X-Fungus tests for residence by issuing an INT 21h call with AX=5432h.
If the return value is 1004h, the virus concludes that it is already
resident.
The virus finds a suitable memory block to install itself in by following
the MCB chain and selecting the block which is marked as last, or the
last block before it exceeds the 640k limit, whichever is found first.
The virus reserves 2 KB by subtracting that amount from the block size.
The PSP next pointer is also adjusted. 1422 bytes of the virus code are
copied to the reserved memory area and execution continues in the copy.
INT 21h and INT 08h handlers are installed by directly reading/writing
the interrupt table.
The INT 21h handler defines the residence test, and intercepts the
following DOS functions to infect files: 4Bh (load program), 43h
(get/set attribute), 3Dh (open file), 56h (rename file), 6Ch (extended
open/create).
DOS function 1Ah (set DTA) is also trapped so the DTA value can be
stored (this code assumes that the set DTA call never fails), and
functions 11h (FCB find first) and 12h (FCB find next) are trapped to
conceal the increase in size of infected files. The virus subtracts
1422 bytes from the file sizes of all infected files when they are
looked at.
The infection routine flags the type of file depending on whether the
given filename matches "*COM" or "*EXE" and ignores other files. EXE
files whose names begin with "SC" and COM files whose names begin with
"CO" are excluded from infection.
If the virus went resident on the 20th of September, the first 5
attempts at infecting files also write a message to the screen and wait
18 timer ticks. The message is 70 bytes long and encrypted with 8-bit
NEG. It is re-encrypted as soon as it has been used. Here is the message
text:
John Bonham - September 20, 1980
- L E D Z E P P E L I N -
The 18 timer tick waiting routine is all the INT 08h timer routine does.
A dummy critical error handler is installed during infection. This
interrupt handler is installed using standard DOS calls.
The file attribute is cleared and restored afterwards. File date/time
are preserved, except that 100 years are added to the file date if
infection is successful. This is the way the virus marks files as
infected.
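As an added example (not part of the original description and not code from the virus): a Python sketch that reads raw 32-byte FAT directory entries, for instance from a disk image examined while the virus is not resident, and flags COM/EXE files carrying the 100-year date marker described above, also reporting the size the FCB stealth routine would show. Treating any year of 2080 or later as the marker is an assumption, as are the function names and the constructed sample entries.

```python
import struct

VIRUS_LEN = 1422    # bytes the virus adds to a file (from the description)
YEAR_SHIFT = 100    # years added to the file date as the infection marker
ENTRY = struct.Struct("<8s3sB10sHHHI")   # 32-byte FAT directory entry

def decode_dos_date(word):
    """DOS packed date: bits 15-9 = year-1980, 8-5 = month, 4-0 = day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F

def is_target(name, ext):
    """File types the description says are infected, minus its exclusions."""
    if ext == "EXE":
        return not name.startswith("SC")
    if ext == "COM":
        return not name.startswith("CO")
    return False

def scan_directory(data):
    """Return one finding per entry that carries the +100-year marker."""
    findings = []
    for off in range(0, len(data) - 31, 32):
        raw = data[off:off + 32]
        if raw[0] == 0x00:                    # end-of-directory marker
            break
        name, ext, attr, _, _, date, _, size = ENTRY.unpack(raw)
        if raw[0] == 0xE5 or attr & 0x18:     # deleted, volume label, directory
            continue
        name, ext = (f.decode("ascii", "replace").rstrip() for f in (name, ext))
        year, month, day = decode_dos_date(date)
        # Assumption: any date in 2080 or later is treated as the marker.
        if is_target(name, ext) and year >= 1980 + YEAR_SHIFT:
            findings.append({
                "file": f"{name}.{ext}",
                "original_date": (year - YEAR_SHIFT, month, day),
                "size_on_disk": size,                      # true length, virus included
                "size_shown_when_resident": size - VIRUS_LEN,
            })
    return findings

def make_entry(name, ext, year, month, day, size):
    """Build a constructed directory entry (archive attribute, cluster 2)."""
    date = ((year - 1980) << 9) | (month << 5) | day
    return ENTRY.pack(name.ljust(8).encode(), ext.encode(), 0x20, b"", 0, date, 2, size)

# Constructed sample directory, not taken from a real disk.
SAMPLE = b"".join(make_entry(*e) for e in [
    ("FORMAT", "COM", 2094, 3, 15, 13422), ("EDIT", "EXE", 1994, 3, 15, 40000),
    ("SCAN", "EXE", 2094, 1, 2, 90000), ("COMMAND", "COM", 2094, 1, 2, 50000),
])
```

Calling `scan_directory(SAMPLE)` flags only FORMAT.COM: the SC*.EXE and CO*.COM entries are skipped because the description says the virus never infects them, so an odd date on those has another cause.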
The virus code has a lot of jumps all over the place. The code also
contains the following text strings, which are not displayed:
*X-Fungus by Harry McBungus*
*Nugga!*
*Greets SCP*
*Greets RABID*
* Patricia: Grow some programming knowledge *
*Grease me!*
*K-Mart in full effect*
*Epileptic Downer*