informis/textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/NCSA/ncsa134.txt
root@procul 278a90f7ce Initial commit
2021-04-15 13:31:59 -05:00

84 lines
4.1 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ VIRUS REPORT ³
³ Vacsina ³
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
Date of Origin: August, 1989.
Place of Origin: Sophia, Bulgaria.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, SYS, and BIN files.
OnScreen Symptoms: An infected file may beep when executed.
Increase in Size of Infected Files: 1206 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or
overlay files.
Detected by: Scanv56+, F-Prot.
Removed by: CleanUp, Scan/D/A, F-Prot, or delete infected files.
Synonym: TP04VIR virus.
Developed in Sophia, Bulgaria, and possibly first reported by
reported by Chris Fischer in Germany in August, 1989. Vacsina takes over
interrupt 21 and connects to COM and EXE files. Vacsina works on
PC/MS-DOS ver. 2.0 or higher. It infects COM files increasing them by
1206 to 1221 bytes (placing the virus code on a paragraph start). It
infects EXE files in two passes: After the first pass the EXE file is 132
bytes longer; after the second pass its size increases by an aditional
1206 to 1221 bytes. The virus installs a TSR in memory wich will infect
executable files upon loading them (INT 21 subfunction 4B00) using 8208
bytes of memory.
The only "function" found so far is an audible alarm or beep(BELL
character) whenever another file is successfully infected. This suggests
that this virus is a "draft", and more is to come.
Vacsina infects COM files that are bigger than 04B6h bytes and
smaller than F593h bytes and start with a JMP (E9h). Vacsina infects EXE
files if they are smaller than FDB3 bytes (no lower limit).
The virus is named<Note: by Torsten Boerstler, Christoph Fischer and
Rainer Stober of the Micro-BIT Virus Team, University of Karlsruhe, West
Germany.> "vacsina" because it opens a file named VACSINA. It doesn't
check the return status of the open call, and never touches the file
until the end of the virus code, where it closes the file (again ignoring
the return code). It is believed that vacsina is a prematurely-escaped
virus (or code built to detect viruses), and that the virus programmer
will add some code in a later version of the virus.
To detect the original virus, search for the word VACSINA (all
capitals).
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º This document was adapted from the book "Computer Viruses", º
º which is copyright and distributed by the National Computer º
º Security Association. It contains information compiled from º
º many sources. To the best of our knowledge, all information º
º presented here is accurate. º
º º
º Please send any updates or corrections to the NCSA, Suite 309, º
º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º
º and upload the information: (202) 364-1304. Or call us voice at º
º (202) 364-8252. This version was produced May 22, 1990. º
º º
º The NCSA is a non-profit organization dedicated to improving º
º computer security. Membership in the association is just $45 per º
º year. Copies of the book "Computer Viruses", which provides º
º detailed information on over 145 viruses, can be obtained from º
º the NCSA. Member price: $44; non-member price: $55. º
º º
º The document is copyright (c) 1990 NCSA. º
º º
º This document may be distributed in any format, providing º
º this message is not removed or altered. º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

Downloaded From P-80 International Information Systems 304-744-2253
Reference in New Issue View Git Blame Copy Permalink