Date: 5 Nov 89 15:01:02 GMT (Sun)
From: Alan Solomon

Dr Alan Solomon                Day voice: +44 494 791900
S&S Anti Virus Group           Eve voice: +44 494 724201
Water Meadow                   Fax: +44 494 791602
Germain Street,                BBS: +44 494 724946
Chesham,                       Fido node: 254/29
Bucks, HP5 1LP                 Usenet: drsolly@ibmpcug.co.uk
England                        Gold: 83:JNL246
                               CIX, CONNECT drsolly

There have been a number of people recently calling for information about some of the newer viruses, like Ogre, and Dark Avenger. What follows are excerpts from the manual of a commercial product; it's OK for me to post this, as I wrote it and have the copyright! I shan't mention the name of the product, but I must apologise that the pages of the manual do refer to various components of the product. Where it refers to Findvirus, please take this as meaning any virus scanning program that knows about the virus in question; when it refers to Peeka, please take this as meaning any disk sector editor. The paragraph numbers are the chapter numbers in the manual.

I've taken the liberty of calling Ross Greenberg's discovery Fumble instead of Typo, as there is already a Typo in the literature, and we don't want two viruses with the same name. Sorry, Ross.

If anyone finds any errors or significant omissions in these descriptions, please respond via email or fax to me directly.

Finally, could I please lay one myth to rest. Datacrime (called Columbus Day in the US) does the low level format on October 13th and every day thereafter until December 31st. It does this in versions 1168, 1280 (infective lengths) and Datacrime II. It does NOT do anything on October 12th, and Datacrime II does NOT go off from Jan 1 to Oct 12th. Datacrime II refrains from the format on Mondays. The whole October 12th thing was caused by a misunderstanding about dates, picked up by the media and turned into a factoid. The other important thing about Datacrime is that it is extremely uncommon indeed. We have had no (zero, nil) cases in the UK, and I know of only two cases in Holland.
Does anyone know of any *confirmed*, definite, sightings? Apart from Fridrik's self-inflicted accident, of course :-)

4.18 Ogre

Other names - Computer Ogre, Disk Killer
Infects - the boot sector of any writable diskette or hard disk.
Classification - Boot sector virus.

4.18.1 Recognition and detection

If the virus triggers (see below) then recognition is easy. Another method of recognising it is the 8k of memory lost (so a 640k machine will show 647168 bytes of memory instead of 655360 bytes). A third way is to look at the boot sector using Peeka: it will be full of program code, without the usual messages like "Not a system disk.".

You can detect infected diskettes by running Chkdsk (which comes with Dos). If you get 3k of bad sectors on a 360k diskette, that's a sign of Ogre (Brain and Ashar give the same), as FORMAT marks an entire track (5k on a 360k diskette) as bad if it finds a defect. Likewise on other sizes of diskette; one track is the minimum that should be marked as bad, except of course for zero bad. You can also use FindVirus from the Toolkit to detect Ogre. On a hard disk, Ogre doesn't use bad sectors, so it can't be detected that way.

4.18.2 How the virus copies itself

When you boot from an infected diskette, the virus goes memory resident; this is true whether the diskette is a boot disk or not. So the usual thing is for someone to have an infected data diskette, which they leave in drive A when they shut down. Next day when they start up the computer, it attempts to boot from that diskette; if it isn't a system diskette, you see the message "Not a system disk. Please insert a system disk and retry." or a similar message. If that diskette was infected, the virus is now in memory, and when you continue the boot, it remains there. While it is in memory, any disk that you access is liable to be infected.

If you access the diskette (whether read or write) and the diskette is write enabled then Ogre will replace the boot sector with its own code, move the boot sector further up the disk, add the rest of the Ogre code, and mark these sectors as bad in the FAT. But there is a bug (or perhaps it is deliberate) in the virus; instead of marking the sectors it has used as bad, it marks a different group. Ogre also infects hard disks.

4.18.3 What the virus does

If you leave your computer on for 48 hours, and access the hard disk during the following hour, the virus triggers. It clears the screen, and puts up "Disk Killer -- Version 1.00 by COMPUTER OGRE 04/01/1989" in black characters on a white background. Then in yellow on green, it says "Warning !!", and two lines down "Don't turn off the power or remove the diskette while Disk Killer is Processing!". Then in bright red, and blinking, on black, it says "PROCESSING". By the time you see that and react to it, it will be too late, as the disk will be inaccessible. You might decide to switch off in spite of what Ogre has told you, but even if you do, the disk will have been made unreadable by then, and your best course will be to re-initialise the disk and restore the latest backups.

4.18.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that there is nothing unwanted installed in memory. Use Findvirus to determine which diskettes are infected. Treatment consists of simply copying all the files off an infected diskette (using "COPY *.*"; do not use Diskcopy or any image copier), and reformatting the diskette (see below for details). Remember that Ogre might have written itself onto one (or more) of the files. This would not make the file infectious, but would mean that if it were a program, it would not run, and if it were data, the data would be corrupted.

If a large number of diskettes are potentially infected, then you should consider borrowing our hopper-fed diskette cleaning machine, which can handle up to 700 diskettes per hour, sorting them into clean and contaminated bins.

If you have a major outbreak of Ogre on a large site, then while you clear it up, you should use Inoculate on all diskettes. This works by putting the Ogre signature (just two harmless bytes) on the boot sector of the diskette. If Ogre sees that signature, it thinks that the diskette is already infected, so doesn't attack it. This means that if you use a moving line method to clear out Ogre, you can't have a re-infection following the demarcation line.

In the case of a hard disk, you could use a disk sector editor. Find the original boot sector (it will be in the bad sectors) and copy it back to the place where it should be, at Logical Sector Number zero. I would recommend that you take a full backup before doing this, as if you get it wrong, you could make your disk inaccessible.

