Warlock Virus (31-July-1993)

Entry...............: Warlock Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: April 1993
              where.: Kazakhstan
Classification......: File Virus (COM,EXE,OVL;DBF infector), memory resident,
                      partly (messages) encrypted
Length of Virus.....: 1.Length (Byte) on media:
                        1a. EXE files: 1817 (+16) Bytes
                        1b. COM files: 1817 (+16)+4 Bytes
                      2.Length (Byte) in RAM: 3648 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: MS-DOS/PC-DOS
Version/Release.....: MS-DOS/PC-DOS >= 2.0
Computer model(s)...: IBM PCs and Compatibles

--------------------- Attributes ---------------------------------------

Easy Identification.: --- (File[EOF-4] == 0B0Dh (0Dh, 0Bh))
Type of infection...: File infection: infects COM and EXE files by appending
                      its code (adapting to a 16-byte address boundary); for
                      COM files, the virus adds an extra 4 bytes after
                      appending itself. Damages OVL and DBF files (though not
                      infecting them).
                      Self-Identification in file: checks the bytes before
                      EOF: File[EOF-4] == 0B0Dh (0Dh, 0Bh)
                      System infection: upon starting an infected file, the
                      virus makes itself memory resident (using the TWIXT
                      method).
                      Self-Identification in memory: tests an INT 21 register
                      for a given value. An additional check is made by the
                      resident virus: it compares a piece of its code to that
                      of the caller (with a bug).
Infection Trigger...: Infection occurs if the following condition holds:
                      (Exec OR (Open OR Rename OR ChMod) AND
                      FileExt IN [.EXE, .COM, .OVL, .DBF]) AND
                      (FileName != "COMMAND.COM") AND
                      (LengthCOM > 1024) AND (LengthCOM < 62687) AND
                      (LengthEXE <= EXE_Image_Size (i.e. EXE file is not
                      segmented)) AND
                      (EXE_IP != 0eh (all LZEXE-packed files, in particular
                      the AIDSTEST scanner)) AND
                      (EXE_stack < EXE_Image_Size OR
                      EXE_stack > EXE_Image_Size+72h (a bug - should be 720h))
Storage media affected:
Interrupts hooked...: INT 21/4B, 21/3D, 21/43, 21/56, 21/D000, 24, 2A
Damage..............: Permanent Damage:
                      1) First 32 bytes of DBF files are overwritten with
                         the value 0C3H.
                      2) Side Effects: Overlays are damaged, some EXE files
                         won't operate properly - the virus body might be
                         overwritten by the program's stack.
                      Transient Damage: ---
Damage Trigger......: Permanent Damage:
                      1) File[0]==03 (usually the .DBF file signature) and
                         executing or opening or renaming or Get/Set File
                         Attribute of the infected file.
                      2) Executing such OVL or EXE files.
                      Transient Damage: ---
Particularities.....: 1) Virus contains the following encrypted strings (not
                         displayed): "Revenge of WARLOCK!",
                         "STACK STACK STACK STAC", "COMMAND.COM", "EXE",
                         "OVL", "DBF".
                      2) For some MS-DOS versions (prior to 4.0), the virus
                         patches the direct DOS entry. Otherwise, it simply
                         intercepts the INT 21 vector.
Similarities........: Tunnelling is borrowed from Yankee_Doodle.TP.

--------------------- Agents -------------------------------------------

Countermeasures.....: Countermeasures successful:
Standard means......: Delete infected files, replace with clean ones.

--------------------- Acknowledgement ----------------------------------

Location............: Program Systems Institute, Russian Academy of Sciences,
                      Pereslavl-Zalessky, Russia
Classification by...: Dmitry O. Gryaznov
Documentation by....: Dmitry O. Gryaznov
                      Klaus Brunnstein (VTC, Virus Catalog entry)
Date................: 17-July-1993
Information Source..: Reverse analysis of virus code.
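As an added example (not code from the catalog entry or its authors), the two static signatures the entry gives - the self-identification word at File[EOF-4] from the Attributes field and the 32 bytes of 0C3H from the Damage field - turned into a small Python checker; the file names and sample buffers are constructed for illustration, not real virus or data files.

```python
# Added example (not from the VTC entry or its authors): applies the
# catalog's two static signatures to a buffer: COM/EXE self-identification
# (word at File[EOF-4] == 0B0Dh, bytes 0Dh 0Bh) and DBF damage (first 32
# bytes overwritten with 0C3h). Names and sample buffers are constructed.
import struct

WARLOCK_MARKER = 0x0B0D           # word the virus checks at File[EOF-4]
DBF_DAMAGE_PREFIX = b"\xC3" * 32  # header of a DBF file damaged by the virus
DBF_SIGNATURE = 0x03              # File[0]==03 is the usual DBF signature

def has_warlock_marker(data: bytes) -> bool:
    """True if the little-endian 16-bit word at EOF-4 is 0B0Dh."""
    if len(data) < 4:
        return False
    (word,) = struct.unpack_from("<H", data, len(data) - 4)
    return word == WARLOCK_MARKER

def dbf_header_damaged(data: bytes) -> bool:
    """True if the DBF header has been overwritten with 32 bytes of 0C3h."""
    return len(data) >= 32 and data[:32] == DBF_DAMAGE_PREFIX

def classify(name: str, data: bytes) -> str:
    """Return 'infected', 'damaged' or 'clean' for a file by name and content.
    Only the extensions the catalog lists as affected are examined."""
    ext = name.rsplit(".", 1)[-1].upper() if "." in name else ""
    if ext in ("COM", "EXE") and has_warlock_marker(data):
        return "infected"
    if ext == "DBF" and dbf_header_damaged(data):
        return "damaged"
    return "clean"

# Constructed samples: a clean COM, the same COM with 1817 filler bytes plus
# the 4 trailer bytes carrying the marker, a clean and a damaged DBF header.
SAMPLES = {
    "HELLO.COM": b"\x90" * 2000,
    "HELLO_INF.COM": b"\x90" * 2000 + b"V" * 1817 + b"\x0D\x0B\x00\x00",
    "DATA.DBF": bytes([DBF_SIGNATURE]) + b"\x00" * 31 + b"records...",
    "DATA_BAD.DBF": DBF_DAMAGE_PREFIX + b"records...",
}

def scan_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:14s} {verdict}")
```

The marker check is only the catalog's self-identification test and says nothing about the rest of the file; a matching trailer on a legitimate file is possible, so treat a hit as a reason to compare against a known-clean copy rather than as proof on its own.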