Zero Bug virus

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************



 

===== Computer Virus Catalog 1.2: "Zero Bug" Virus (15-Feb-1990) =====


Entry...............: "Zero Bug"

Alias(es)...........: "ZBug","Palette"

Virus Strain........:

Virus detected when.: October 1989

              where.:

Classification......: Link-Virus (extending), RAM - resident

Length of Virus.....: .COM-Files increased by 1536 bytes

                           in RAM : 1792 bytes + environment


--------------------- Preconditions ----------------------------------


Operating System(s).: MS-DOS

Version/Release.....: 2.xx upward

Computer model(s)...: IBM - PC, XT, AT and compatibles


--------------------- Attributes -------------------------------------


Easy Identification.: Typical text in Virus body (readable with

                           HexDump-utilities): "ZE","COMSPEC=C:",

                           "C:\COMMAND.COM".

                      .COM files: "seconds" field of the timestamp

                           changed to 62 sec (similar to GhostBalls

                           original Vienna viruses).


Type of infection...: System: RAM-resident, infected if string "ZE"

                           is found at offset 0103h (INT 60h).

                      .COM file: extended by using CREATE-function.

                           Adds 1536 bytes to the beginning of the

                           file; a file will not be infected more

                           than once.

                      .EXE File: no infection.


Infection Trigger...: When function 3C00h (CREATE) and 4000h (WRITE)

                           of INT 21h is called (e.g. if you use

                           "COPY *.COM <destination>", then every

                           destination-file will be infected).


Interrupts hooked...: INT 60h,  INT 21h, INT 1Ch


Damage..............: Permanent Damage:

                      1.  Every time a .COM file is created in an

                          infected system with function 3Ch of INT

                          21h, the file will be infected.


                      Transient Damage:

                      1.  If INT 1Ch is hooked, every 14 sec INT 21h

                          will be set to the viruscode (programs which

                          hooked INT 21h will be unhooked and hang).

                      2.  All characters "0" (zero) will be exchanged

                          with other characters. Exchange characters

                          are 01h, 2Ah, 5Fh, 3Ch, 5Eh, 3Eh and 30h,

                          in which case the attribute is set to back-

                          ground color (i.e. the character is invi-

                          sible). This routine uses about 10% of CPU-

                          time (system is slowed down accordingly).

                      3.  Modifies the filelength in the Disk

                          Transfer Area (DTA): files doesnot appear

                          as infected. The length of the files with

                          seconds field of timestamp set to 62 sec

                          will be modified in DTA accordingly:

                          filelength := filelength - viruslength.


Damage Trigger......: Only if "C:\COMMAND.COM" is infected, INT 1Ch is

                          hooked  and damage is done.

                      After 240 reboots of system, the first damage

                          occurs. The next damage occurs after every

                          fifth reboot.


Particularities.....: In case of MS-DOS error in 2.xx, system can hang

                          by infection of "C:\COMMAND.COM".

                      Programs longer than 63728 bytes are not

                          executed correctly after infection.


--------------------- Agents -----------------------------------------


Countermeasures.....: Category 3: ANTI_ZBG.EXE (VTC Hamburg)


- ditto - successful: ANTI_ZBG.EXE finds and restores infected

                      programs.


        unsuccessful: Programs which check only the filelength of

                      infected files in an infected system may fail.


Standard means......: Notice .COM file length.


--------------------- Acknowledgement --------------------------------


Location............: Virus Test Center, University Hamburg, FRG

Classification by...: Stefan Tode

Documentation by....: Stefan Tode

Date................: January 20, 1990


===================== End of "Zero Bug"-Virus ========================

 


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Comments

Post a Comment

Popular posts from this blog

BOTTOM LIVE script

                                  BOTTOM                                   ======                     by Adrian Edmondson and Rik Mayall                                 Bottom Live                                 ===========                               Richie  Rik Mayall                                Eddie  Adrian Edmondson Introduction ------------ [Opening shot of theatre, with huge pictures of Richie and Eddie. Caption: "Live from the Mayflower Theatre, Southampton".] Vox Pop 1:  So I'm hoping that this is a lot ruder than the TV, because             they can get away with it. [Cut to Ade's dressing-room door. It opens to reveal a clothes rail, its only contents a brown jacket.] Vox Pop 2:  I just think they're ace, you know, absolutely excellent. [Cut to dressing-gown, pan across a pair of glasses and a revolver.] Vox Pop 3:  It couldn't be too rude, I mean that's what young people want. [Rik's dressing-room door.]
Read more

Fawlty Towers script for "A Touch of Class"

Fawlty Towers A Touch of Class Written by John Cleese and Connie Booth First of first series, first broadcast on September 19, 1975 on BBC2 Transcribed by Jason R. Heimbaugh (jrh@uiuc.edu) on October 10, 1993 Basil Fawlty  John Cleese Sybil Fawlty  Prunella Scales Manuel        Andrew Sachs Polly         Connie Booth Major Gowen   Ballard Berkeley Miss Tibbs    Gilly Flower Miss Gatsby   Renee Roberts Lord Melbury  Michael Gwynn Danny Brown   Robin Ellis Sir Richard   Morris Martin Wyldeck Mr Watson     Lionel Wheeler Mr Wareing    Terence Conoley Mr Mackenzie  David Simeon               [The Fawlty Towers reception lobby. The main entrance is at the               back, with the stairs to the right. The entrance to the dining               room is in the right wall; on the left, the reception desk               running along the left wall, with the entrance to the office               behind it. The entrance to the bar is beyond the desk.] Basil         [on th
Read more