ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
                    ³        VIRUS REPORT         ³
                    ³           Vienna            ³
                    ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ

Synonyms: Austrian, One in Eight, DOS-62, DOS-68, 648, UNESCO virus.

Date of Origin: December, 1987.

Place of Origin: Vienna, Austria.

Host Machine: PC compatibles.

Host Files: COMMAND.COM, COM files.

Increase in Size of Infected Files: 648 bytes.

Nature of Damage: Corrupts program or overlay files.

Detected by: Scanv56+, F-Prot.

Removed by: M-VIENNA, CleanUp, VirClean, F-Prot..

Scan Code: You can search at offset 005H for 8B F2 83 C6 0A 90 BF 00 01
B9.

History: The virus was first detected in Vienna in December, 1987. In
April, 1988, this virus surfaced in Moscow at a children's summer
computer camp run by UNESCO. Someone who didn't know of its prior
existence in Austria gave it the name DOS-62, presumably because its
method of indicating an already infected file is to set the seconds field
of the time entry of the file to 62.<Note: Contributed by Y. Radai.>

Description of Operation: This virus is a memory resident virus. It
infects COM files (including COMMAND.COM) as they are loaded and
executed. The infected files increase in size by approximately 648
bytes. Some infected programs will not run.

     The first three bytes of the program are stored in the virus, and
replaced by a branch to the beginning of the virus.  The virus looks for,
and infects, one COM file - either in the current directory or in one of
the directories on the PATH.

     One in eight files infected does not get a copy of the virus. 
Instead the first five bytes of the program are replaced by a far jump to
the BIOS initialization routine. That is, in one out of eight attempted
infections, the system will perform a warm reboot when the infected
program is run.

Removal: To remove the virus, follow the instructions provided for the
Jerusalem virus or run M-VIENNA.


ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º  This document was adapted from the book "Computer Viruses",       º
º  which is copyright and distributed by the National Computer       º
º  Security Association. It contains information compiled from       º
º  many sources. To the best of our knowledge, all information       º
º  presented here is accurate.                                       º
º                                                                    º
º  Please send any updates or corrections to the NCSA, Suite 309,    º
º  4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS  º
º  and upload the information: (202) 364-1304. Or call us voice at   º
º  (202) 364-8252. This version was produced May 22, 1990.           º
º                                                                    º
º  The NCSA is a non-profit organization dedicated to improving      º
º  computer security. Membership in the association is just $45 per  º
º  year. Copies of the book "Computer Viruses", which provides       º
º  detailed information on over 145 viruses, can be obtained from    º
º  the NCSA. Member price: $44; non-member price: $55.               º
º                                                                    º
º            The document is copyright (c) 1990 NCSA.                º
º                                                                    º
º  This document may be distributed in any format, providing         º
º  this message is not removed or altered.                           º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ

Downloaded From P-80 International Information Systems 304-744-2253