textfiles/virus/NCSA/ncsa103.txt

                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ
                    <20>        VIRUS REPORT         <20>
                    <20>        Palette Virus        <20>
                    <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

Synonyms: Zero Bug virus, 1536 virus

Date of Origin: September, 1989.

Place of Origin: The Netherlands

Host Machine: PC compatibles.

Host Files: COM files. Memory resident.

Increase in Size of Infected Files: 1536 bytes.

Detected by: Scanv38+, F-Prot.

Removed by: Scan/D, F-Prot, or delete the infected files.

Scan Code: EB 2B 90 5A 45 CD 60 2E C6 06 25 06 01 90 2E 80 3E 26 06 00 8D
3E 08 06 0E 07 75 5E 2E C6 06 26 06 05 90.

     This virus infects .COM files, causing them to grow by 1536 bytes,
but its main mission is to infect the copy of COMMAND.COM that is pointed
to by the environment variable COMSPEC. If COMSPEC does not point to
anything useful, the virus will install itself as a resident extension,
taking over INT 21h.

     From the moment the virus has infected COMMAND.COM or has installed
itself as a TSR, the virus will intercept DOS INT 21h, function calls 11h
(find first file), 12h (find next file), 57 (get/set file date & time),
3Eh (close file), 40h (write to file or device) and 3Ch (create file).

     All COM files that are accessed via function calls 3Ch, 3Eh and 40h
(by DOS itself or from any other program) will be infected by the virus.
This includes actions like COPY and XCOPY. Any COM file you create by
yourself via a compiler, linker, DEBUG or EXE2BIN will also be infected.

     The extra 1536 bytes in infected files will not show up when you
display a directory of your disk. The virus intercepts DOS function
calls Find First, Find Next and Get/Set file date & time. If a COM file
found by these DOS functions has been infected by the virus, the
information in the DTA (Disk Transfer Area) will be changed to show the
actual filesize minus 1536 bytes. DIR and most full-screen file
utilities (Like Norton and PCTOOLS) will be fooled by this trick. This
makes it very hard to detect the virus by simply checking the size of COM
files, because infected files will show up with their ORIGINAL size!

     If (and only if) the currently loaded COMMAND.COM is infected, the
virus will also hook the timer interrupt 1Ch. After a while a smiley face
(ASCII character 01) will move over your screen and "eat" all zeroes it
can find. Hence the name "Zero Bug" for this virus. The virus does not
format disks or erase files.

     The virus seems not to be spread very widely and may be rather new.


<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͻ
<EFBFBD>  This document was adapted from the book "Computer Viruses",       <20>
<EFBFBD>  which is copyright and distributed by the National Computer       <20>
<EFBFBD>  Security Association. It contains information compiled from       <20>
<EFBFBD>  many sources. To the best of our knowledge, all information       <20>
<EFBFBD>  presented here is accurate.                                       <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  Please send any updates or corrections to the NCSA, Suite 309,    <20>
<EFBFBD>  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  <20>
<EFBFBD>  and upload the information: (202) 364-1304. Or call us voice at   <20>
<EFBFBD>  (202) 364-8252. This version was produced May 22, 1990.           <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  The NCSA is a non-profit organization dedicated to improving      <20>
<EFBFBD>  computer security. Membership in the association is just $45 per  <20>
<EFBFBD>  year. Copies of the book "Computer Viruses", which provides       <20>
<EFBFBD>  detailed information on over 145 viruses, can be obtained from    <20>
<EFBFBD>  the NCSA. Member price: $44; non-member price: $55.               <20>
<EFBFBD>                                                                    <20>
<EFBFBD>            The document is copyright (c) 1990 NCSA.                <20>
<EFBFBD>                                                                    <20>
<EFBFBD>  This document may be distributed in any format, providing         <20>
<EFBFBD>  this message is not removed or altered.                           <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ͼ

Downloaded From P-80 International Information Systems 304-744-2253