FEXE Virus (31-January-1992)
Entry...............: FEXE = FEXE 1.0 Virus
Alias(es)...........: ---
Virus Strain........: FICHV Virus Strain
Virus detected when.:
              where.:
Classification......: Program (EXE) infector, memory resident
Length of Virus.....: 1. Length on media: 897 ($381) bytes;
                      2. Length in memory: 2,288 bytes.
--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: DOS 2 and upwards
Computer model(s)...: IBM PC/AT & compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Infected files are 897 bytes longer than clean
                      EXE files. Free memory space is decreased by
                      2288 bytes. File time is set to 62 seconds.
                      In memory, the text "** FEXE 1.0 vous a eu **"
                      can be found (28 bytes below Int_21 entrypoint).
Signature...........: AC 32 07 AA 43 3B DA 72 03 BB
                      Remark: this string is a part of the virus'
                      decryption routine, but is rather unique due
                      to its programming error.
Type of infection...: The virus appends itself to the end of an EXE
                      file and changes the EXE-header.
Infection Trigger...: Whenever an infected file is executed, the
                      virus will go resident and thereby infect the
                      first uninfected EXE-file (found via "Search
                      First", "Search Next"). Upon any "Execute" or
                      "Open file" operation (INT 21, ah=$4B/$3D), the
                      virus will infect the first uninfected EXE-file
                      in the same manner.
Storage media affected: EXE files on any disk/diskette
Interrupts hooked...: INT 21 (functions ah=$4B, ah=$3D)
Damage..............: The virus will overwrite the first 6 sectors on
                      both sides of each track, starting from track
                      0, with the text "** FEXE 1.0 vous a eu **".
Damage Trigger......: Activating an infected file during April (any
                      year).
Particularities.....: The virus uses a simple self-encryption, which
                      was possibly planned as a complex decryption,
                      but due to a programming error operates only
                      in a simple manner (XOR).
                      It always uses standard INT 21 functions
                      (including "Terminate/stay resident": ah=$31).
Similarities........: FICHV viruses (which infect COM files only).
--------------------- Agents -----------------------------------------
Countermeasures.....: No countermeasures known.
Countermeasures successful: Ditto. (Tested antivirus programs do not
                      detect it)
Standard means......: Delete infected EXE files & install clean ones.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Toralv Dirro
Documentation by....: Toralv Dirro
Date................: 31-January-1992
Information Source..: In-depth analysis of virus code
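
An added example, not part of the original catalog entry or of any Virus Test Center tool: a Python check for the identification marks listed under Attributes (the 10-byte signature and the 62-second file time). It assumes the appended body is the last 897 bytes of the file and that the caller supplies the 16-bit packed DOS time word from the directory entry; the sample buffers are constructed and contain no virus code.

```python
# Values taken from the catalog entry above.
SIGNATURE = bytes.fromhex("AC3207AA433BDA7203BB")
VIRUS_LEN = 897        # bytes appended to an infected EXE
MARKER_SECONDS = 62    # "seconds" value the entry says is set on infected files


def dos_seconds(dos_time):
    """Seconds stored in a packed DOS time word (low 5 bits, 2-second units)."""
    return (dos_time & 0x1F) * 2


def check_exe(data, dos_time=None):
    """Return the list of FEXE indicators found for one file image."""
    hits = []
    if data[:2] not in (b"MZ", b"ZM"):
        return hits  # the entry describes an EXE infector only
    # Assumption: the appended body occupies the last VIRUS_LEN bytes.
    if len(data) > VIRUS_LEN and SIGNATURE in data[-VIRUS_LEN:]:
        hits.append("signature in appended tail")
    elif SIGNATURE in data:
        hits.append("signature outside tail")
    # A seconds field of 31 decodes to 62, which no normal write produces.
    if dos_time is not None and dos_seconds(dos_time) == MARKER_SECONDS:
        hits.append("file time seconds = 62")
    return hits


# Constructed sample data: zero-filled buffers with the signature placed
# at an arbitrary offset inside an 897-byte tail.
CLEAN = b"MZ" + bytes(510)
TAIL = bytes(100) + SIGNATURE + bytes(VIRUS_LEN - 100 - len(SIGNATURE))
INFECTED = CLEAN + TAIL
NOON_30S = (12 << 11) | 15   # 12:00:30, an ordinary timestamp
NOON_62S = (12 << 11) | 31   # 12:00:62, the marker value

if __name__ == "__main__":
    print(check_exe(CLEAN, NOON_30S))
    print(check_exe(INFECTED, NOON_62S))
```

Modern file APIs normalise timestamps, so the 62-second mark is only visible when the raw FAT directory entry or a disk image is read.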