home *** CD-ROM | disk | FTP | other *** search
-
- *********************************************
- *** Reports collected and collated by ***
- *** PC-Virus Index ***
- *** with full acknowledgements ***
- *** to the authors ***
- *********************************************
-
-
- ===== Computer Virus Catalog 1.2: "Perfume" Virus (20-July-1990) =====
- Entry................. "Perfume" Virus
- Alias(e).............. = "4711" = "765" Virus
- Strain................ ---
- Detected: when........ ---
- where....... ---
- Classification........ Program virus, resident COM infector
- Length of virus....... 765 bytes added to COM files
-
- ----------------------- Preconditions --------------------------------
-
- Operating System(s)... MS-DOS
- Version/Release....... 2.0 and up
- Computer models....... Any IBM-compatibles
-
- ------------------------Attributes -----------------------------------
-
- Easy identification... Contains in one version the following strings:
- "G-VIRUS V2.0",0Ah,0Dh,
- "Bitte gebe den G-Virus Code ein : $" <CRLF>
- 0Ah,0Dh,"Tut mir Leid !",0Ah,0Dh,"$";
- (trans- lated 2nd and 3rd strings: "please
- input G-virus code"; "sorry"); in another
- version there is a block of 88(dec) bytes
- that contain 00h.
-
- Type of infection..... The virus makes itself resident and intercepts
- INT 21 upon subfunction 4Bh (load+execute);
- virus TSR tries to infect the loaded file
- by appending itself to it. Infectable files
- have extension COM and are less than FC00h
- (64512d) bytes long.
-
- Infection trigger..... Loading of a file triggers infection mechanism.
-
- Interrupts hooked..... INT 21
-
- Damage................ A password is demanded after an infected file
- has been invoked more than 80 times. Initial
- message is the first string given above. If
- the given password is not "4711" (name of a
- well known German perfume), the virus will
- display the second message and terminate the
- program. In the hacked version of the virus,
- all messages have been zeroed out including
- the termination characters ("$") which
- causes the virus to output its code as text
- till the first $-character. Also the input
- buffer size for the password iterrogation
- has been zeroed which causes unpredictable
- results upon entry of too many characters.
-
- Particularities....... Under a rare circumstance, the virus can
- produce a variant of itself which won't be
- able to identify itself and thus will infect
- a file more than once; this is one of
- several bugs in the virus.
-
- ----------------------- Acknowledgement ------------------------------
-
- Location.............. Micro-BIT Virus Center RZ Universitaet
- Karlsruhe
-
- Classification by..... Christoph Fischer
- Dokumentation by ..... Christoph Fischer
- Date.................. 14-April-1990
-
- ====================== End of "Perfume" Virus ========================
-
-
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
- �
