
            *********************************************
            ***   Reports collected and collated by   ***
            ***            PC-Virus Index             ***
            ***      with full acknowledgements       ***
            ***            to the authors             ***
            *********************************************


=== Computer Virus Catalog 1.2: "Devil's Dance" Virus (5-June-1990) ===

Entry...............: "Devil's Dance"
Alias(es)...........: "Devil", "941 Virus"
Virus Strain........:
Virus detected when.: Spring 1990
              where.: Mexico City
Classification......: .COM file: extending, RAM-resident, link virus
Length of Virus.....: .COM files: increased by 941 bytes

--------------------- Preconditions ----------------------------------

Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM PC, XT, AT and compatibles

--------------------- Attributes -------------------------------------

Easy Identification.: Typical text in virus body, readable with
                      hexdump utilities: "Drk", "*.com". If the high
                      bit of the displayed code is stripped, the
                      message displayed at system reset time can be
                      read.
                      .COM files: the first three bytes (jmp) and
                      the last three bytes are identical.
                      The file date/time is set to the date/time of
                      the infection (i.e. multiple infected files
                      have the same file date/time).

Type of infection...: System virus: RAM-resident: infected if at the
                      location 3 bytes before the INT 21 address the
                      string "Drk" is found.
                      .COM file: infected by hooking the LOAD function;
                      adds 941 bytes to the end of the file.
                      Only files with extension .COM will be infected.
                      A file will be infected more than once.
                      At first execution of the virus, all .COM files
                      in the current directory will be infected.
                      .EXE file: no infection.

Infection Trigger...: .COM file will be infected when function 4B00H
                      (LOAD/EXEC) of INT 21H is called.

Interrupts hooked...: INT 21H (functions 4B00H and 49H).
                      INT 09H only for damage.

Damage..............: Permanent Damage:
                      1. Every .COM file executed in an infected
                         system will be infected.
                      2. After 2,500 keystrokes and
                         reset=<CTRL>+<ALT>+<DEL>, the first sector of
                         the hard disk C: will be overwritten.
                      Transient Damage:
                      1. All characters typed will be displayed in a
                         different color on a color card.
                      2. If reset=<CTRL>+<ALT>+<DEL> is pressed, the
                         following message is displayed:
                         "Have you ever danced with"
                         "the devil under the weak light of the moon?"
                         "Pray for your disk!  The_Joker..."
                         "Ha Ha Ha Ha Ha Ha Ha Ha Ha Ha".

Damage Trigger......: Keyboard input (characters typed) and
                      reset=<CTRL>+<ALT>+<DEL>

Particularities.....: - The message "Have you ... Ha Ha" is
                        encrypted.
                      - All files with .COM extension will be
                        infected (i.e. also EXE files with .COM
                        extension).
                      - .COM files with EXE header ID "MZ" will not
                        run after infection.
                      - The virus does not use a self-identification on
                        .COM files; files will be infected many times.
                      - In case of multiple infections of .COM files,
                        the system is slowed down on first execution of
                        the virus in a clean system; if, e.g., a file
                        has been infected 10 times, then it will try
                        to infect any accessible .COM file 10 times.
                      - All file attributes are cleared/not restored.
                      - Multiple files have the same date/time.
                      - Programs longer than 64,337 bytes are not
                        executed correctly after infection.

-------------------- Agents ------------------------------------------

Countermeasures.....: Category 3: NTIDEVIL.EXE (VTC Hamburg)

- ditto - successful: NTIDEVIL.EXE finds and restores infected
                      programs.

Standard means......: Notice .COM file length, file
                      date/time/attribute. Typical text in virus
                      body: "*.com", "Drk". Search for hex bytes:
                      E4,E1,EE,E3,E5,E4,A0,F7,E8,F4,E8. Don't use
                      <CTRL>+<ALT>+<DEL> if your screen has been
                      colored; use the power-off or reset switch to
                      reboot your computer.
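
The Python scanner below is added here as an illustration; it is not part of the catalog report and not the VTC's NTIDEVIL.EXE. It applies the static .COM indicators listed in "Easy Identification" and "Standard means" (identical first and last three bytes, the strings "Drk" and "*.com", the quoted hex byte sequence) and strips the high bit to show how the stored message is read. The two .COM images inside it are constructed for the demonstration, and treating the leading "(jmp)" as the near-JMP opcode 0xE9 is an assumption the report does not spell out.

```python
# Added example, not from the report: checks the .COM indicators in "Standard means".

SIGNATURE = bytes.fromhex("E4E1EEE3E5E4A0F7E8F4E8")   # hex bytes quoted in the report
PLAIN_STRINGS = (b"Drk", b"*.com")                    # plain text quoted in the report


def strip_high_bit(data: bytes) -> str:
    """Clear bit 7 of each byte; the report says this makes the
    reset-time message readable."""
    return bytes(b & 0x7F for b in data).decode("ascii", errors="replace")


def high_bit_runs(data: bytes, min_len: int = 8) -> list:
    """Decode every run of at least min_len consecutive bytes with bit 7
    set, which is how the 'encrypted' text is stored."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":            # trailing 0x00 flushes the last run
        if b & 0x80:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(strip_high_bit(bytes(cur)))
        cur = bytearray()
    return runs


def scan_com(data: bytes) -> dict:
    """Return one bool per indicator plus a verdict that needs the
    structural head/tail match and at least one text hit."""
    head, tail = data[:3], data[-3:]
    result = {
        # Assumption: the report's "(jmp)" is the near-JMP opcode 0xE9.
        "jmp_head_equals_tail": len(data) >= 6 and head[0] == 0xE9 and head == tail,
        "has_Drk": PLAIN_STRINGS[0] in data,
        "has_star_com": PLAIN_STRINGS[1] in data,
        "has_signature": SIGNATURE in data,
        "mz_header": data[:2] == b"MZ",  # report: such files stop running once infected
    }
    text_hit = result["has_Drk"] or result["has_star_com"] or result["has_signature"]
    result["suspicious"] = result["jmp_head_equals_tail"] and text_hit
    return result


# Constructed samples: a tiny clean COM image and one carrying the markers
# (the marked image holds only the indicator bytes, it is not a program).
CLEAN_COM = b"\xB4\x4C\xCD\x21" + b"\x00" * 60
JMP = b"\xE9\x40\x00"
MARKED_COM = JMP + CLEAN_COM + b"Drk\x00*.com\x00" + SIGNATURE + b"\x00" * 20 + JMP
```

A real deployment would combine these hits with the length and date/time checks the report names, since a head/tail match alone is also produced by some legitimate .COM files.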

-------------------- Acknowledgement ---------------------------------

Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Stefan Tode
Documentation by....: Stefan Tode
Date................: 5-June-1990


==================== End of "Devil's Dance"-Virus ====================


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++