Chinese_Fish Virus (31-July-1993)

Entry...............: Chinese_Fish Virus
Alias(es)...........: Fish Boot Virus
Virus Strain........: ---
Virus detected when.: Early 1992
              where.: ---
Classification......: Memory-resident System (MBR, FBR) infector.
Length of Virus.....: 1. Length (Byte) on media: 1527 bytes (3 sectors)
                      2. Length (Byte) in memory: does not reserve memory

--------------------- Preconditions ------------------------------------
Operating System(s).: DOS
Version/Release.....:
Computer model(s)...: IBM PCs and compatibles

--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: Self-Identification in memory: ---
                      Self-Identification on disk: BR[B3h] = 2015h
                      System infection: MBR infected at bootup from an
                      infected floppy. Virus + ORG.MBR saved at sec 8-10,
                      cyl 0, head 0.
                      FBR infected when accessed from an infected system.
                      Virus + ORG.MBR saved at the following:
                        1.44 MB = sec 11-13, cyl 79, head 0
                        720 KB  = sec 01-03, cyl 79, head 0
                        1.2 MB  = sec 01-03, cyl 79, head 0
                        360 KB  = sec 01-03, cyl 39, head 0
Infection Trigger...: Reading or writing HD or FD after booting from an
                      infected system or floppy.
Storage media affected: HD and FD
Interrupts hooked...: INT 13h
Damage..............: Permanent Damage:
                      On harddisk: sec 8-10, cyl 0, head 0 on the HD is
                      overwritten with virus code and ORG.MBR. This is
                      usually non-fatal, as these sectors are unused on
                      most machines.
                      On floppy:
                                  Sec    Cyl  Head
                        1.44 MB = 11-13, 79,  0
                        720 KB  = 01-03, 79,  0
                        1.2 MB  = 01-03, 79,  0
                        360 KB  = 01-03, 39,  0
                      These sectors may be in use if the floppy is nearly
                      full. Recovery of overwritten sectors is almost
                      impossible.
                      Transient Damage:
                      Since the virus does not reserve any memory for
                      itself, it can easily be overwritten after or
                      during startup of the machine. If the virus is
                      overwritten, the machine will crash on the next
                      INT 13h issued, as the virus INT 13h handler no
                      longer exists.
                      When the trigger conditions hold, the following
                      message is displayed black on white in the upper
                      right corner of the screen:
                        "Hello! I am FISH, please don't kill me.
                         Congratulate 80th year of the Republic Of China
                         Building,Fish will help to kill stone
                         Written by Fish in NTIT. TAIWAIN 80.10.18"
Damage Trigger......: Permanent Damage: Reading/writing HD or FD after
                      booting from an infected system or floppy.
                      Transient Damage: Text message displayed on every
                      INT 13h issued on the 1st, 11th, 21st and 31st of
                      any month during 1992 (uses INT 1Ah).
Particularities.....: 1) Leaves the start of the FBR alone and plays by
                         the rules, making it hard to detect with
                         heuristic scanning.
                      2) Does not reserve the memory it uses.
                      3) Extensive checking for both itself and the
                         Stoned.Michelangelo virus, making it possible
                         for Chinese_Fish to survive if both viruses
                         infect the same media. Stoned.Michelangelo will
                         always be overwritten by Chinese_Fish, so the
                         virus works like an anti-Michelangelo program,
                         spreading from machine to machine and eradicating
                         Stoned.Michelangelo wherever it comes across it.
                      4) Redirects attempts to read or write the sectors
                         where the rest of the virus + ORG.MBR are
                         stored, as well as the usual redirection of MBR
                         requests.
Similarities........: ---
Stealth techniques..: HD: Returns sec 11, cyl 0, head 0 on read or write
                      requests for sectors 8-10, cyl 0, head 0, and
                      sec 10, cyl 0, head 0 on read or write requests
                      for sec 1, cyl 0, head 0 (MBR).
                      FD: Returns the original FBR on requests for the
                      boot sector containing the virus.

--------------------- Agents -------------------------------------------
Countermeasures.....: F-PROT 2.07 can be used to detect/verify infection.
Standard means......: FDISK/MBR after booting from a certified virus-free
                      system diskette will disinfect the harddisk.

--------------------- Acknowledgement ----------------------------------
Location............: The University of Trondheim
                      The Norwegian Institute of Technology
                      Faculty of Electrical Engineering and Computer
                      Science
Classification by...: Henrik Stroem, Stroem System Soft
Documentation by....: Henrik Stroem, Stroem System Soft
Date................: 17-April-1993
Information Source..: Reverse-Engineering of virus code
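As an added illustration (not part of the catalog entry or its author's work), the following Python helper applies the entry's disk-level facts to a raw image: it checks the self-identification word at BR[B3h] for 2015h, computes where the three "Virus + ORG.MBR" stash sectors lie from the CHS locations listed above, and, for a harddisk, reads the original MBR back from sec 10, cyl 0, head 0, the sector the stealth description says MBR reads are redirected to. The floppy geometries (cylinders/heads/sectors per track), the little-endian reading of the marker word, and the sample image are assumptions or constructed test data, not taken from the entry.

```python
import struct

SECTOR = 512
# Standard floppy geometries (cylinders, heads, sectors per track): assumed, not stated in the entry.
GEOMETRY = {"1.44MB": (80, 2, 18), "720KB": (80, 2, 9), "1.2MB": (80, 2, 15), "360KB": (40, 2, 9)}
# Where the entry says "Virus + ORG.MBR" is saved, as (first sector, cylinder, head); three sectors long.
STASH = {"HD": (8, 0, 0), "1.44MB": (11, 79, 0), "720KB": (1, 79, 0), "1.2MB": (1, 79, 0), "360KB": (1, 39, 0)}

def chs_to_lba(sec, cyl, head, spt, heads):
    """Classic CHS -> LBA conversion; sector numbers are 1-based."""
    return (cyl * heads + head) * spt + (sec - 1)

def has_fish_marker(boot_record):
    """Entry's on-disk self-identification: the 16-bit word at BR[B3h] equals 2015h (read little-endian, assumed)."""
    if len(boot_record) < 0xB5:
        return False
    return struct.unpack_from("<H", boot_record, 0xB3)[0] == 0x2015

def stash_offsets(media):
    """Byte offsets of the three stash sectors inside a raw image of the given media type."""
    sec, cyl, head = STASH[media]
    if media == "HD":
        spt, heads = 1, 1  # cyl 0 / head 0 is the first track, so the HD geometry does not matter
    else:
        _, heads, spt = GEOMETRY[media]
    first = chs_to_lba(sec, cyl, head, spt, heads)
    return [(first + i) * SECTOR for i in range(3)]

def recover_original_mbr(hd_image):
    """HD only: the entry says MBR reads are answered with sec 10, cyl 0, head 0, i.e. the last stash sector."""
    off = stash_offsets("HD")[-1]
    return bytes(hd_image[off:off + SECTOR])

def scan_image(image, media):
    """Report whether the boot record carries the marker and which offsets a responder should preserve."""
    return {"infected": has_fish_marker(image[:SECTOR]), "stash": stash_offsets(media)}

def build_infected_hd_image():
    """Constructed sample: 11 sectors of track 0 with the marker set and a fake original MBR parked at sec 10."""
    img = bytearray(SECTOR * 11)
    struct.pack_into("<H", img, 0xB3, 0x2015)
    orig = bytearray(SECTOR)
    orig[:4], orig[510:] = b"ORIG", b"\x55\xAA"
    img[9 * SECTOR:10 * SECTOR] = orig
    return img
```

Because the virus answers INT 13h requests for these sectors with other sectors, the image must be taken from a system booted clean (as the entry's "Standard means" requires), not through the infected machine's BIOS services.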