Selected viruses, spyware, and other threats: sorted alphabetically
This 4096 bytes long virus is a very complex stealth COM and EXE infector. After an infected file is started the virus tunnels the interrupt INT 21h vector to gain its original address. After installation into memory it moves to its top overwriting the resident copy COMMAND.COM. This will cause its new introduction while the virus attacks COMMAND.COM. The virus marks the memory block in which it is resident as one belonging to DOS. The virus uses stealth technology and that is why the infected file looks like an uninfected one. The virus has a very odd way of finding out whether a file, which it intends to attack, is executable – it implements a check sum of the file extension. But this activity causes that the virus can attack also files with different extensions (e.g. *.MEM, *.BMP, *.LOG, *.TBL, *. PIF). If the virus successfully attacks a file it would mark it so that it increases the year of origin by 100 and sets seconds to a nonsensical value of 62. Stealth of the virus is almost perfect but when the program CHKDSK is used and the virus is present in memory, the CHKDSK program will detect a disagreement between the number of memory blocks allocated for the infected file and its length. The virus reinstalls the original length of the file as well as the original time and date of origin. When the file is opened the virus disinfects it, and when the file is closed, the virus attacks it again. At certain circumstances this mechanism can be used also for cleaning the infected files. After September 22 the virus writes a code into hard disc MBR. This code should display the following text on the monitor:
FRODO LIVES !
The text should be surrounded by moving rectangles. But there is something wrong with this code and the message never appears. For those who might not know, Frodo is a character from books by J.R.R. Tolkien (Lord of the Rings).
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.