| Alias: | Cansu, Sigalit Virus |
| Strain: | V-Sign Virus Strain |
| Detected when: | February 1992 |
| where: | Turkey |
| Classification: | Boot sector and partition table infector, oligomorphic, memo |
| Length: | 1) Length on media: 38 bytes + 2 sectors 2) Length in memory: 2 kByte |
Preconditions |
| Operating System(s): | MS-DOS |
| Version/Release: | --- |
| Computer model(s): | IBM - PCs, XT, AT, upward and compatibles |
| Caroname: | V-Sign |
Attributes |
| Easy identification: | Search string (hex pattern) with wildcards (?): 1272 FA?? ???? ???? ???? ???? ???? ??CD 1372 EAE9 A601 7698 |
| Type of Infection: | Upon booting from an infected diskette, the virus makes itself memory resident in the highest available 2 kByte below 640 kByte; system space is decreased by 2,048 bytes. It then hooks INT 13h and modifies the boot sector image in memory by restoring the 38 bytes previously overwritten; control is then transferred to the original boot sector. On a previously uninfected hard disk, the memory-resident virus infects the HD partition table on first HD access; moreover, the boot sector of any non-write-protected diskette accessed while the virus is memory resident will be infected. The second part of the virus body is located at different places, depending on the size of the infected medium (Track / Head / Sectors): Hard disk: 0 / 0 / 4-5; 5.25" DD diskette: 0 / 1 / 2-3; 5.25" HD diskette: 0 / 1 / 13-14; 3.5" DD diskette: 0 / 1 / 4-5; 3.5" HD diskette: 0 / 1 / 14-15. Upon every infection, the virus increments a counter; when Counter AND Mask = 0, transient damage is triggered (see below). |
| Self-identification: | After intercepting all read/write operations, the virus checks for an existing infection using the 9876h marker. |
| Infection Technique: | |
| Infection Trigger: | Booting from an infected medium (floppy boot sector, HD partition table) |
| Storage Media affected: | Any hard disk and floppy diskette. Remark: due to a bug, all diskettes infected in drive B: will try to load the second part of the virus body from that drive and thus will be non-infective (except if you happen to have two infected diskettes of one and the same size and capacity in both drives during the bootstrap). When booting from such floppies, virus attempts to read 2 sectors from B: and, if unsuccessful, system hangs. |
| Interrupts hooked: | INT 13h |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | V-Sign is oligomorphic (mild form of polymorphism), so it can be detected with a search string containing wildcards (see Search string). Oligomorphism is generated in the 38 byte code. |
| Encoding Method: | --- |
| Damage: | Permanent HD damage: upon HD infection, V-Sign saves 38 bytes of partition table in its code and overwrites Side 0, Cyl. 0, Sector 1; moreover, it saves the rest of its code on Side 0, Cyl. 0, Sectors 4+5. Partition table is NOT saved. Permanent FD damage: upon floppy infection, virus saves 38 bytes of floppy boot sector in its code and overwrites original boot sector; moreover, it saves the rest of its code in last 2 sectors of root directory (see remark). Original boot sector is NOT saved. Transient damage: dependent on trigger condition, the virus displays a block graphic showing a Victory sign; then, system hangs. |
| Damage Trigger: | Permanent (HD, FD) damage trigger: overwriting action during infection process. Transient damage: triggered when Infection Counter AND Mask = 0; Mask differs between variants: Variant 3F: every 64th infection; Variant 1F: every 32nd infection. |
| Particularities: | --- |
| Similarities: | Infection method similar to Stoned viruses |
Agents |
| Countermeasures: | McAfee Scan V95+, Skulason F-PROT 2.05+, Solomon FINDVIRU 6.02, IBM's VirScan 2.2.3A and VirX 2.5+ detect V-Sign (other scanners may also detect V-Sign but were not tested). |
| Standard means: | 1) Boot from clean system; reconstruct 38 original boot sector bytes from virus analysis. 2) Use SYS to destroy virus; reformat diskette after COPYing essential files. 3) Use FDISK/MBR (DOS 5) to reconstruct MBR. |
Acknowledgements |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Klaus Brunnstein |
| Documentation by: | 1) Fridrik Skulason: Virus Bulletin July 1992 2) David Chess |
| Date: | 22-December-1992 |
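
The search string in the "Easy identification" row can be applied to a raw 512-byte boot sector or partition table image as sketched below. This is an added example, not part of the original catalog entry or of any scanner listed under Countermeasures; the function names and the zero-filled sample sector are constructed for illustration.

```python
import re

# Search string copied from the "Easy identification" row.
V_SIGN_SEARCH_STRING = "1272 FA?? ???? ???? ???? ???? ???? ??CD 1372 EAE9 A601 7698"
SECTOR_SIZE = 512  # size of one boot sector / partition table sector image


def compile_signature(search_string: str) -> "re.Pattern[bytes]":
    """Turn a hex search string with ?? wildcards into a bytes regex."""
    digits = "".join(search_string.split())
    if len(digits) % 2:
        raise ValueError("search string must describe whole bytes")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        if pair == "??":
            parts.append(b".")  # wildcard: any single byte
        else:
            # int() rejects half-wildcards such as "7?" with ValueError
            parts.append(re.escape(bytes([int(pair, 16)])))
    # DOTALL so the wildcard also matches byte 0x0A
    return re.compile(b"".join(parts), re.DOTALL)


def scan_sector(sector: bytes, signature) -> list:
    """Return the offsets inside one sector image where the signature matches."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector image")
    return [m.start() for m in signature.finditer(sector)]


def constructed_sector(offset: int, filler: bytes) -> bytes:
    """Constructed test data: zero-filled sector holding only the fixed
    signature bytes at `offset`, with `filler` in the 12 wildcard positions."""
    if len(filler) != 12:
        raise ValueError("the search string has 12 wildcard bytes")
    hit = bytes.fromhex("1272FA") + filler + bytes.fromhex("CD1372EAE9A6017698")
    return (bytes(offset) + hit).ljust(SECTOR_SIZE, b"\x00")


if __name__ == "__main__":
    sig = compile_signature(V_SIGN_SEARCH_STRING)
    sample = constructed_sector(0x1E, bytes(range(0x05, 0x11)))  # filler includes 0x0A
    print("match offsets:", scan_sector(sample, sig))
    print("clean sector:", scan_sector(bytes(SECTOR_SIZE), sig))
```

To check real media, read the first sector of a diskette or disk image taken from a clean boot and pass those 512 bytes to `scan_sector`.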