April1st (SURIV) Family

Details

April1st (SURIV) Family

April1st.COM family

These are dangerous memory-resident parasitic viruses. On installation into system memory they use part of the “Jerusalem” virus scheme. The viruses hook INT 21h and write themselves to the beginning of .COM files when such files are executed. They do not infect COMMAND.COM. They do not check the file length, so some files are corrupted instead of infected.

On infection they:
- create a temporary TMP$$TMP.COM file;
- write themselves into that file;
- write the host file body to that file;
- delete the host file;
- rename TMP$$TMP.COM back to the original name.

The viruses manifest themselves by video effects. On April 1st “April1st.COM.a,b” displays the message “APRIL 1ST HA HA HA YOU HAVE A VIRUS” and halts the system. On the following days the viruses report: “YOU HAVE A VIRUS !!”. On July 5th “April1st.COM.b2” displays: “ENGLISH SUCKERS DIE IN BUENOS AIRES!”.

They contain the internal texts “COMMAND.COM”, “TMP$$TMP.COM” and:
“April1st.COM.a”: sURIV 1.01
“April1st.COM.b”: Suriv 4.02
“April1st.COM.b2”: cOcK!sUcKrI MADE IN ARGENTINA91

April1st.EXE

This is a dangerous memory-resident file virus that infects .EXE files on their execution. It is dangerous because it handles the file length incorrectly. On infection the virus inserts itself into the middle of the file, between the EXE header and the executable module.

While infecting, the virus:
- creates the TMP$$TMP.EXE file;
- reads the first 1Bh bytes of the header from the file being infected and modifies the bytes that correspond to the module length, the start values of CS, IP, SS, SP and the file checksum (the value 1984h is set); then writes the modified header into TMP$$TMP.EXE;
- copies the relocation table from the infected file into TMP$$TMP.EXE, modifying it by the method described below;
- appends to TMP$$TMP.EXE both a copy of the virus and the executable module of the infected file;
- deletes the infected file;
- gives the name of the infected file to TMP$$TMP.EXE.

    Uninfected file                Infected file
    +------------+                 +------------+
    | EXE header | --------------> | EXE header |
    +------------+                 +------------+
    | Executable | --+             | Virus      |
    | module     |   |             |            |
    |            |   |             +------------+
    +------------+   +-----------> | Executable |
                                   | module     |
                                   +------------+

Because the executable module of an infected file is shifted by a number of bytes equal to the virus length, the virus has to modify the relocation table accordingly: in every element of the relocation table, the bytes corresponding to the segment part are increased by an amount equal to the virus length in paragraphs.

On creating its memory-resident copy the virus uses part of the “Jerusalem” virus scheme. Since April 1, 1988 the virus decrypts (XOR FFh) and displays the text “APRIL 1ST HA HA HA YOU HAVE A VIRUS”, then hangs the system. On the following days the text does not appear, but approximately 55 minutes after the system is started it hangs. The virus hooks INT 21h and, depending on the current date, may also hook INT 1Ch. The virus contains the strings “sURIV” and “TMP$$TMP.EXE”.

AntiD

A member of the “April1st.COM” family. This virus hooks INT 9 and after the 32nd press of the ‘D’ key that key is ‘muted’: its code is no longer inserted into the keyboard buffer.
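Added example (not part of the original description): a small Python heuristic that parses the standard MZ header, decodes the relocation table, and reports the April1st.EXE markers named above, namely the 1984h checksum and the “sURIV” / “TMP$$TMP.EXE” strings. The sample images it scans are constructed here and are not virus code.

```python
import struct

MZ_HEADER = struct.Struct("<2s" + "H" * 13)    # e_magic .. e_ovno, 1Ch bytes
SURIV_CHECKSUM = 0x1984                        # checksum value the description says the virus sets
SURIV_STRINGS = (b"sURIV", b"Suriv", b"TMP$$TMP.COM", b"TMP$$TMP.EXE")

def parse_mz_header(data):
    """Return the MZ header fields as a dict, or None if this is not an MZ image."""
    if len(data) < MZ_HEADER.size:
        return None
    names = ("magic", "cblp", "cp", "crlc", "cparhdr", "minalloc", "maxalloc",
             "ss", "sp", "csum", "ip", "cs", "lfarlc", "ovno")
    hdr = dict(zip(names, MZ_HEADER.unpack_from(data)))
    return hdr if hdr["magic"] in (b"MZ", b"ZM") else None

def relocation_table(data, hdr):
    """Decode the relocation entries as (offset, segment) pairs."""
    entries = []
    pos = hdr["lfarlc"]
    for _ in range(hdr["crlc"]):
        off, seg = struct.unpack_from("<HH", data, pos)
        entries.append((off, seg))
        pos += 4
    return entries

def scan_exe(data):
    """Report the April1st.EXE indicators given in the description."""
    hdr = parse_mz_header(data)
    if hdr is None:
        return {"mz": False, "checksum_1984": False, "strings": [], "relocs": []}
    return {
        "mz": True,
        "checksum_1984": hdr["csum"] == SURIV_CHECKSUM,
        "strings": [s.decode() for s in SURIV_STRINGS if s in data],
        "relocs": relocation_table(data, hdr),
    }

def build_sample(csum, body):
    """Constructed MZ image: 1Ch header, one relocation entry at 1Ch, then a body."""
    relocs = struct.pack("<HH", 0x0010, 0x0001)
    hdr = MZ_HEADER.pack(b"MZ", 0, 1, 1, 2, 0, 0xFFFF, 0, 0x100, csum, 0, 0, 0x1C, 0)
    return hdr + relocs + body

CLEAN = build_sample(0, b"hello world")                         # constructed clean image
SUSPECT = build_sample(SURIV_CHECKSUM, b"..sURIV..TMP$$TMP.EXE..")  # constructed suspect image

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan_exe(img))
```

A real scanner would treat the checksum alone as weak evidence; the description gives it only as one of several markers alongside the strings.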
