Autumn (Leaves) Virus   
Written by yangying   
February 21, 2008 13:16

Autumn (Leaves) Virus
Alias: Blackjack, 1704, Herbst(laub), Cascade A-Virus
Strain: Cascade- = Autumn- =Herbst-Virus
Detected when: September 1988
Where: University of Konstanz, FRG
Classification: Program Virus (extending .COM), RAM resident
Length: .COM file length increases by 1704 bytes


Preconditions
Operating System(s): MS-DOS
Version/Release: 2.xx upward
Computer model(s): IBM-PC, XT, AT and compatibles
CARO name: Cascade.1704.A


Attributes 
Easy identification: ---
Type of Infection:
 System: infected if a call to interrupt 21h with function 4Bh and subfunction FFh completes without error and returns 55AAh in the DI register.
 .COM file: program virus; increases .COM files by 1704 bytes. A .COM file is infected if its first instruction is a three-byte jump with DISP16 = (file length minus virus length).
 .EXE file: no infection.
 
Infection Technique: 
Infection Trigger: Infects all files that are loaded via the function 4Bh and subfunction 00h of the interrupt 21h (MS-DOS uses this function to start any program)
Storage Media affected: 
Interrupts hooked: Int21h, Int28h (only if Clockdevice Year = 1980), Int1Ch (only if damage is triggered)
Stealth: 
Tunneling/Selfprot: 
Oligo/Polymorphism: 
Encoding Method: 
Damage: Transient damage: modifies the screen by making the displayed characters "fall down", accompanied by clicking noises.
Damage Trigger: IF function GetDate returns with
 1. ( year=1988 AND month>=10 ) OR
 2. ( year=1980 AND
  2.1. clock is changed by user to year=1988 month>=10 OR
  2.2. clock is changed by user to year>1988 )
 AND a random number generator activates damage.
Particularities:
 1. If the system is _not_ infected, invoking an infected program produces errors (a system crash is possible).
 2. COM files up to a length of 63800 bytes will be infected, but files with a length of more than 63576 bytes are not loadable after infection.
 3. The virus program is encoded, dependent on the .COM file length.
 4. The distinction between .EXE and .COM files is made by testing the "magic number" (MZ) in the .EXE header.
Similarities: 
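
The file-level infection test and size limits listed above, written as a scanner-side heuristic. This is an added example, not code from the original entry or from ANTIHBST.EXE; the names classify_com and make_sample and the result labels are assumptions, and the sample inputs are constructed zero-filled buffers. 0xE9 is the x86 opcode for the three-byte near jump.

```python
import struct

VIRUS_LEN = 1704           # growth of an infected .COM file, per the entry
MAX_INFECTED_ORIG = 63800  # largest original .COM length that gets infected
MAX_LOADABLE_ORIG = 63576  # longer originals no longer load after infection
JMP_NEAR = 0xE9            # x86 near jump: opcode + 16-bit displacement

def classify_com(data: bytes) -> str:
    """Apply the entry's file-level infection test to a file's bytes."""
    if data[:2] == b"MZ":
        return "exe-header"        # .EXE files are not infected
    size = len(data)
    if size <= VIRUS_LEN or data[0] != JMP_NEAR:
        return "no-marker"
    (disp16,) = struct.unpack_from("<H", data, 1)   # little-endian DISP16
    orig_len = size - VIRUS_LEN
    if disp16 != orig_len or orig_len > MAX_INFECTED_ORIG:
        return "no-marker"
    if orig_len > MAX_LOADABLE_ORIG:
        return "marker-match-unloadable"  # infected but too long to load
    return "marker-match"          # heuristic hit; confirm with a full scanner

def make_sample(orig_len: int, marked: bool) -> bytes:
    """Constructed input: zero-filled buffer with or without the jump marker."""
    if marked:
        head = bytes([JMP_NEAR]) + struct.pack("<H", orig_len)
    else:
        head = b"\x90\x90\x90"
    return head + bytes(orig_len + VIRUS_LEN - 3)

if __name__ == "__main__":
    for label, buf in [
        ("marked, 1000-byte original", make_sample(1000, True)),
        ("unmarked, 1000-byte original", make_sample(1000, False)),
        ("marked, 63600-byte original", make_sample(63600, True)),
        ("MZ header", b"MZ" + bytes(3000)),
    ]:
        print(f"{label}: {classify_com(buf)}")
```

A match only means the first three bytes fit the marker described in the entry; an uninfected program can start with the same jump by coincidence.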


Agents
Countermeasures: ANTIHBST.EXE is an antivirus that only looks for the HERBST-virus and, if requested, will restore the file.
Standard means: ---


Acknowledgements
Location: Virus Test Center, University Hamburg, FRG
Classification by: Michael Reinschmiedt
Documentation by: Michael Reinschmiedt, Morton Swimmer
Date: July 15, 1989
