FICHV 2.0 Virus (31-January-1992)

Entry...............: FICHV 2.0 Virus
Alias(es)...........: ---
Virus Strain........: FICHV Virus Strain
Virus detected when.:
              where.:
Classification......: Program (COM) infector, memory resident
Length of Virus.....: 1. Length on media: 896 ($380) bytes;
                      2. Length in memory: 1,248 bytes.
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: DOS 2 and upwards
Computer model(s)...: IBM PC/AT & compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Infected files are 896 bytes longer than clean
                      COM files. The amount of free RAM is decreased
                      by 1248 bytes. File time is set to 62 seconds.
                      In memory, the text "****FICHV 2.0 vous a eu**"
                      can be found (690 bytes below the Int 21 entry
                      point).
Signature...........: AC 32 07 AA 43 3B DA 72 03 BB
                      Remark: this string is a part of the virus'
                      decryption routine, but is rather unique due
                      to its programming error.
Type of infection...: The virus appends the first 896 bytes of an
                      infected program to the end of the COM file,
                      then overwrites the first 896 bytes.
Infection Trigger...: Whenever an infected file is executed, the
                      virus will go resident and thereby infect the
                      first uninfected EXE-file (found via "Search
                      First", "Search Next"), if the free disk space
                      is >3,000 bytes and the file is longer than
                      1,500 bytes. When the virus is resident,
                      whenever INT 21 "Execute" ($4B) is called, the
                      virus will infect the first uninfected COM-file.
Storage media affected: COM files on any disk/diskette
Interrupts hooked...: INT 21 (function ah=$4B).
Damage..............: Virus will overwrite the first 6 sectors on
                      both sides of each track, starting from track
                      0, with the text "****FICHV 2.0 vous a eu**".
Damage Trigger......: Execution of an infected program during March
                      (any year).
Particularities.....: Virus uses a simple self-encryption, which was
                      possibly planned as a complex decryption, but
                      due to a programming error operates only in a
                      simple manner (XOR). It always uses standard
                      INT 21 functions (including "Terminate/stay
                      resident": ah=$31).
                      Side effect #1: The virus does not check if the
                      file to be infected is smaller than 64,640
                      bytes; therefore, an infected COM file may grow
                      larger than 65,535 bytes and then cannot be
                      executed any longer.
                      Side effect #2: Virus overwrites memory at
                      location 6000:0; therefore, conflicts (crashes)
                      with other TSRs are possible.
Similarities........: FICHV 2.1, FEXE virus
--------------------- Agents -----------------------------------------
Countermeasures.....: F-Prot 2.02 suspects the virus to be a new
                      variant of the FICHV-Virus.
Countermeasures successful: None at classification time.
Standard means......: Delete infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Toralv Dirro
Documentation by....: Toralv Dirro
Date................: 31-January-1992
Information Source..: In-depth analysis of virus code
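
The "Easy Identification" and "Signature" criteria above can be checked against a FAT disk image without running anything from it. The following is an added example, not part of the original catalog entry: it decodes a 32-byte FAT directory entry (the seconds field stores seconds/2, so the raw value 31 reads as 62) and searches the file content for the signature bytes. The function names, the sample entries and the sample file contents are constructed for illustration.

```python
import struct

SIGNATURE = bytes.fromhex("AC 32 07 AA 43 3B DA 72 03 BB")  # "Signature" field
VIRUS_LEN = 896       # "Length on media"
MARKER_SECONDS = 62   # "File time is set to 62 seconds"


def parse_dir_entry(entry: bytes) -> dict:
    """Decode the fields of a 32-byte FAT directory entry used below."""
    if len(entry) != 32:
        raise ValueError("FAT directory entry must be 32 bytes")
    # Offset 22: time word, date word, start cluster, file size.
    time_word, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
    return {
        "name": entry[0:8].decode("ascii", "replace").rstrip(),
        "ext": entry[8:11].decode("ascii", "replace").rstrip(),
        # Low 5 bits hold seconds/2; a raw 31 is the impossible "62 seconds".
        "seconds": (time_word & 0x1F) * 2,
        "size": size,
    }


def fichv_indicators(entry: bytes, content: bytes) -> list:
    """Return which identification criteria from the entry this file matches."""
    info = parse_dir_entry(entry)
    # Only COM files carrying more than the 896 virus bytes are candidates.
    if info["ext"] != "COM" or info["size"] <= VIRUS_LEN:
        return []
    hits = []
    if info["seconds"] == MARKER_SECONDS:
        hits.append("time-62s")
    offset = content.find(SIGNATURE)
    if offset != -1:
        hits.append(f"signature@{offset}")
    return hits


def make_entry(name: bytes, ext: bytes, time_word: int, size: int) -> bytes:
    """Build a constructed directory entry (sample data, not from a real disk)."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3),
                       0x20, bytes(10), time_word, 0x1841, 2, size)


if __name__ == "__main__":
    # Constructed samples: 12:00 with raw seconds field 31, signature at 100.
    suspect = make_entry(b"GAME", b"COM", (12 << 11) | 31, 1110)
    body = b"\x90" * 100 + SIGNATURE + bytes(1000)
    print(fichv_indicators(suspect, body))
```

A file that matches only the timestamp marker is a weak hit, since other software can write the same seconds value; the signature match is the stronger of the two criteria.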