"4096" Virus (5-June-1990)

Entry...............: "4096" virus
Alias(es)...........: "100 years" Virus = IDF Virus = Stealth Virus.
Virus Strain........: ---
Virus detected when.: October 1989.
              where.: Haifa, Israel.
Classification......: Program Virus (extending), RAM-resident.
Length of Virus.....: .COM files: length increased by 4096 bytes.
                      .EXE files: length increased by 4096 bytes.

--------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles

--------------------- Attributes --------------------------------------
Easy Identification.: ---
Type of infection...: System: Allocates a memory block at the high end
                      of memory. Finds the original address (inside
                      DOS) of the Int 21h handler. Finds the original
                      address (inside BIOS) of the Int 13h handler,
                      therefore bypasses all active monitors. Inserts
                      a JMP FAR to the virus code inside the original
                      DOS handler.
                      .COM files: program length increased by 4096
                      .EXE files: program length increased by 4096
Infection Trigger...: Programs are infected at load time (using the
                      Load/Execute function of MS-DOS), and whenever a
                      file access is done to a file with the extension
                      .COM or .EXE (Open file AH=3D, Create file AH=3C,
                      File attrib AH=43, File time/date AH=57, etc.)
Interrupts hooked...: INT21h, through a JMP FAR to virus code inside
                      the DOS handler; INT01h, during virus
                      installation & execution of DOS's load/execute
                      function (AH=4B); INT13h, INT24h during
                      infection.
Damage..............: The computer usually hangs up.
Damage Trigger......: A Get DOS Version call when the date is after
                      the 22nd of September and before 1/1 of the
                      next year.
Particularities.....: Infected files have their year set to (year+100)
                      of the un-infected file. If the system is
                      infected, the virus redirects all file accesses
                      so that the virus itself cannot be read from the
                      file. Also, find first/next function returns are
                      tampered so that files with (year>100) are
                      reported 4096 bytes smaller than they are.

--------------------- Agents ------------------------------------------
Countermeasures.....: Cannot be detected while in memory, so no
                      monitor/file change detector can help.
Countermeasures successful:
                      1) A do-it-yourself way: infect the system by
                         running an infected file, ARC/ZIP/LHARC/ZOO
                         all infected .COM and .EXE files, boot from an
                         uninfected floppy, and UNARC/UNZIP/LHARC E
                         etc. all files. Pay special attention to
                         disinfection of COMMAND.COM.
                      2) The JIV AntiVirus Package (by the author of
                         this contribution)
                      3) F. Skulason's F-PROT package.
Standard means......: ---

--------------------- Acknowledgement ---------------------------------
Location............: Weizmann Institute, Israel.
Classification by...: Ori Berger
Documentation by....: Ori Berger
Date................: 26-February-1990
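As an added illustration of the two tell-tale signs in the Particularities field (this script is not part of the catalog entry), the Python below parses two constructed DIR-style listings of the same directory, one taken with the virus resident and one after a clean floppy boot, and flags executables whose reported size differs by exactly 4096 bytes, as well as any .COM/.EXE carrying the year+100 marker; the listing layout and the 50-year "far future" threshold are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample listings (not from the catalog). Columns: name, ext,
# size in bytes, last-write date. The stealth code only hides the 4096-byte
# growth in find first/next results; the year+100 marker stays visible.
INFECTED_VIEW = """\
COMMAND  COM  25307 2088-07-24
EDIT     EXE  31456 2089-02-11
README   TXT   1200 1989-05-01
GAME     COM   8022 1989-03-03
"""
CLEAN_VIEW = """\
COMMAND  COM  29403 2088-07-24
EDIT     EXE  35552 2089-02-11
README   TXT   1200 1989-05-01
GAME     COM   8022 1989-03-03
"""

_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d{4})-(\d{2})-(\d{2})$")
EXECUTABLE_EXTS = {"COM", "EXE"}
VIRUS_LENGTH = 4096      # bytes appended to each infected program
FUTURE_SLACK = 50        # assumed: a date this far ahead is never legitimate


def parse_listing(text: str) -> Dict[str, Tuple[int, int]]:
    """Map 'NAME.EXT' -> (size, year) for each well-formed listing line."""
    files: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            files[f"{m.group(1)}.{m.group(2)}"] = (int(m.group(3)), int(m.group(4)))
    return files


def flag_future_dated_executables(listing: str, scan_year: int) -> List[str]:
    """Marker check: the virus writes (year+100) into every infected file, so
    an executable dated far beyond the scanning year is a candidate."""
    return sorted(
        name for name, (_, year) in parse_listing(listing).items()
        if name.rsplit(".", 1)[1] in EXECUTABLE_EXTS
        and year - scan_year >= FUTURE_SLACK
    )


def compare_views(infected: str, clean: str) -> List[str]:
    """Stealth check: a file that is exactly 4096 bytes larger in the
    clean-boot listing than in the resident-virus listing is infected."""
    a, b = parse_listing(infected), parse_listing(clean)
    return sorted(
        name for name in a.keys() & b.keys()
        if b[name][0] - a[name][0] == VIRUS_LENGTH
    )
```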