VIRUS REPORT
Vacsina

Date of Origin: August, 1989.
Place of Origin: Sophia, Bulgaria.
Host Machine: PC compatibles.
Host Files: Remains resident. Infects COM, EXE, SYS, and BIN files.
On-Screen Symptoms: An infected file may beep when executed.
Increase in Size of Infected Files: 1206 bytes.
Nature of Damage: Affects system run-time operation. Corrupts program or overlay files.
Detected by: Scanv56+, F-Prot.
Removed by: CleanUp, Scan/D/A, F-Prot, or delete infected files.

Synonym: TP04VIR virus.

Developed in Sophia, Bulgaria, and possibly first reported by Chris Fischer in Germany in August, 1989.

Vacsina takes over interrupt 21h and attaches itself to COM and EXE files. Vacsina works on PC/MS-DOS ver. 2.0 or higher. It infects COM files, increasing them by 1206 to 1221 bytes (the virus code is placed on a paragraph start). It infects EXE files in two passes: after the first pass the EXE file is 132 bytes longer; after the second pass its size increases by an additional 1206 to 1221 bytes.

The virus installs a TSR in memory, using 8208 bytes, which infects executable files as they are loaded (INT 21h subfunction 4B00h). The only "function" found so far is an audible alarm or beep (BELL character) whenever another file is successfully infected. This suggests that this virus is a "draft", and more is to come.

Vacsina infects COM files that are bigger than 04B6h bytes and smaller than F593h bytes and start with a JMP (E9h). Vacsina infects EXE files if they are smaller than FDB3h bytes (no lower limit).

The virus is named "Vacsina" because it opens a file named VACSINA. It doesn't check the return status of the open call, and never touches the file until the end of the virus code, where it closes the file (again ignoring the return code).
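Added example (not part of the NCSA report): a Python triage helper built only from the indicators this report gives, namely the VACSINA string, the 1206 to 1221 byte body, the 132-byte first EXE pass and the COM/EXE size limits. Recognising EXE files by the "MZ" header, the function names and the sample bytes are assumptions of this example; the samples are constructed filler and contain no virus code.

```python
"""Triage DOS executables against the indicators in the Vacsina report."""
from typing import List, Optional

SIGNATURE = b"VACSINA"             # all-capitals name the report says to search for
COM_MIN, COM_MAX = 0x04B6, 0xF593  # COM size window from the report (exclusive)
EXE_MAX = 0xFDB3                   # EXE size ceiling from the report (no lower limit)
BODY_GROWTH = range(1206, 1222)    # 1206..1221 bytes added by the virus body
EXE_FIRST_PASS = 132               # EXE growth after the first of the two passes


def is_exe(image: bytes) -> bool:
    # Assumption: an EXE is recognised by its DOS "MZ" header, not by extension.
    return image[:2] == b"MZ"


def fits_target_profile(image: bytes) -> bool:
    """True if a clean file has the size and first byte the report says get infected."""
    if is_exe(image):
        return len(image) < EXE_MAX
    return image[:1] == b"\xE9" and COM_MIN < len(image) < COM_MAX


def growth_finding(baseline: int, current: int, exe: bool) -> Optional[str]:
    """Compare a known-good size with the current size using the report's figures."""
    delta = current - baseline
    if exe and delta == EXE_FIRST_PASS:
        return "exe-first-pass-growth"
    if exe and (delta - EXE_FIRST_PASS) in BODY_GROWTH:
        return "exe-full-growth"
    if not exe and delta in BODY_GROWTH:
        return "com-growth"
    return None


def triage(image: bytes, baseline_size: Optional[int] = None) -> List[str]:
    """Return the indicators that match: string hit and, given a baseline, size growth."""
    findings = ["signature"] if SIGNATURE in image else []
    if baseline_size is not None:
        growth = growth_finding(baseline_size, len(image), is_exe(image))
        if growth:
            findings.append(growth)
    return findings


# Constructed sample data: filler bytes only, no virus code.
CLEAN_COM = b"\xE9\x10\x00" + b"\x90" * 2000
SUSPECT_COM = CLEAN_COM + SIGNATURE + b"\x00" * (1210 - len(SIGNATURE))
```

A signature hit alone also fires on any file that merely contains the name, such as a copy of this report, so pair it with the size comparison against a known-good baseline.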
It is believed that Vacsina is a prematurely-escaped virus (or code built to detect viruses), and that the virus programmer will add some code in a later version of the virus. To detect the original virus, search for the word VACSINA (all capitals).

This document was adapted from the book "Computer Viruses", which is copyright and distributed by the National Computer Security Association. It contains information compiled from many sources. To the best of our knowledge, all information presented here is accurate.

Please send any updates or corrections to the NCSA, Suite 309, 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS and upload the information: (202) 364-1304. Or call us voice at (202) 364-8252. This version was produced May 22, 1990.

The NCSA is a non-profit organization dedicated to improving computer security. Membership in the association is just $45 per year. Copies of the book "Computer Viruses", which provides detailed information on over 145 viruses, can be obtained from the NCSA. Member price: $44; non-member price: $55.

The document is copyright (c) 1990 NCSA.

This document may be distributed in any format, providing this message is not removed or altered.

Downloaded From P-80 International Information Systems 304-744-2253