Worm.DOS.Info

Class Worm
Platform DOS
Description

Technical Details


These are non-dangerous, memory-resident, encrypted stealth virus-worms.
When executed, they display the following messages:

“Worm.Info.2142”:


-*- INFOSYSTEM -*-
version 1.04
(C) 1995 by Ziff Co.
Reading System Information…
Computer type: IBM PC

“Worm.Info.2191”:


InfoSystem version1.01
Reading System Information…
Computer type: IBM PC

“Worm.Info.2259”:


Reading System Information…
Computer type: IBM PC

They then check the type of computer and display one of the following strings:


Original
XT
AT
Convertible
PS/2
Junior
Unknown

Then the virus displays the messages:


Checking HDD controller…
SCSI controller type: Unknown (Error14)

It then calls the infection routine. While infecting the computer, the virus
searches for the directories listed in the PATH string, creates INFO.COM
files there, and writes its code into them. The virus then searches for
.BAT files in these directories and writes the following commands:


@if not exist info.com goto noinfo
@info>nul
:noinfo

to the beginning of each batch file. When such a BAT file is executed, it
runs the virus.

The virus then installs itself memory-resident in UMB, HMA or conventional
memory, hooks INT 1Ch and INT 21h, and drops its code into the current
directory on FindFirst (AH=11h, 4Eh) calls. When modified BAT files are
accessed, and on FindFirst/Next calls, the virus invokes its stealth
routine. The virus also checks the names of programs being executed, and
if the name is CHKDSK, WEB or DRWEB, it disables its stealth routines.
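
A check for the two on-disk traces described above (a dropped INFO.COM and the three-line stub at the top of .BAT files), as an added example that is not part of the original description. It assumes the directories are scanned from a mounted disk image or a clean boot, since the resident stealth routine hides the changes on a running infected system; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# The three lines the description says are prepended to .BAT files.
STUB = ["@if not exist info.com goto noinfo", "@info>nul", ":noinfo"]

def _norm(line):
    # DOS batch text: CRLF endings, case-insensitive, variable spacing.
    return " ".join(line.decode("latin-1").lower().split())

def has_stub(data):
    """True if the content starts with the three-line stub."""
    return [_norm(l) for l in data.splitlines()[:len(STUB)]] == STUB

def strip_stub(data):
    """Return the content without the stub (unchanged if it is absent)."""
    if not has_stub(data):
        return data
    return b"".join(data.splitlines(keepends=True)[len(STUB):])

def scan(dirs):
    """Report INFO.COM files and stub-prefixed .BAT files in each directory."""
    findings = []
    for d in dirs:
        try:
            names = sorted(os.listdir(d))
        except OSError:
            continue  # PATH often lists directories that no longer exist
        for name in names:
            path = os.path.join(d, name)
            if name.lower() == "info.com":
                # A name match only: confirm with a scanner before deleting.
                findings.append(("info.com", path))
            elif name.lower().endswith(".bat") and os.path.isfile(path):
                with open(path, "rb") as f:
                    if has_stub(f.read(512)):
                        findings.append(("patched-bat", path))
    return findings

def demo():
    """Constructed sample: one patched and one clean batch file."""
    d = tempfile.mkdtemp()
    clean = b"@echo off\r\nprompt $p$g\r\n"
    patched = "\r\n".join(STUB).encode() + b"\r\n" + clean
    for name, body in (("AUTOEXEC.BAT", patched), ("CLEAN.BAT", clean),
                       ("INFO.COM", b"placeholder, not virus code")):
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d, scan([d]), strip_stub(patched) == clean

if __name__ == "__main__":
    print(demo()[1:])
```

Pass `scan()` the directories from the image's PATH setting plus any directory that was browsed while the virus was resident, because the description says it also drops its code on FindFirst calls.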

Through its INT 1Ch hook the virus checks the INT 1 vector (tracing) and
disables tracing of the virus code.

On Friday the 13th the virus changes the VGA video ports.

The virus also contains the internal text strings:


COMMAND NET?.CHKDSK.WEB.DRWEB.INFO.COM ATH=*.BAT
