68 lines
3.3 KiB
Plaintext
68 lines
3.3 KiB
Plaintext
Virus Name: XYZ
|
|
Aliases: X-AMINE YOUR ZIPPER
|
|
V Status: New, Research Viron
|
|
Discovery: January, 1994
|
|
Symptoms: None - Pure Stealth
|
|
Origin: USA
|
|
Eff Length: 440 Bytes
|
|
Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector
|
|
Detection Method: None
|
|
Removal Instructions: See Below
|
|
|
|
General Comments:
|
|
|
|
The XYZ virus is a HMA memory resident overwriting direct action
|
|
infector. The virus is a pure 100% stealth virus with no detectable
|
|
symptoms. No file length increase; overwritten .EXE files execute
|
|
properly; no interrupts are directly hooked; no change in file date or
|
|
time; no change in file attributes; no change in available memory;
|
|
INT 12 is not moved; no cross linked files from CHKDSK; when resident
|
|
the virus cleans programs on the fly; works with all 80?86 processors;
|
|
VSAFE.COM does not detect any changes; Thunder Byte's Heuristic virus
|
|
detection does not detect the virus; Windows 3.1's built in warning
|
|
about a possible virus does not detect XYZ.
|
|
|
|
The XYZ virus will only load if DOS=HIGH in the CONFIG.SYS file. The
|
|
first time an infected .EXE file is executed, the virus goes memory
|
|
resident in the HMA (High Memory Area). The hooking of INT 13 is
|
|
accomplished using a tunnelling technique, so memory mapping utilities
|
|
will not map it to the virus in memory. It then reloads the infected
|
|
.EXE file, cleans it on the fly, then executes it. After the program
|
|
has been executed, XYZ will attempt to infect 15 .EXE files in the
|
|
current directory.
|
|
|
|
If the XYZ virus is unable to install in the HMA or clean the infected
|
|
.EXE on the fly, the virus will reopen the infected .EXE file, remove
|
|
itself, and then write the cleaned code back to the .EXE file. It
|
|
then reloads the clean .EXE file and executes it. The virus can not
|
|
clean itself on the fly if the disk is compressed with DBLSPACE or
|
|
STACKER, so it will clean the infected .EXE file and write it back.
|
|
It will also clean itself on an 8086 or 8088 processor.
|
|
|
|
It will infect an .EXE if it is executed, opened for any reason or
|
|
even copied. When an uninfected .EXE is copied, both the source and
|
|
destination .EXE file are infected.
|
|
|
|
The XYZ virus overwrites the .EXE header if it meets certain criteria.
|
|
The .EXE file must be less than 62K. The file does not have an
|
|
extended .EXE header. The file is not SETVER.EXE. The .EXE header
|
|
must be all zeros from offset 72 to offset 512; this is where the XYZ
|
|
virus writes it code. The XYZ virus then changes the .EXE header to
|
|
a .COM file. Files that are READONLY can also be infected.
|
|
|
|
The text string "XYZ" and "ZYX" appear in the virus code but are not
|
|
displayed.
|
|
|
|
The XYZ virus has a companion virus that it works with. The GOLD-BUG
|
|
virus also goes memory resident in the HMA and reserves space for the
|
|
XYZ virus.
|
|
|
|
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
|
|
your CONFIG.SYS file. Reboot the system. Then run each .EXE file
|
|
less than 62k. The virus will remove itself from each .EXE program
|
|
when it is executed. Or, leave DOS=HIGH in you CONFIG.SYS; execute
|
|
an infected .EXE file, then use a tape backup unit to copy all your
|
|
files. The files on the tape have had the virus removed from them.
|
|
Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the
|
|
system. Restore from tape all the files back to your system.
|