Plovdiv 1.3 Virus
Written by yangying
February 21, 2008 13:15

Plovdiv 1.3 Virus
Alias: Damage 1.3 Virus
Strain: Damage Virus Strain
Detected when: September 1991
Detected where: Plovdiv, Bulgaria
Classification: Program virus, Extending, Resident
Length: 1,000 in files, 1,328 bytes in memory


Preconditions
Operating System(s): MS-DOS
Version/Release: 2.xx and upward, special support for 3.30
Computer model(s): IBM-PC, XT, AT and compatibles
Caroname: Plovdiv.1_3.A


Attributes 
Easy identification: The virus contains the string "(c)Damage inc. Ver 1.3 1991 Plovdiv S.A.".
Type of Infection:
Self-Identification: The virus recognises already-infected files by the seconds field of the file time stamp.
Executable Files: Size increased by 1,000 bytes.
System infection: RAM-resident. Allocates a memory block of 1,344 bytes at the high end of memory. If the MS-DOS version is 3.30, the virus finds the original addresses of the INT 21h and INT 13h handlers, thus bypassing active monitors.
Infection Technique: 
Infection Trigger: Programs are infected at load time (using the MS-DOS Load/Execute function) and whenever a *.COM or *.EXE file is opened.
Storage Media affected: Any logical drive that is the "current" drive.
Interrupts hooked: INT 21h functions 4Bh and 3Dh are used to infect files. Functions 11h and 12h are used to hide the infection in files. INT 24h and INT 13h are temporarily captured to mask out errors. INT 32h contains the original INT 21h handler.
Stealth: 
Tunneling/Selfprot: 
Oligo/Polymorphism: 
Encoding Method: 
Damage: The virus formats all available tracks on the current drive.
Damage Trigger: The virus carries an evolution counter that is decremented every time the virus is executed. When the counter reaches 0, the virus reads the system timer. If the hundredths-of-a-second value is greater than 50, the virus formats all available tracks on the current drive (effectively a 50% chance of destruction). The "current" drive is any logical drive on which a file is opened, executed or searched through FindFirst/FindNext.
Particularities: The virus knocks out the transient part of COMMAND.COM forcing it to be reloaded and thereby infected.
Similarities: Damage 1.1 Virus


Agents
Countermeasures: VirusClinic 2.00.007+ (Ivan Trifonoff)
Standard means: text search of string "Damage"
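The "text search" countermeasure above, as an added example that is not part of the original catalog entry: a small Python scanner that walks a directory, checks *.COM and *.EXE files for the identification string (full string and the shorter "Damage" marker), and reports the file size and the seconds field of the time stamp the catalog says the virus uses for self-identification (the entry does not state the marker value, so that field is reported, not judged). The sample files are constructed here and contain only the string, not any virus code.

```python
import os
import tempfile
from datetime import datetime

# Signature from the catalog entry; "Damage" alone is the entry's "standard means".
FULL_SIGNATURE = b"(c)Damage inc. Ver 1.3 1991 Plovdiv S.A."
SHORT_SIGNATURE = b"Damage"
TARGET_EXTENSIONS = (".com", ".exe")


def scan_file(path):
    """Report on one file: signature matches, size, and seconds field of mtime."""
    with open(path, "rb") as fh:
        data = fh.read()
    mtime = datetime.fromtimestamp(os.path.getmtime(path))
    return {
        "path": path,
        "size": len(data),
        "full_match": FULL_SIGNATURE in data,
        "short_match": SHORT_SIGNATURE in data,
        "mtime_seconds": mtime.second,
    }


def scan_tree(root):
    """Walk a directory and return reports for executables carrying the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(TARGET_EXTENSIONS):
                report = scan_file(os.path.join(dirpath, name))
                if report["short_match"]:
                    hits.append(report)
    return hits


def build_sample_tree():
    """Constructed sample: a clean COM stub, one with the string appended,
    and a text file that must be ignored because of its extension."""
    root = tempfile.mkdtemp()
    stub = b"\xb4\x4c\xcd\x21"  # mov ah,4Ch / int 21h: plain DOS exit
    with open(os.path.join(root, "CLEAN.COM"), "wb") as fh:
        fh.write(stub)
    with open(os.path.join(root, "SUSPECT.COM"), "wb") as fh:
        fh.write(stub + b"\x00" * 16 + FULL_SIGNATURE)
    with open(os.path.join(root, "NOTES.TXT"), "wb") as fh:
        fh.write(SHORT_SIGNATURE)
    return root
```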


Acknowledgements
Location: Laboratory of Computer Virology, Bulgarian Academy of Sciences
Classification by: Ivan Trifonoff
Documentation by: Ivan Trifonoff
Date: 2-October-1991
Information Source: ---

German : Plovdiv 1/3 Virus
Spanish : Plovdiv Virus 1.3
French : Plovdiv Virus 1.3
Japanese : プロブディフ1.3ウイルス
Russian : Пловдив 1,3 Вирус