"512" Virus (5-June-1990) Entry...............: "512" Virus Alias(es)...........: --- Virus Strain........: --- Virus detected when.: January 1990 where.: Bulgaria Classification......: COM overwriting/extending/resident. Length of Virus.....: 512 bytes --------------------- Preconditions ----------------------------------- Operating System(s).: PC/MS-DOS Version/Release.....: Computer model(s)...: IBM PC/XT/AT/PS and compatibles --------------------- Attributes -------------------------------------- Easy Identification.: "666" at offset 509. Type of infection...: Executable file infection: Overwriting/extending; resident; first 512 bytes placed at free space on last cluster of file, and replaced with the virus code. System infection: RAM-Resident, uses disk buffer space for code in order not to take-up memory. Infection Trigger...: Any close file (INT 21, Service 3e) or Execute (INT 21, Service 4b) on a .COM file. Storage media affected: Any Drive Interrupts hooked...: Int 21 DOS-services Int 13 and Int 24 while infecting. Damage..............: --- Damage Trigger......: --- Particularities.....: If virus is in memory, files are read as unin- fected. Directory never shows size increase, even if the virus is not in memory. Under DOS 3.3, software write protections are bypassed. Similarities........: --- --------------------- Agents ------------------------------------------ Countermeasures.....: Monitoring the INT 21 vector. Countermeasures successful: --- Standard means......: A Do-it-yourself way: Infect system by running an infected file, ARC/ZIP/LHARC/ZOO all infected COM and EXE files, boot from uninfected floppy, and UNARC/UNZIP/LHARC E etc. all files. Pay special attention to disinfection of COMMAND.COM. --------------------- Acknowledgement --------------------------------- Location............: Weizmann Institute Of Science, Rehovot, Israel Classification by...: Ori Berger Documentation by....: Yuval Tal (NYYUVAL@WEIZMANN.BITNET), Ori Berger Date................: 6-March-1990 Information Source..: --- .