh in the AL register. The virus uses this to determine
whether it is already installed.
The fumble table used is:
`12345687790-=\~!@#$%^&*()_+|qwertyuiop[][asdfghjkl;'
zxcvbnm,./QWERTYUIOP{}ASDFGHJKL:";ZXCVBNM<>?.
The way the table is used is, each letter is replaced by the letter on
the right.
The fumble only activates if you type at better than six characters
per second (approximately 60 wpm). If you type at that speed, after
not using the keyboard for five seconds, you get a fumble. There is
code in the virus that should gradually decrease that five second gap,
but it doesn't work correctly.
4.26 Dbase
Infects - any COM file on any writable Dos device.
Classification - Indirect Action File virus
4.26.1 Recognition and detection
COM files grow by 1864 bytes, and 1884 bytes are subtracted from the
top of conventional memory, which would be shown up by Chkdsk or
Checkmem (in the Toolkit).
The virus doesn't disable the "Abort, Retry, Ignore" message, so that
if it tries to infect a write protected diskette, it gives that
message. However, it does preserve date/time, and the file's
attribute (it temporarily sets it to read/write in order to infect
it).
.DBF files are garbled (see below for details). The virus creates a
hidden file in the root directory called C:\BUGS.DAT.
The way you are most likely to detect this virus is if you copy a file
with the extension DBF to an uninfected computer, and then you find
that a database that is fine on the infected computer, is garbled on
the clean one.
4.26.2 How the virus copies itself
It is an Indirect Action File Virus. When you run an infected COM
file, part of the virus goes memory resident. Then, when you run
another COM program, it infects that from the memory resident part.
4.26.3 What the virus does
It intercepts the Dos functions to create, open, read, write and close
a file. If the file does not have the DBF extension, it ignores it
(DBF is a common extension for database files). If it does have a DBF
extension, it garbles it.
The garble is very simple - it just interchanges pairs of bytes; it
is equally easy to ungarble a garbled file, by writing a program that
swaps pairs of bytes back again. We have written such a program, and
it available free of charge to any registered user of the Anti-Virus
Toolkit that has been affected by this virus. It isn't on the Toolkit
diskette, as the virus has only ever been seen on one site.
The virus creates a hidden file C:\BUGS.DAT that contains the list of
garbled files. If you create a .DBF file (whether you start up a new
database, or copy a file, or make a backup to a file with this name)
three months after the BUGS.DAT file is created, then a damage routine
is triggered. The same thing happens if the system date is three
months before the date of BUGS.DAT.
The first thing to say is that the damage routine doesn't actually
work. This is because of a bug in it. But if it had worked, it would
have written garbage over the first 256 sectors on the hard disk,
overwriting the boot, both copies of the File Allocation Table, and
the whole directory. It does this to every device attached to the
computer, starting at device D, and working up to device Z. On most
computers, there is no drive D, and the system will just hang, with no
damage done. On networks, the direct write to the device will be
disallowed by the network software. So the only time this routine
will work, is if there is a local drive D.
4.26.4 How to get rid of it
Boot from a clean Dos disk; this is a Dos diskette that has come from
the manufacturer, and has never been write enabled. This ensures that
Dbase is not installed in memory. You can then remove Dbase by using
Findvirus to search for all instances of the virus. Every infected
file that you find, you can delete, and copy a good file in its place.
Run Findvirus again when you are finished, to make sure that all
instances have been found.
Finally, you should install ChkVirus on all machines that are
potentially infectable, to provide an early warning of a recurrence of
this or another virus.
4.26.5 Other information
This virus has only ever been found on one site. It seems to be
targetted, as it only attacks .DBF files.
4.26.6 Technical details
To determine whether the virus is already memory resident, it puts
0fb0ah in the AX register, and calls interrupt 21h. If the interrupt
returns with 0afbh in the AX register, then the virus was already
installed.
The virus traps dos interrupt 21h, functions 6ch (Dos 4 create file
extended), 5bh (create new file), 3ch (create file), 3dh (open file),
3fh (read file), 40h (write to file) and 3eh (close file). It also
traps 4bh, and uses this as the trigger to infect a file.
