"Vienna 348 Virus" (28-June-1990)

Entry...............: "Vienna 348" Virus
Alias(es)...........: ---
Virus strain........: Vienna Virus strain
Virus detected when.: ---
              where.: ---
Classification......: Program virus (extending), direct action
Length of virus.....: 348 bytes
--------------------- Preconditions ----------------------------------
Operating system(s).: MS-DOS
Version/release.....: 2.0 and higher
Computer model(s)...: All MS-DOS machines
--------------------- Attributes -------------------------------------
Easy identification.: Bytes found in virus = EAh,06h,00h,00h,C8h;
                      text found: "*.COM",00h,"PATH=".
Type of infection...: Self-Identification: The time stamp of an
                      infected file is changed: the seconds are set
                      to 62 (= 2 * 1Fh).
                      When an infected file is executed, .COM-files
                      in the current directory as well as in the
                      directories in the DOS-PATH are extended by
                      appending the viral code; no infection if the
                      filesize<10 or filesize>64000 bytes.
Infection trigger...: A selected .COM-file is infected by "random"
                      IF (system seconds AND 7) <> 0 ELSE damaged!
Storage media affected: Current media and media accessed via DOS-PATH.
Interrupts hooked...: INT 24h diverted to own error-handler only
                      during virus-runtime to suppress error-messages
                      sent out by DOS.
Damage..............: A selected .COM-file is damaged permanently:
                      Overwriting the first five bytes with a far
                      jump to the HD-low-level-format-routine
                      (XT only).
Damage trigger......: IF (system seconds AND 7) = 0, ELSE infection!
Particularities.....: The virus ignores READ-ONLY and HIDDEN
                      attributes; The PATH-search is corrected!
Similarities........: Dissimilarities to Vienna (648 bytes): Code
                      optimized and length decreased; the five
                      damage-bytes are changed.
--------------------- Agents -----------------------------------------
Countermeasures.....: ---
Countermeasures successful: ---
Standard means......: Do not execute .COM files with time stamp
                      seconds equal to 62; restore them from a
                      backup-disk.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Uwe Ellermann, Daniel Loeffler
Documentation by....: Daniel Loeffler, Uwe Ellermann
Date................: June 28, 1990
Information Source..: ---
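
Added example (not part of the catalog entry): a Python check for the two identification aids listed under "Attributes", the 62-second time stamp on .COM files and the byte/text strings. It assumes raw FAT directory data (32-byte entries, for instance read from a disk image) is available; make_entry and SAMPLE_DIR are hypothetical, constructed test data.

```python
import struct

SIG_BYTES = bytes([0xEA, 0x06, 0x00, 0x00, 0xC8])  # bytes listed in the entry
SIG_TEXT = b"*.COM\x00PATH="                        # text listed in the entry
MARK_SECONDS = 62                                   # self-identification mark (2 * 1Fh)

def dos_seconds(dos_time):
    """Seconds stored in a 16-bit DOS time word: low 5 bits, in 2-second units."""
    return (dos_time & 0x1F) * 2

def marked_com_files(dir_bytes):
    """Names of .COM entries in raw FAT directory data whose seconds field reads 62."""
    hits = []
    for off in range(0, len(dir_bytes) - 31, 32):
        entry = dir_bytes[off:off + 32]
        if entry[0] == 0x00:                         # no further entries
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:     # deleted, volume label or subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (dos_time,) = struct.unpack_from("<H", entry, 22)  # time word at offset 22
        if ext.upper() == "COM" and dos_seconds(dos_time) == MARK_SECONDS:
            hits.append(f"{name}.{ext}")
    return hits

def signature_hits(data):
    """Which of the entry's two identification strings occur in a file image."""
    return [n for n, s in (("bytes", SIG_BYTES), ("text", SIG_TEXT)) if s in data]

def make_entry(name, ext, h, m, s, size, first=None):
    """Build one 32-byte directory entry (hypothetical helper for the sample data)."""
    raw = name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + bytes(10)
    raw += struct.pack("<HHHI", (h << 11) | (m << 5) | (s // 2), 0x14DC, 2, size)
    return (bytes([first]) + raw[1:]) if first is not None else raw

# Constructed sample directory: one clean .COM, one marked .COM, one non-.COM, one deleted.
SAMPLE_DIR = (make_entry("CLEAN", "COM", 12, 30, 10, 4000)
              + make_entry("GAME", "COM", 9, 15, 62, 4348)
              + make_entry("NOTES", "TXT", 9, 15, 62, 120)
              + make_entry("OLD", "COM", 9, 15, 62, 900, first=0xE5)
              + bytes(32))

if __name__ == "__main__":
    print(marked_com_files(SAMPLE_DIR))
```

A time-stamp hit alone only marks a file as a candidate; signature_hits on the file contents confirms whether the listed strings are present.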