"8-Tunes" Virus

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************


 

===== Computer Virus Catalog 1.2: "8-TUNES" Virus (11-JUN-1990) =====


Entry...............: "8-Tunes" Virus

Alias(es)...........: "1971" Virus

Virus Strain........: ---

Virus detected when.: ---

              where.: ---

Classification......: Link-virus (extending), RAM-resident

Length of Virus.....: .COM files: program length increases by

                          1971-1986 bytes: (length -3) mod 16 = 0.

                      .EXE files: program length increases by

                          1971-1986 bytes: (length -3) mod 16 = 0.


------------------- Preconditions -----------------------------------

Operating System(s).: MS-DOS

Version/Release.....: 2.xx upward

Computer model(s)...: IBM-PC, XT, AT and compatibles


------------------- Attributes --------------------------------------

Easy Identification.: Typical texts in Virus body (readable

                         with HexDump-facilities): "COMMAND.COM" in the

                         data area of the virus; increased filelength

                         if the file is infected.


Type of infection...: System: infected if function E00Fh of INT 21h

                         returns the value 4C31h in the AX-register.

                      .COM files: program length increases by

                         1971-1986 bytes; if infected, the bytes

                         007h, 01fh, 05fh, 05eh, 05ah, 059h, 05bh,

                         058h, 02eh, 0ffh, 02eh, 00bh, 000h are found

                         62 bytes before end of file; a .COM file

                         will only be infected once; .COM files will

                         not be infected if filelength<8177 or

                         filelength>63296; virus will be linked to

                         the end of the program.


                      .EXE files: program length increases by

                         1971-1987 bytes.  If it is infected the bytes

                         007h, 01fh, 05fh, 05eh, 05ah, 059h, 05bh,

                         058h, 02eh, 0ffh, 02eh, 00bh, 000h are found

                         62 bytes before end of file; an .EXE file

                         will only be infected once; .EXE files will

                         not be infected if filelength<8177; virus

                         will be linked to the end of the program.


Infection Trigger...: Programs are infected during load procedure

                         (Load/Execute-function of MS-DOS).


Interrupts hooked...: INT 21h, INT 08h (only if triggered),

                      INT 24h (only while infecting a file)


Damage..............: Transient Damage:

                      After 30 minutes, the virus will play one of

                      eight melodies (random selection). After a short

                      time, the virus will play a melody again.


Damage Trigger......: Damage occurs 90 days after the file infection.


Particularities.....: 1. COMMAND.COM will not be infected.

                      2. Normally, the virus will stay resident at the

                            end of the available memory; only if the

                            memory is fragmented by special software,

                            the virus may become resident (via DOS

                            function 31h).

                      3. One function (0E00Fh) used by Novell NetWare

                            4.0 can't be accessed anymore.

                      4. The damage occurs immediately when processing

                            a file with creation date before 1984.

                      5. During a file infection, the virus looks for

                            "BOMBSQAD.COM", an antivirus tool controlling

                            accesses to disks; if found, the

                            virus will deactivate it (tested with

                            BOMBSQAD V. 1.2).

                      6. During a file infection, the virus looks for

                            "FSP.COM" (Flushot+), an antivirus tool

                            controlling accesses to disks, files etc.

                            If found, the virus will stop file

                            infection (tested with FLUSHOT V. 1.4).


-------------------- Acknowledgement ---------------------------------


Location............: Virus Test Center, University Hamburg, FRG

Classification by...: Thomas Lippke, Michael Reinschmiedt

Documentation by....: Michael Reinschmiedt, Thomas Lippke

Date................: 11-JUN-1990



==================== End of "8-TUNES"-Virus ==========================



  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
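
A scanner check built from the identification data in the entry above, added here as an example; it is not part of the Virus Test Center report. It assumes "62 bytes before end of file" means the byte string starts at offset length-62 and that "(length -3) mod 16 = 0" applies to the infected file's length; the function, field and sample names are illustrative.

```python
import sys
from typing import NamedTuple

# Byte string the catalog entry lists for infected .COM and .EXE files.
SIGNATURE = bytes([0x07, 0x1F, 0x5F, 0x5E, 0x5A, 0x59, 0x5B, 0x58,
                   0x2E, 0xFF, 0x2E, 0x0B, 0x00])
SIG_DISTANCE = 62                      # assumed: signature starts at len - 62
MIN_GROWTH, MAX_GROWTH = 1971, 1986    # growth range given in the entry
MIN_HOST, MAX_COM_HOST = 8177, 63296   # hosts outside these sizes are skipped

class Finding(NamedTuple):
    kind: str             # "EXE" if the file has an MZ header, else "COM"
    signature: bool       # signature found 62 bytes before end of file
    size_plausible: bool  # length reachable from an eligible host file
    aligned: bool         # assumed: (infected length - 3) mod 16 == 0
    verdict: str

def check_8tunes(data: bytes) -> Finding:
    n = len(data)
    kind = "EXE" if data[:2] in (b"MZ", b"ZM") else "COM"
    start = n - SIG_DISTANCE
    signature = start >= 0 and data[start:start + len(SIGNATURE)] == SIGNATURE
    low = MIN_HOST + MIN_GROWTH
    high = MAX_COM_HOST + MAX_GROWTH if kind == "COM" else None  # no .EXE cap
    size_plausible = n >= low and (high is None or n <= high)
    aligned = (n - 3) % 16 == 0
    if signature and size_plausible and aligned:
        verdict = "likely infected"
    elif signature:
        verdict = "signature only, inspect manually"
    else:
        verdict = "no signature"
    return Finding(kind, signature, size_plausible, aligned, verdict)

def constructed_sample(host_len: int = 9000, growth: int = 1979) -> bytes:
    """Constructed test data: zero bytes plus the signature, no virus code."""
    tail = bytearray(growth)
    pos = growth - SIG_DISTANCE
    tail[pos:pos + len(SIGNATURE)] = SIGNATURE
    return bytes(host_len) + bytes(tail)

if __name__ == "__main__":
    for path in sys.argv[1:]:          # scan files named on the command line
        with open(path, "rb") as fh:
            print(path, check_8tunes(fh.read()))
    if len(sys.argv) == 1:
        print(check_8tunes(constructed_sample()))
```

A signature hit that fails the size or alignment test is reported separately, since the byte string alone could also appear in unrelated data.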


