| Alias: | Variable, Chameleon, Camouflage, Stealth, V2P1 |
| Strain: | distantly related to Vienna strain |
| detected when: | |
| where: | |
| Classification: | Program Virus with direct action, COM infector |
| Length: | 1260 Bytes |
Preconditions |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx and upwards |
| Computer model(s): | IBM PCs and compatibles |
| Caroname: | V2Px.V2P1 |
Attributes |
| Easy identification: | The seconds field of the timestamp of any infected program will be 62 seconds. |
| Type of Infection: | Program virus with direct action. It infects only files with the COM extension. It replaces the first 3 bytes with a jump to the virus. |
| Infection Technique: | |
| Infection Trigger: | Execution of an infected file |
| Storage Media affected: | The virus will infect any COM file in the current directory. |
| Interrupts hooked: | INT 1 and INT 3 while virus is executing |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | transient: --- permanent: --- |
| Damage Trigger: | |
| Particularities: | The actual virus code is encrypted once over the whole code, and various single bytes are also encrypted throughout the virus. These bytes are decrypted prior to execution, using its INT 3 (break point) routine to decrypt, and its INT 1 (trace) routine to encrypt. The encryption routine used to decrypt the entire virus is obscured by the addition of irrelevant instructions and by scrambling the order of the instructions from infection to infection. As a consequence of this stealth technique, it is not possible to extract any scan string from this virus at all. |
| Similarities: | The virus is similar to Vienna virus, but highly modified, to contain the encryption methods described above. |
Agents |
| Countermeasures: | |
| Standard means: | |
Acknowledgements |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Morton Swimmer |
| Documentation by: | Morton Swimmer |
| Date: | 12-February-1991 |
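
Since no scan string exists, the "Easy identification" attribute above is the practical check. The following is an added example, not part of the original catalogue entry: it walks raw FAT12/16 directory entries (for instance, read from a disk image) and lists COM files whose 5-bit seconds field is 31, which DOS reports as 62 seconds. The function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32        # one FAT12/16 directory entry
ATTR_VOLUME = 0x08     # volume label (also set in long-name entries)
ATTR_DIRECTORY = 0x10
MARKER_FIELD = 31      # field stores seconds/2, so 31 reads as "62 seconds"

def dos_seconds(time_word):
    """Decode the seconds value from a 16-bit DOS time word."""
    return (time_word & 0x1F) * 2

def suspicious_com_entries(directory):
    """Return (filename, seconds, size) for COM files stamped with 62 seconds."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # no further entries in this directory
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        if entry[11] & (ATTR_VOLUME | ATTR_DIRECTORY):
            continue                  # not a regular file
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        # offsets 22..31: time, date, start cluster, file size (little endian)
        time_word, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        if ext == "COM" and (time_word & 0x1F) == MARKER_FIELD:
            hits.append((f"{name}.{ext}", dos_seconds(time_word), size))
    return hits

def make_entry(name, ext, hour, minute, sec_field, size, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    time_word = (hour << 11) | (minute << 5) | sec_field
    date_word = ((1991 - 1980) << 9) | (2 << 5) | 12
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_word, date_word, 2, size))

# Constructed sample directory: one normal COM file, one COM file carrying
# the 62-second marker, one non-COM file with the same marker, end marker.
SAMPLE_DIR = (make_entry("CLEAN", "COM", 9, 15, 15, 4000)
              + make_entry("GAME", "COM", 9, 16, 31, 5260)
              + make_entry("NOTES", "TXT", 9, 17, 31, 300)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for filename, seconds, size in suspicious_com_entries(SAMPLE_DIR):
        print(f"{filename}: seconds={seconds}, size={size} bytes")
```

A hit is only a candidate: the marker describes the directory entry, not the file content, so flagged files still need inspection.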