Text File  |  1991-05-09  |  5.2 KB  |  106 lines


            *********************************************
            ***   Reports collected and collated by   ***
            ***            PC-Virus Index             ***
            ***      with full acknowledgements       ***
            ***            to the authors             ***
            *********************************************


====== Computer Virus Catalog 1.2: "dBase" Virus (15-Feb-1990) =======
Entry...............: "dBase" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: October 1989
              where.: ---
Classification......: Link - Virus (extending), RAM - resident
Length of Virus.....: .COM - Files: Program length increases
                             by 1864 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PC, XT, AT and compatibles
--------------------- Attributes ------------------------------------
Easy Identification.: Typical text in Virus body (readable with
                      HexDump-utilities): "c:\bugs.dat"
Type of infection...: System: RAM-resident, infected if function
                              FB0AH of INT 21H returns with 0AFBH
                              in AX register.
                      .COM file: extended by using EXEC-function.
                              A file will only be infected once.
                      .EXE File: no infection.
Infection Trigger...: When function 4B00H of INT 21H (EXEC) is called.
Interrupts hooked...: INT 21H
Damage..............: Permanent Damage:
                      1. Every time a .DBF file is created in an
                              infected system with function 3CH, 5BH
                              or 6CH of INT 21H, the complete filename
                              of the new .DBF file will be inserted in
                              the hidden file "c:\bugs.dat".

                      2. On every write operation to a file
                              registered in "bugs.dat", all
                              neighboring bytes will be interchanged
                              (e.g.: "01 02 03 04" changed to "02 01
                              04 03").

                      3. On every read operation from a file
                              registered in "bugs.dat", the bytes will
                              be interchanged again, so that no
                              modification is visible.

                      4. If the filename of the .DBF file is
                              modified, so that it does not correspond
                              to the filename registered in
                              "bugs.dat", or read/write operations
                              happen in a non-infected system, the
                              bytes will no longer be modified by the
                              virus and they appear defective.

                      Transient Damage:
                             Every time a new .DBF file is created,
                             the virus examines the age of "bugs.dat".
                             If the difference between the month of
                             creation and the current month is greater
                             than 2, the computer will hang in an
                             endless loop.

Particularities.....: - In case of a program error in the virus,
                        single bytes in the .DBF file could be
                        overwritten incorrectly by write operations!
                      - Programs longer than 63415 bytes are no longer
                        loadable.

Special remark......: The original virus contains code which erases
                        (INT 21)  the infected DBF file structure
                        after a certain time; Ross Greenberg, who
                        detected this virus, patched the essential
                        instruction with INT 03 such that the
                        destructive part no longer works; the rest
                        of the code was not changed.  Unfortunately,
                        the changed code escaped one virus expert's
                        computer.

------------------ Agents -------------------------------------------

Countermeasures.....: Category 3: ANTI_DBS.EXE (VTC Hamburg)
- ditto - successful: ANTI_DBS.EXE finds and restores infected
                      programs (only for DBASE).
Standard means......: Notice .COM file length.
                      Typical text in virus body: "c:\bugs.dat",
                        which is also created in the root directory.
------------------- Acknowledgement --------------------------------

Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke
Documentation by....: Thomas Lippke
Date................: January 20, 1990


===================== End of "DBase"-Virus ===========================
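
Added example (not part of the original catalog entry, and not the logic of ANTI_DBS.EXE): a Python triage sketch for the artifacts described above, namely a .DBF file left with interchanged neighboring bytes and a .COM image carrying the "c:\bugs.dat" text or the 1864-byte growth. It assumes the usual dBase III header layout and that swapped pairs are aligned to even file offsets; the sample file is constructed.

```python
import struct

MARKER = b"c:\\bugs.dat"  # text the entry says is readable in the virus body
GROWTH = 1864             # .COM length increase stated in the entry


def swap_pairs(data: bytes) -> bytes:
    """Interchange neighbouring bytes (01 02 03 04 -> 02 01 04 03); self-inverse."""
    out = bytearray(data)
    even = len(out) & ~1  # assumption: pairs start at even offsets; odd tail untouched
    out[0:even:2], out[1:even:2] = out[1:even:2], out[0:even:2]
    return bytes(out)


def plausible_dbf_header(data: bytes) -> bool:
    """Sanity-check the assumed dBase III header fields."""
    if len(data) < 33:
        return False
    # version, YY, MM, DD, uint32 record count, uint16 header len, uint16 record len
    ver, _yy, mm, dd, _n, hdr_len, rec_len = struct.unpack_from("<4BIHH", data)
    return (ver in (0x03, 0x83) and 1 <= mm <= 12 and 1 <= dd <= 31
            and 33 <= hdr_len <= len(data) and rec_len >= 1
            and data[hdr_len - 1] == 0x0D)  # field-descriptor terminator


def classify_dbf(data: bytes) -> str:
    """Return 'intact', 'pair-swapped' (damage items 2 and 4) or 'unknown'."""
    if plausible_dbf_header(data):
        return "intact"
    if plausible_dbf_header(swap_pairs(data)):
        return "pair-swapped"
    return "unknown"


def com_indicators(image: bytes, known_good_size=None) -> dict:
    """Check a .COM image for the marker text and the 1864-byte growth."""
    grew = known_good_size is not None and len(image) - known_good_size == GROWTH
    return {"marker": MARKER in image.lower(), "grew_1864": grew}


def make_sample_dbf() -> bytes:
    """Constructed sample: one 10-byte character field NAME, one record."""
    header = struct.pack("<4BIHH20x", 0x03, 90, 1, 20, 1, 65, 11)
    field = b"NAME".ljust(11, b"\0") + b"C" + bytes(4) + bytes([10, 0]) + bytes(14)
    return header + field + b"\x0d" + b" " + b"ALICE".ljust(10) + b"\x1a"


if __name__ == "__main__":
    sample = make_sample_dbf()
    print(classify_dbf(sample), classify_dbf(swap_pairs(sample)))
```

Run it on a copy of the file: the entry's Particularities note that single bytes may have been overwritten incorrectly, so a file classified as "pair-swapped" can still contain damage that swapping back does not repair.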


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
