| Description:
|
Details
HongKong.4056
This is a relatively harmless, memory resident encrypted parasitic virus. It writes itself to the end of COM files (except COMMAND.COM), to the middle of EXE files and to the MBR of the hard drive. When an infected file is executed, the virus infects the MBR of the hard drive, hooks INT 13h and 21h (as well as upon loading from infected MBR), and then infects files that are executed. By hooking INT 13h, the virus realizes its stealth routine and does not allow read/write from/to infect the MBR sector.
When an infected file is executed, the virus checks the command line. Depending on some characteristic in this line (double-byte Chinese letter?), the virus either disinfects the MBR, or displays the following message:
HONG KONG 1997
This message is also displayed by the virus on July 1st.
The virus uses several tricks. While infecting the MBR, it fills the Disk Partition Table with data that makes MS-DOS (including DOS 7.0) to go to endless loop while loading from a floppy disk. As a result, it is not possible to detect/disinfect this virus by loading from a non-infected floppy disk with an anti-virus or data rescue tool.
The second trick is on-the-fly en/decryption by using the Trace mode (INT 1). 90% of the virus' Assembler instructions are mixed with random junk bytes. By using a tracing mode, the virus skips these junk bytes. |
