|
NCSA Virus Report #136
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Vienna ?
???????????????????????????????
Synonyms: Austrian, One in Eight, DOS-62, DOS-68, 648, UNESCO virus.
Date of Origin: December, 1987.
Place of Origin: Vienna, Austria.
Host Machine: PC compatibles.
Host Files: COMMAND.COM, COM files.
Increase in Size of Infected Files: 648 bytes.
Nature of Damage: Corrupts program or overlay files.
Detected by: Scanv56+, F-Prot.
Removed by: M-VIENNA, CleanUp, VirClean, F-Prot..
Scan Code: You can search at offset 005H for 8B F2 83 C6 0A 90 BF 00 01
B9.
History: The virus was first detected in Vienna in December, 1987. In
April, 1988, this virus surfaced in Moscow at a children's summer
computer camp run by UNESCO. Someone who didn't know of its prior
existence in Austria gave it the name DOS-62, presumably because its
method of indicating an already infected file is to set the seconds field
of the time entry of the file to 62.<Note: Contributed by Y. Radai.>
Description of Operation: This virus is a memory resident virus. It
infects COM files (including COMMAND.COM) as they are loaded and
executed. The infected files increase in size by approximately 648
bytes. Some infected programs will not run.
The first three bytes of the program are stored in the virus, and
replaced by a branch to the beginning of the virus. The virus looks for,
and infects, one COM file - either in the current directory or in one of
the directories on the PATH.
One in eight files infected does not get a copy of the virus.
Instead the first five bytes of the program are replaced by a far jump to
the BIOS initialization routine. That is, in one out of eight attempted
infections, the system will perform a warm reboot when the infected
program is run.
Removal: To remove the virus, follow the instructions provided for the
Jerusalem virus or run M-VIENNA.
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
