FICHV 2.1 Virus (31-January-1992)
Entry...............: FICHV 2.1 Virus
Alias(es)...........: 903 Virus
Virus Strain........: FICHV Virus Strain
Virus detected when.:
              where.:
Classification......: Program (COM) infector, memory resident
Length of Virus.....: 1. Length on media: 903 ($387) bytes;
                      2. Length in memory: 1,264 bytes.
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: DOS 2 and upwards
Computer model(s)...: IBM PC/AT & compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: Infected files are 903 bytes longer than clean
                      COM files. The amount of free RAM is decreased
                      by 1264 bytes. File time is set to 62 seconds.
                      In memory, the text "****FICHV 2.1 vous a eu**"
                      can be found (693 bytes below the Int 21 entry
                      point).
Signature...........: AC 32 07 AA 43 3B DA 72 03 BB
                      Remark: this string is a part of the virus'
                      decryption routine, but is rather unique due to
                      its programming error.
Type of infection...: The virus appends the first 903 bytes of an
                      infected program to the end of the file, then
                      overwrites the first 903 bytes.
Infection Trigger...: Whenever an infected file is executed, the virus
                      will go resident and thereby infect the first
                      uninfected EXE-file (found via "Search First",
                      "Search Next"), if the free disk space is
                      >3,000 bytes and the file is longer than
                      1,500 bytes. When the virus is resident,
                      whenever INT 21 "Execute" ($4B) or "Open a
                      File" ($3D) is called, the virus will infect
                      the first uninfected COM-file.
Storage media affected: COM files on any disk/diskette.
Interrupts hooked...: INT 21 (functions ah=$4B and ah=$3D).
Damage..............: Virus will overwrite the first 6 sectors on both
                      sides of each track, starting from track 0,
                      with the text "****FICHV 2.1 vous a eu**".
Damage Trigger......: Execution of an infected program during March
                      (any year).
Particularities.....: Virus uses a simple self-encryption, which was
                      possibly planned as a complex decryption, but
                      due to a programming error operates only in a
                      simple manner (XOR). It always uses standard
                      INT 21 functions (including "Terminate/stay
                      resident": ah=$31).
                      Side effect #1: The virus does not check for a
                      maximum length of the file to be infected, so
                      the infected files might grow bigger than
                      65,535 bytes and then cannot be executed any
                      longer.
                      Side effect #2: Virus overrides memory at
                      location 6000:0; therefore, conflicts (crash)
                      with other TSRs are possible.
Similarities........: FICHV 2.0, FEXE virus
--------------------- Agents -----------------------------------------
Countermeasures.....: F-Prot v 2.02 recognizes the virus as "FICHV
                      virus"; Scan v85 recognizes it as "903 virus".
Countermeasures successful: Ditto.
Standard means......: Delete infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Toralv Dirro
Documentation by....: Toralv Dirro
Date................: 31-January-1992
Information Source..: In-depth analysis of virus code.
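
Added example (not part of the catalog entry and not code from the Virus Test Center): a check that applies two of the "Easy Identification" hints, the 62-second file time and the signature string, to a file and its FAT directory entry. The helper names, verdict labels and sample data are constructed for illustration; the signature is searched for anywhere in the file because the entry gives no offset.

```python
import struct

# Values taken from the catalog entry above.
SIGNATURE = bytes.fromhex("AC 32 07 AA 43 3B DA 72 03 BB")
MARKER_SECONDS = 62

def make_entry(name: bytes, ext: bytes, time_word: int, size: int) -> bytes:
    """Build a constructed 32-byte FAT directory entry for the demo."""
    return struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3),
                       0x20, bytes(10), time_word, 0, 0, size)

def fat_seconds(entry: bytes) -> int:
    """Seconds of the file time; the low 5 bits count 2-second units."""
    (time_word,) = struct.unpack_from("<H", entry, 22)
    return (time_word & 0x1F) * 2

def check_com(entry: bytes, content: bytes) -> dict:
    """Match one file against the entry's identification hints."""
    is_com = entry[8:11] == b"COM"
    time_hit = fat_seconds(entry) == MARKER_SECONDS
    sig_at = content.find(SIGNATURE)
    hits = int(time_hit) + int(sig_at >= 0)
    # Verdict labels are this example's own, not the catalog's.
    verdict = ("not applicable" if not is_com else
               ("clean", "suspect", "likely infected")[hits])
    return {"time_hit": time_hit, "signature_offset": sig_at,
            "verdict": verdict}

# Constructed sample data (filler bytes, not virus code).
CLEAN = bytes(2000)
FLAGGED = bytes(100) + SIGNATURE + bytes(2803)
T_NORMAL = (12 << 11) | (30 << 5) | 5    # 12:30:10
T_MARKED = (12 << 11) | (30 << 5) | 31   # 12:30:62, an impossible clock value

if __name__ == "__main__":
    for label, e, c in [
        ("clean", make_entry(b"EDIT", b"COM", T_NORMAL, len(CLEAN)), CLEAN),
        ("flagged", make_entry(b"GAME", b"COM", T_MARKED, len(FLAGGED)), FLAGGED),
    ]:
        print(label, check_com(e, c))
```

The 62-second value can only be seen in the raw directory entry, since a normal clock never produces it; a file that matches only one of the two hints is reported as "suspect" rather than infected.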