********************************************* *** Reports collected and collated by *** *** PC-Virus Index *** *** with full acknowledgements *** *** to the authors *** ********************************************* ALABAMA VIRUS ============= Extract form Virus-L 2:214 Date: Thu, 05 Oct 89 14:33:43 +0200 From: Y. Radai, Hebrew University of Jerusalem Two new viruses have been discovered in Israel. One of them is called the Alabama virus (The other, reported separately, was 4K). It infects EXE files and increases their size by 1560 bytes. Unlike many other resident viruses, it does not use Int 21h function 31h to stay resident. It loads itself 30K under the highest memory location reported by DOS, but (unlike MIX1) it does not lower the amount of memory reported by BIOS or DOS. It hooks Int 9 and checks for Ctrl-Alt-Del. (It uses IN and OUT commands to confuse anti-virus people.) When it identifies this com- bination it causes an apparent boot but remains in RAM. After 1 hour of operation (the virus checks the time on each Int 9 or Int 21 call), the following flashing boxed message appears: SOFTWARE COPIES PROHIBITED BY INTERNATIONAL LAW.............. Box 1055 Tuscambia ALABAMA USA. This virus does not necessarily infect the file which is currently being executed. First it looks for an uninfected file in the current directory, and if it finds one it infects it. Only if it does not find one does it infect the executed file. But sometimes, when it finds an uninfected file, instead of infect- ing it, it will *exchange* it with the currently executed file without renaming it, so that the user will think that he is executing one pro- gram while he is actually executing another one! My thanks to Eli Shapira for this info. Y. Radai Hebrew Univ. of Jerusalem ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++