"Fumanchu-Virus" (15-Feb-1990)

Entry...............: "Fumanchu-Virus"
Alias(es)...........:
Virus Strain........: Jerusalem-Virus Strain
Virus detected when.:
              where.:
Classification......: Program-virus (extending), RAM-resident
Length of Virus.....: .COM files: program length increases by 2086 bytes
                      .EXE files: program length increases by 2080 - 2095 bytes

--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles

--------------------- Attributes -------------------------------------
Easy Identification.: Typical texts in Virus body (readable with HexDump-facilities):
                      1. "sAXrEMHOr" and "COMMAND.COM" in the data area of the virus, and
                      2. "rEMHOr" as the last 6 bytes if the infected program is a .COM file.
Type of infection...: System: infected if function E1h of INT 21h returns the value
                      0400h in the AX register.
                      .COM files: program length increases by 2086 bytes if the file is
                      infected, and the last 6 bytes are "rEMHOr" (identification);
                      a .COM file will not be infected more than once.
                      .EXE files: program length increases by 2080 - 2095 bytes; if the
                      file is infected, the checksum word in the EXE header is "1988";
                      an .EXE file will not be infected more than once.
Infection Trigger...: Programs are infected when loaded (using the Load/Execute
                      function of MS-DOS).
Interrupts hooked...: INT 08h, INT 09h, INT 16h, INT 21h (INT 24h only while
                      infecting a file).
Damage..............: Transient Damage:
                      1. The message 'The world will hear from me again! ' is
                         displayed on every warm boot.
                      2. The virus watches the keyboard input and appends slanders
                         about politicians to the keyboard buffer.
Damage Trigger......: Every time the system is infected.
                      Damage 1: always
                      Damage 2: from August 1989 onward
Particularities.....: 1. .COM files larger than 63193 bytes are no longer loadable
                         after infection.
                      2. .COM files larger than 63449 bytes are destroyed by
                         overwriting.
                      3. Three functions used by Novell-Netware 4.0 cannot be used.
                      4. The virus code contains a routine that would automatically
                         reboot the system after between 1 and 16 hours. This code
                         is never activated due to a programming mistake.
                      5. All strings are encrypted.

--------------------- Agents -----------------------------------------
Countermeasures.....: Category 3: ANTIFUMN.EXE (VTC Hamburg)
Countermeasures successful: ANTIFUMN.EXE is an antivirus that only looks for the
                      Fumanchu Virus and, if requested, will restore the file.
Standard means......: File length increases if a program is infected.

--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Michael Reinschmiedt
Documentation by....: Michael Reinschmiedt
                      Morton Swimmer
Date................: December 15, 1989
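The file-level identification marks listed under "Easy Identification", "Type of infection" and "Particularities" are enough to write an offline checker for .COM and .EXE images. The following Python is an added example, not the catalog's own code and not a reproduction of ANTIFUMN.EXE: it tests a .COM image for the trailing "rEMHOr" marker, reads the checksum word at offset 12h of an MZ header, looks for the two data-area strings, and reports what the entry says would happen to a clean .COM of a given size. The entry does not say whether "1988" is decimal or hexadecimal; this example assumes decimal (07C4h). The in-memory check (INT 21h function E1h returning 0400h) needs a running DOS and is not covered. The sample images below are constructed for the example and are not real infected files.

```python
"""Offline checker for the Fumanchu file-infection marks from the catalog entry.
Added example; ANTIFUMN.EXE (VTC Hamburg) is not reproduced here."""
import struct

COM_MARK = b"rEMHOr"              # last 6 bytes of an infected .COM (from the entry)
COM_GROWTH = 2086                 # bytes appended to a .COM file (from the entry)
EXE_CHECKSUM_MARK = 1988          # assumption: the entry's "1988" read as decimal 07C4h
COM_UNLOADABLE_ABOVE = 63193      # larger .COM files are not loadable after infection
COM_DESTROYED_ABOVE = 63449       # larger .COM files are overwritten (destroyed)
DATA_AREA_STRINGS = (b"sAXrEMHOr", b"COMMAND.COM")


def is_infected_com(data: bytes) -> bool:
    """A .COM is marked infected by the virus's 6-byte trailer."""
    return len(data) >= len(COM_MARK) and data.endswith(COM_MARK)


def exe_checksum_word(data: bytes):
    """Return the MZ header checksum word (offset 12h), or None if not an MZ image."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    return struct.unpack_from("<H", data, 0x12)[0]


def is_infected_exe(data: bytes) -> bool:
    """An .EXE is marked infected when its header checksum word equals the mark."""
    return exe_checksum_word(data) == EXE_CHECKSUM_MARK


def com_outcome_if_infected(clean_size: int) -> str:
    """What the entry says happens to a clean .COM of this size on infection."""
    if clean_size > COM_DESTROYED_ABOVE:
        return "destroyed"
    if clean_size > COM_UNLOADABLE_ABOVE:
        return "unloadable"
    return "infectable"


def classify(filename: str, data: bytes) -> dict:
    """Scan one file image and return a small report dict."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    report = {"file": filename, "infected": False, "indicators": []}
    if ext == "com":
        if is_infected_com(data):
            report["infected"] = True
            report["indicators"].append("trailing rEMHOr marker")
            report["clean_length"] = len(data) - COM_GROWTH   # length before infection
        else:
            report["outcome_if_infected"] = com_outcome_if_infected(len(data))
    elif ext == "exe":
        if is_infected_exe(data):
            report["infected"] = True
            report["indicators"].append("MZ checksum word == %d" % EXE_CHECKSUM_MARK)
    # Weaker secondary indicator: the plaintext strings the entry lists in the data area.
    for s in DATA_AREA_STRINGS:
        if s in data:
            report["indicators"].append("data-area string %r" % s.decode("ascii"))
    return report


# Constructed sample images (not real infected files): a DOS "mov ah,4Ch / int 21h"
# exit stub plus NOP filler; the "infected" one has 2086 bytes appended, ending in the marker.
EXIT_STUB = b"\xb4\x4c\xcd\x21"
CLEAN_COM = EXIT_STUB + b"\x90" * 60
FAKE_INFECTED_COM = CLEAN_COM + b"\x90" * (COM_GROWTH - len(COM_MARK)) + COM_MARK


def build_mz(checksum: int) -> bytes:
    """Minimal constructed MZ image; every field except the checksum is arbitrary."""
    hdr = bytearray(0x20)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x02, 0x24)       # bytes used in last page
    struct.pack_into("<H", hdr, 0x04, 1)          # pages in file
    struct.pack_into("<H", hdr, 0x08, 2)          # header size in paragraphs (32 bytes)
    struct.pack_into("<H", hdr, 0x12, checksum)   # checksum word tested above
    struct.pack_into("<H", hdr, 0x18, 0x1C)       # relocation table offset
    return bytes(hdr) + EXIT_STUB


if __name__ == "__main__":
    samples = (("CLEAN.COM", CLEAN_COM), ("BAD.COM", FAKE_INFECTED_COM),
               ("CLEAN.EXE", build_mz(0)), ("BAD.EXE", build_mz(EXE_CHECKSUM_MARK)))
    for name, image in samples:
        print(classify(name, image))
```

The trailer and checksum tests are the same "already infected?" checks the virus itself uses to avoid reinfecting a file, which is why they are cheap and reliable as detection marks; the data-area strings are listed separately because a clean program may legitimately contain "COMMAND.COM".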