Text File  |  1991-05-09  |  3.8 KB  |  109 lines

            *********************************************
            ***   Reports collected and collated by   ***
            ***            PC-Virus Index             ***
            ***      with full acknowledgements       ***
            ***            to the authors             ***
            *********************************************


==== Computer Virus Catalog 1.2: "GhostBalls" Virus (Nov 2, 1989) ====

Entry...............: "GhostBalls"
Alias(es)...........: Ghost
Virus Strain........: Vienna (Dos-62)
Virus detected when.: Oct. '89
              where.: Iceland
Classification......: .COM file infecting virus/ Extending/ Direct/
                      Non-Resident

Length of Virus.....: 2351 bytes added to file

-------------------- Preconditions --------------------------------

Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles

-------------------- Attributes ----------------------------------

Easy Identification.: .COM files: "seconds" field of the timestamp
                      changed to 62, as in the original Vienna virus.
                      Infected files end in a block of 512 zero bytes.

Type of infection...: Extends .COM files. Adds 2531 bytes to the end
                      of the file and places a JMP instruction at the
                      beginning.

                      When an infected program is run, it will search
                      for a program to infect, and also try to place a
                      modified copy of the Ping-Pong virus on the boot
                      sector in drive A.

                      The virus will remove the Read-Only attribute
                      from programs in order to infect them.  It is
                      replaced afterwards.

Infection Trigger...: One .COM file in the current directory with the
                      "seconds" field not equal to 62 will be infected
                      each time an infected program is run.

Storage media affected: Boot sectors on diskettes.

Interrupts hooked...:

Damage..............: .COM files and boot sectors modified. No
                      permanent damage.

Damage Trigger......:

Particularities.....: The destruction of 1 program in 8 in the
                      original Vienna virus has been disabled.  The
                      Ping-Pong copy placed on drive A:  has been
                      modified in two ways:  It will work on a '286
                      machine but has been patched so it will not
                      infect other diskettes.  Virus contains the text
                      string:

                                "GhostBalls, Product of Iceland"

Similarities........:


--------------------- Agents ----------------------------------------

Countermeasures.....: Any program that identifies the Vienna virus by
                      using signatures should be able to find infected
                      files.  VIRSCAN (46) will identify infected
                      files.  F-FCHK (by the author of this article)
                      will identify infected files and remove the
                      infection.

Countermeasures successful:

Standard means......:

-------------------- Acknowledgement ----------------------------

Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason  (frisk@rhi.hi.is)
Documentation by....: Fridrik Skulason
Date................: November 2, 1989
Information Source..:


======================= End of GhostBalls =========================


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
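
Added example (not part of the catalog entry, and not the code of VIRSCAN or F-FCHK): a Python check for the identification marks listed under "Easy Identification" and "Type of infection", read from a raw 32-byte FAT directory entry plus the file contents. The function names, the standard FAT directory-entry layout, and the choice of JMP opcodes are assumptions of this example; the sample buffers are constructed placeholders.

```python
import struct

MARKER_TEXT = b"GhostBalls, Product of Iceland"  # text string quoted in the report
ZERO_TAIL = 512  # report: infected files end in a block of 512 zero bytes


def parse_dir_entry(entry: bytes) -> dict:
    """Decode the fields of a 32-byte FAT directory entry that are used below."""
    if len(entry) != 32:
        raise ValueError("FAT directory entry must be 32 bytes")
    time_word = struct.unpack_from("<H", entry, 22)[0]
    return {
        "name": entry[0:8].decode("ascii", "replace").rstrip(),
        "ext": entry[8:11].decode("ascii", "replace").rstrip(),
        # DOS stores seconds/2 in bits 0-4, so raw value 31 decodes to "62",
        # a value no valid clock time produces (the maximum is 29, i.e. 58).
        "seconds": (time_word & 0x1F) * 2,
        "size": struct.unpack_from("<I", entry, 28)[0],
    }


def ghostballs_indicators(entry: bytes, data: bytes) -> dict:
    """Return each identification mark from the report as a separate boolean."""
    info = parse_dir_entry(entry)
    return {
        "is_com": info["ext"] == "COM",
        "seconds_62": info["seconds"] == 62,
        "zero_tail": len(data) >= ZERO_TAIL and data[-ZERO_TAIL:] == bytes(ZERO_TAIL),
        # Assumption: the JMP at offset 0 is a near (0xE9) or short (0xEB) jump.
        "leading_jmp": data[:1] in (b"\xe9", b"\xeb"),
        "marker_text": MARKER_TEXT in data,
    }


def make_entry(name: str, ext: str, seconds_field: int, size: int) -> bytes:
    """Build a constructed directory entry for the demo (12:00, 1989-11-02)."""
    time_word = (12 << 11) | (0 << 5) | seconds_field
    date_word = ((1989 - 1980) << 9) | (11 << 5) | 2
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(), ext.encode(),
                       0x20, time_word, date_word, 2, size)


# Constructed sample buffers: placeholder bytes only, no virus code.
CLEAN = b"\xb4\x4c\xcd\x21" + b"\x90" * 60
FLAGGED = b"\xe9\x00\x01" + b"\x90" * 100 + MARKER_TEXT + bytes(ZERO_TAIL)

if __name__ == "__main__":
    for label, data, sec in (("CLEAN", CLEAN, 15), ("FLAGGED", FLAGGED, 31)):
        print(label, ghostballs_indicators(make_entry(label, "COM", sec, len(data)), data))
```

The seconds mark has to be read from the raw directory entry, because file APIs that convert the timestamp into a normal time value may not show 62. A zero tail or a leading JMP alone also occurs in clean programs, so treat the booleans as corroborating marks rather than a verdict.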