Kaspersky Threats

Class

Platform

Description

Technical Details

These are dangerous memory-resident encrypted parasitic stealth
viruses. They infect, in a standard way, COM, EXE and OVL files whenever they
are started or closed.

This virus hooks and handles 16 functions of the 21h interrupt. This virus
creates the file “C:FISH-#9.TBL,” into which it writes the hard-disk MBR and the following phrase:



“FISH VIRUS #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish

Eggs for they are damaging. The sixth Fish mutates only if Whale is in her

Cave”.

From February 19th until March 10th, the virus hangs up the system, and displays
the following string:



“THE WHALE IN SEARCH OF THE 8 FISH I AM ‘~knzyvo}’ IN HAMBURG”.

It is very difficult to analyze this virus, because all 9Kb of its code are
full of program traps hampering a trace, disassembling and analysis the
virus. If the virus listing is to be printed, you should check a dozen
special programming methods (dynamic de/enciphering, dummies, use of
conveyor, code cipher nesting and so on). As a file is infected, the encrypted
virus body is written to it so as a decipher should check 30 variants. That
is, you have to use 30 masks to find the virus in the file.

The virus also contains the strings: “THE WHALE”, “5HS5IF”, “5IF5HS”. It
hooks INT 9, 21h.

Class	Virus
Platform	DOS
Description	Technical Details These are dangerous memory-resident encrypted parasitic stealth viruses. They infect, in a standard way, COM, EXE and OVL files whenever they are started or closed. This virus hooks and handles 16 functions of the 21h interrupt. This virus creates the file “C:FISH-#9.TBL,” into which it writes the hard-disk MBR and the following phrase: “FISH VIRUS #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if Whale is in her Cave”. From February 19th until March 10th, the virus hangs up the system, and displays the following string: “THE WHALE IN SEARCH OF THE 8 FISH I AM ‘~knzyvo}’ IN HAMBURG”. It is very difficult to analyze this virus, because all 9Kb of its code are full of program traps hampering a trace, disassembling and analysis the virus. If the virus listing is to be printed, you should check a dozen special programming methods (dynamic de/enciphering, dummies, use of conveyor, code cipher nesting and so on). As a file is infected, the encrypted virus body is written to it so as a decipher should check 30 variants. That is, you have to use 30 masks to find the virus in the file. The virus also contains the strings: “THE WHALE”, “5HS5IF”, “5IF5HS”. It hooks INT 9, 21h.

Virus.DOS.Whale

Technical Details