                    Ŀ
                            VIRUS REPORT         
                            Palette Virus        
                    

Synonyms: Zero Bug virus, 1536 virus

Date of Origin: September, 1989.

Place of Origin: The Netherlands

Host Machine: PC compatibles.

Host Files: COM files. Memory resident.

Increase in Size of Infected Files: 1536 bytes.

Detected by: Scanv38+, F-Prot.

Removed by: Scan/D, F-Prot, or delete the infected files.

Scan Code: EB 2B 90 5A 45 CD 60 2E C6 06 25 06 01 90 2E 80 3E 26 06 00 8D
3E 08 06 0E 07 75 5E 2E C6 06 26 06 05 90.

     This virus infects .COM files, causing them to grow by 1536 bytes,
but its main mission is to infect the copy of COMMAND.COM that is pointed
to by the environment variable COMSPEC. If COMSPEC does not point to
anything useful, the virus will install itself as a resident extension,
taking over INT 21h.

     From the moment the virus has infected COMMAND.COM or has installed
itself as a TSR, the virus will intercept DOS INT 21h, function calls 11h
(find first file), 12h (find next file), 57 (get/set file date & time),
3Eh (close file), 40h (write to file or device) and 3Ch (create file).

     All COM files that are accessed via function calls 3Ch, 3Eh and 40h
(by DOS itself or from any other program) will be infected by the virus.
This includes actions like COPY and XCOPY. Any COM file you create by
yourself via a compiler, linker, DEBUG or EXE2BIN will also be infected.

     The extra 1536 bytes in infected files will not show up when you
display a directory of your disk. The virus intercepts DOS function
calls Find First, Find Next and Get/Set file date & time. If a COM file
found by these DOS functions has been infected by the virus, the
information in the DTA (Disk Transfer Area) will be changed to show the
actual filesize minus 1536 bytes. DIR and most full-screen file
utilities (Like Norton and PCTOOLS) will be fooled by this trick. This
makes it very hard to detect the virus by simply checking the size of COM
files, because infected files will show up with their ORIGINAL size!

     If (and only if) the currently loaded COMMAND.COM is infected, the
virus will also hook the timer interrupt 1Ch. After a while a smiley face
(ASCII character 01) will move over your screen and "eat" all zeroes it
can find. Hence the name "Zero Bug" for this virus. The virus does not
format disks or erase files.

     The virus seems not to be spread very widely and may be rather new.


ͻ
  This document was adapted from the book "Computer Viruses",       
  which is copyright and distributed by the National Computer       
  Security Association. It contains information compiled from       
  many sources. To the best of our knowledge, all information       
  presented here is accurate.                                       
                                                                    
  Please send any updates or corrections to the NCSA, Suite 309,    
  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  
  and upload the information: (202) 364-1304. Or call us voice at   
  (202) 364-8252. This version was produced May 22, 1990.           
                                                                    
  The NCSA is a non-profit organization dedicated to improving      
  computer security. Membership in the association is just $45 per  
  year. Copies of the book "Computer Viruses", which provides       
  detailed information on over 145 viruses, can be obtained from    
  the NCSA. Member price: $44; non-member price: $55.               
                                                                    
            The document is copyright (c) 1990 NCSA.                
                                                                    
  This document may be distributed in any format, providing         
  this message is not removed or altered.                           
ͼ

Downloaded From P-80 International Information Systems 304-744-2253
