*********************************************
***   Reports collected and collated by   ***
***            PC-Virus Index             ***
***      with full acknowledgements       ***
***            to the authors             ***
*********************************************

====== Computer Virus Catalog 1.2: "dBase" Virus (15-Feb-1990) =======
Entry...............: "dBase" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: October 1989
              where.: ---
Classification......: Link - Virus (extending), RAM - resident
Length of Virus.....: .COM - Files: Program length increases by
                      1864 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PC, XT, AT and compatibles
--------------------- Attributes ------------------------------------
Easy Identification.: Typical text in Virus body (readable with
                      HexDump-utilities): "c:\bugs.dat"
Type of infection...: System: RAM-resident, infected if function
                         FB0AH of INT 21H returns with 0AFBH in AX
                         register.
                      .COM file: extended by using EXEC-function.
                         A file will only be infected once.
                      .EXE File: no infection.
Infection Trigger...: When function 4B00H of INT 21H (EXEC) is called.
Interrupts hooked...: INT 21H
Damage..............: Permanent Damage:
                      1. Every time a .DBF file is created in an
                         infected system with function 3CH, 5BH or
                         6CH of INT 21H, the complete filename of
                         the new .DBF file will be inserted in the
                         hidden file "c:\bugs.dat".
                      2. On every write operation to a file
                         registered in "bugs.dat", all neighboring
                         bytes will be interchanged (e.g.:
                         "01 02 03 04" changed to "02 01 04 03").
                      3. On every read operation from a file
                         registered in "bugs.dat", the bytes will be
                         interchanged again, so that no modification
                         is visible.
                      4. If the filename of the .DBF file is
                         modified, so that it does not correspond to
                         the filename registered in "bugs.dat", or
                         read/write operations happen in a
                         non-infected system, the bytes will no
                         longer be modified by the virus and they
                         appear defective.
                      Transient Damage:
                         Every time a new .DBF file is created, the
                         virus examines the age of "bugs.dat". If
                         the difference between the month of
                         creation and the current month is greater
                         than 2, the computer will hang in an
                         endless loop.
Particularities.....: - In case of a program error in the virus,
                        single bytes in the .DBF file could be
                        overwritten incorrectly by write operations!
                      - Programs longer than 63415 bytes are no
                        longer loadable.
Special remark......: The original virus contains code which erases
                      (INT 21) the infected DBF file structure after
                      a certain time; Ross Greenberg, who detected
                      this virus, patched the essential instruction
                      with INT 03 such that the destructive part no
                      longer works; the rest of the code was not
                      changed. Unfortunately, the changed code
                      escaped one virus expert's computer.
------------------ Agents -------------------------------------------
Countermeasures.....: Category 3: ANTI_DBS.EXE (VTC Hamburg)
- ditto - successful: ANTI_DBS.EXE finds and restores infected
                      programs (only for DBASE).
Standard means......: Notice .COM file length. Typical text in virus
                      body: "c:\bugs.dat", which is also created in
                      the root directory.
------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Lippke
Documentation by....: Thomas Lippke
Date................: January 20, 1990
===================== End of "DBase"-Virus ===========================

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
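
Added example (not part of the catalog entry and not the ANTI_DBS.EXE method): a recovery-side check for the damage described in points 2 to 4, deciding whether a .DBF read on a clean system is intact or has its neighboring bytes interchanged, and undoing the interchange. The function names are hypothetical, the dBASE III header layout comes from the file format rather than from this entry, and the code assumes the pairs are aligned to file offset 0 with an odd trailing byte left untouched.

```python
import struct

def swap_pairs(buf: bytes) -> bytes:
    """Interchange neighboring bytes (01 02 03 04 -> 02 01 04 03).
    Applying it twice restores the input. Assumption: an odd trailing
    byte is left as it is (the entry does not cover that case)."""
    out = bytearray(buf)
    even = len(out) & ~1
    out[0:even:2], out[1:even:2] = buf[1:even:2], buf[0:even:2]
    return bytes(out)

def dbf_header_ok(data: bytes) -> bool:
    """Plausibility test for a dBASE III header: version byte, last-update
    date, header length of 32 + 32*fields + 1, and the 0x0D terminator."""
    if len(data) < 33:
        return False
    version, mm, dd = data[0], data[2], data[3]
    hdr_len, rec_len = struct.unpack_from("<HH", data, 8)
    return (version in (0x03, 0x83) and 1 <= mm <= 12 and 1 <= dd <= 31
            and hdr_len >= 33 and (hdr_len - 33) % 32 == 0
            and hdr_len <= len(data) and data[hdr_len - 1] == 0x0D
            and rec_len >= 1)

def triage(data: bytes) -> str:
    """Classify file contents as 'intact', 'pair-swapped' or 'unknown'."""
    if dbf_header_ok(data):
        return "intact"
    if dbf_header_ok(swap_pairs(data)):
        return "pair-swapped"
    return "unknown"

def build_sample_dbf() -> bytes:
    """Constructed sample: one 10-byte character field, one record."""
    header = struct.pack("<BBBBIHH", 0x03, 90, 2, 15, 1, 65, 11) + bytes(20)
    field = b"NAME".ljust(11, b"\0") + b"C" + bytes(4) + bytes([10, 0]) + bytes(14)
    return header + field + b"\r" + b" SAMPLE    " + b"\x1a"

if __name__ == "__main__":
    clean = build_sample_dbf()
    damaged = swap_pairs(clean)          # what a clean system would read
    for name, blob in (("clean", clean), ("damaged", damaged)):
        verdict = triage(blob)
        fixed = swap_pairs(blob) if verdict == "pair-swapped" else blob
        print(name, verdict, "restored ok:", fixed == clean)
```

Run the restore only on a copy of the file: if the writes were not aligned to even file offsets, the pairing differs and this check reports "unknown" instead of guessing.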