The distribution package of Telemate v4.11, TM411-4.ZIP, contains an
LHA-packed self-extracting package named VESA.EXE. The package contains
VESA drivers for different video cards, including the files 37VESA.COM
and 67VESA.COM meant for the OAK video card. Both of these files are
When an infected program is executed, the virus infects up to four COM
files in the default directory. The size of these files must be between
121 and 64768 bytes. The virus places its code at the end of
contaminated files. Although the virus will not infect files
protected with the Read-only attribute, it will infect hidden and system
files. In some cases the virus damages a file while trying to infect it.
The virus performs three checks before infecting a file. First, it
checks whether the file begins with the command INT 20h. After this, the
virus examines the fourth byte in the file. If it is 1 (ASCII 1 is a
smiling face), the virus assumes it has already infected the file and
refrains from reinfecting it. After checking the file itself, the virus
inspects its name. If the sixth and seventh letters in the file name are
'N' and 'D', the virus concludes that the file in question is the
command interpreter COMMAND.COM, and does not infect it.
It is likely that the virus checks the beginning of files for the INT
20h command in order to avoid infecting bait files created by virus
researchers. As files which begin with this command do nothing
except exit to DOS, they are often used by researchers. When a virus
infects such a simple file, the actual virus code is easy to study. The
creator of the virus has probably wanted to stop his virus from
infecting baits in order to make the lives of virus researchers even
a little bit harder. It seems, however, that during the testing of the
virus it was modified to infect files beginning with INT 20h as well.
For some reason, probably simple forgetfulness on the part of the
writer, this modification was never switched off, and the virus still
infects such files regardless of the check.
The virus uses the fourth byte in a file to ascertain the purity of its
victim. If the file's fourth byte is not 1, the virus judges the file to
be uninfected and promptly remedies the situation. Although the virus
usually leaves its victim's modification date unchanged, it contains a
bug which in some cases causes the date and time of infected files to
show the time of infection. The bug arises when there are several
COM files in the same directory, only some of which can be infected
by the virus.
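The target checks described above, re-applied as an added example (not code from the original analysis): a small triage helper that evaluates a COM file image the way Butterfly does, so a responder can tell which files in a directory the virus would have touched and which already carry its marker. The sample file images are constructed here; the ineffective INT 20h bait check is reported but, as the analysis notes, does not prevent infection.

```python
MIN_SIZE, MAX_SIZE = 121, 64768   # size range Butterfly accepts
MARKER_OFFSET = 3                 # fourth byte of the file
MARKER_VALUE = 0x01               # ASCII 1, the "smiling face" infection marker
INT_20H = b"\xcd\x20"             # opcode bytes of INT 20h (the bait-file check)
VIRUS_LENGTH = 302                # bytes appended to an infected file


def would_butterfly_infect(name: str, data: bytes, read_only: bool = False) -> dict:
    """Return a dict of findings mirroring the virus's own target checks.

    'would_infect' is True when the file passes every check the virus actually
    enforces: size in range, not Read-only, no marker byte, and not named like
    COMMAND.COM (sixth and seventh letters 'N' and 'D').  Hidden and system
    attributes are irrelevant, since the virus infects those files anyway.
    """
    upper = name.upper()
    findings = {
        "size_in_range": MIN_SIZE <= len(data) <= MAX_SIZE,
        "read_only": read_only,
        "starts_with_int20h": data[:2] == INT_20H,
        # Marker check is a weak heuristic on its own: a clean COM file may
        # legitimately have 0x01 at offset 3, so confirm with a signature scan.
        "has_marker": len(data) > MARKER_OFFSET and data[MARKER_OFFSET] == MARKER_VALUE,
        "name_matches_command_com": len(upper) >= 7 and upper[5:7] == "ND",
    }
    findings["would_infect"] = (
        findings["size_in_range"]
        and not findings["read_only"]
        and not findings["has_marker"]
        and not findings["name_matches_command_com"]
    )
    return findings


# Constructed sample COM images (not real programs): a JMP stub plus padding.
CLEAN_COM = b"\xe9\x00\x00\x00" + b"\x90" * 196            # 200 bytes, no marker
MARKED_COM = b"\xe9\x00\x00\x01" + b"\x90" * 196           # marker byte set
BAIT_COM = INT_20H + b"\x00\x00" + b"\x90" * 117           # 121 bytes, INT 20h first
TINY_COM = b"\xc3" * 100                                   # below the size floor

if __name__ == "__main__":
    for fname, image in [("LIST.COM", CLEAN_COM), ("LIST.COM", MARKED_COM),
                         ("BAIT.COM", BAIT_COM), ("COMMAND.COM", CLEAN_COM)]:
        print(fname, would_butterfly_infect(fname, image))
```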
The virus is quite simple, and is only 302 bytes in length. The virus
does not contain activation routines. The viral code contains the text
'Goddamn Butterflies', indicating that its creator either has no love
for butterflies or has borrowed the text from an old Donald Duck story.
Butterfly's extensive spreading created another kind of problem,
however: with it, many virus enthusiasts acquired a personal copy of a
simple, functional and easily modifiable virus. A flow of new Butterfly
variants followed soon after.
In the middle of July, a counterfeit copy of the popular LIST program
was released in the USA. The latest real version of LIST at the time was
v7.8, but the fake claimed the version number 8.2. The program had been
infected with a slightly modified version of Butterfly - only the text
the virus contains had been changed. The original virus contains the
text "Goddamn Butterflies" at the end of its code. In its place, the new
FJM version has an obscene comment about John McAfee, the creator of the
SCAN antivirus application.
Although both versions of Butterfly use the same code, the FJM variant
may yet prove a more successful infector than the original. That is
because Butterfly only infects files in the current directory. Most users
install auxiliary programs such as LIST in a directory on the hard
disk's search path to make them easily accessible. When the infected LIST is
executed from some other directory, the virus can jump the directory
boundary that normally limits its spreading.
Another descendant of the Butterfly virus was found in the middle of
August. Yet again, the new variant had been disguised as a shareware
program and put into circulation via electronic bulletin boards. This
time, the virus was hidden in the packet SPORT21C.ZIP. According to
the packet's description, it contained a program for inspecting the
functioning of the computer's serial and parallel ports.
The program INSTALL.EXE included in the packet was infected.
Some changes had been made to the original virus - the most
significant difference is that the new variant is capable of infecting both
COM and EXE files, whereas the original virus infects only COMs. The
virus text was also changed to read "Hurray The Crusaders".
None of the Butterfly variants which have so far been discovered
activates in any way.
[Analysis: Mikko Hypponen, F-Secure]