Exe_Bug.Hooker Virus (20-Feb-1993)

Entry...............: Exe_Bug.Hooker Virus
Alias(es)...........: ---
Virus Strain........: Exe_Bug Virus Strain
Virus detected when.:
              where.: South Africa (there common in January 1993)
Classification......: Memory-resident System (MBR,FBR) infector,
                      stealth, tunnelling.
Length of Virus.....: 1.Length (Byte) on media: 1 sector
                      2.Length (Byte) in memory: 1 kByte
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....:
Computer model(s)...: IBM PCs and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: Self-Identification in memory: ---
                      Self-Identification on disk: MBR[60h..61h]=BAh 80h
                      System infection: MBR/FBR infector; stores original
                         boot sector at location 0/0/17 (HD) or at
                         LAST_R (FD)
Infection Trigger...: At bootup from an infected floppy (hard);
                      during INT 13h/AH=02 (floppy)
Storage media affected: HD/FD
Interrupts hooked...: INT 13h/02, INT 13h/03 (stealth mechanism)
Damage..............: Permanent Damage: Sectors on hard drive converted
                         to disc-trashing trojan.
                      Transient Damage: ---
Damage Trigger......: Permanent Damage: INT13h/write AND
                         buffer[0..1]="MZ" AND CL=counter
                      Transient Damage: ---
Particularities.....: Can't format floppies.
                      Virus contains encrypted text "HOOKER" (NOT
                      displayed as message). When the Trojan (48 bytes
                      long) is written to disk, string "HOOKER" is
                      appended to it.
Similarities........: Exe-Bug.A Virus
--------------------- Agents -------------------------------------------
Countermeasures.....:
Countermeasures successful:
Standard means......:
--------------------- Acknowledgement ----------------------------------
Location............:
Classification by...: Paul Ducklin
Documentation by....: Paul Ducklin (CARObase)
                      Klaus Brunnstein (conversion to CVC format)
Date................: 1993-February-15
Information Source..: Reverse-engineering of virus code.