An alternative, and much easier method, is as follows. First boot from a clean Dos disk. Then make two backups of the hard disk (the second backup is in case you find that you have a problem restoring the first backup). With most versions of Dos, SYS will replace the boot sector, and you can use Findvirus to check that this has worked. This leaves the body of the Ogre code in between the partition and the boot sector, but since there is nothing to load it in, it is perfectly harmless. If in spite of that, you wish to get rid of it, then the simplest way is a low level format of the hard disk.

4.18.5 Other information

It was first sighted in the US, but we have also had a case in Ealing near London. Floppy disks are not infected correctly, and Ogre can write its code into a file on the diskette, not using the bad sectors that it creates. Ogre is more infectious than Italian virus, as it can infect 80286 and 80386 machines, which Italian cannot.
4.18.6 Technical details

If the computer is left on for 48 hours, and not accessed during the next hour, then the trigger is deferred for 255 hours, at which point a disk access will have the same effect. In order to do this, it hooks interrupt 8, the timer tick. To copy itself onto other diskettes, Ogre goes memory resident at boot up, occupying 8k of memory at the top of memory, and changing the byte at 413h to reflect 8k less than the computer has. It hooks interrupt 13h, and attempts to infect on read accesses to a disk. When Ogre infects a hard disk, it writes the code into the sectors immediately preceding the boot sector.

4.19 Typo

Other names - None
Infects - the boot sector of any writable diskette or hard disk except 80286 or 80386 machines.
Classification - Boot sector virus.

4.19.1 Recognition and detection

If you look at the boot sector using Peeka or Norton, it will be full of program code, without the usual messages like "Not a system disk.". You can detect infected diskettes by running Chkdsk (which comes with Dos). If you get 1k of bad sectors, that's a good sign of Typo (or Italian virus), as FORMAT marks an entire track (5k on a 360k diskette) as bad if it finds a defect. You can also use FindVirus from the Toolkit to detect Typo.

4.19.2 How the virus copies itself

When you boot from an infected diskette, the virus goes memory resident; this is true whether the diskette is a boot disk or not. So the usual thing is for someone to have an infected data diskette, which they leave in drive A when they shut down. Next day when they start up the computer, it attempts to boot from that diskette; if it isn't a system diskette, you see the message "Not a system disk. Please insert a system disk and retry." or a similar message. If that diskette was infected, the virus is now in memory, and when you continue the boot, it remains there. While it is in memory, any disk that you access is liable to be infected.

If you access the diskette (whether read or write) and the diskette is write enabled then Typo will replace the boot sector with its own code, move the boot sector further up the disk, add the rest of the Typo code, and mark these sectors as bad in the FAT. Typo also infects hard disks.

4.19.3 What the virus does

It installs a routine that replaces the normal printer handler routine. It sets a counter to 50, and decrements it each time a character is printed (unless it is an escape, in which case it increases it by five). When the counter reaches zero, it does a typo. A typo consists of a character substitution from the following:

18CKGJMNOU36VW27ckgjmnou49vw

So 1 is substituted for 8 and vice versa, C for K and so on. It also does a substitution on some of the high order bytes:

80h,92h,9ah,88h,97h,8bh,85h,8fh

This is more meaningful when the Hebrew character set is used.

4.19.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that there is nothing unwanted installed in memory. Use Findvirus to determine which diskettes are infected. Treatment consists of simply copying all the files off an infected diskette (using "COPY *.*"; do not use Diskcopy or any image copier), and reformatting the diskette (see below for details). Alternatively, you can use UnVirus (part of the Toolkit) to remove the infection from a diskette; UnVirus is a lot faster.

If a large number of diskettes are potentially infected, then you should consider borrowing our hopper-fed diskette cleaning machine, which can handle up to 700 diskettes per hour, sorting them into clean and contaminated bins.

If you have an outbreak of Typo, then while you clear it up, you should use Inoculate on all diskettes. This works by putting the Typo signature (just two harmless bytes) on the boot sector of the diskette. If Typo sees that signature, it thinks that the diskette is already infected, so doesn't attack it. You cannot inoculate against Italian and Typo on the same diskette, as they use different signatures in the same place.

In the case of a hard disk, you could use a disk sector editor. Find the original boot sector (it will be in the bad sectors) and copy it back to the place where it should be, at Logical Sector Number zero. I would recommend that you take a full backup before doing this, as if you get it wrong, you could make your disk inaccessible. You could then patch the FAT to mark the bad sectors as usable. We have not provided a utility to do this, as there are so many different layouts of hard disk to cope with.

An alternative, and much easier method, is as follows. First boot from a clean Dos disk. Then make two backups of the hard disk (the second backup is in case you find that you have a problem restoring the first backup). With most versions of Dos, SYS will replace the boot sector, and you can use Findvirus to check that this has worked, but this still leaves you with the 2k in bad sectors; this is now quite harmless, and can be ignored. Alternatively, you can format the hard disk, using "FORMAT /S/V", and restore the backup; this has the advantage of reclaiming the fake bad sectors.

4.19.5 Other information

It was first sighted in Israel. It is based on Italian virus, and the infective code is very similar indeed. This is a very insidious virus. Printers often give problems, and so do printer cables. A lot of time will be wasted trying to fix a hardware fault before the virus is discovered. Likewise, a lot of genuine printer problems will be blamed on this virus.

4.19.6 Technical details

Like Italian, Typo does not work on 80286 and 80386 machines; if you boot from an infected floppy, the machine hangs.

4.22 Dark Avenger

Infects - any non-tiny COM or EXE file on any writable Dos device.
Classification - Indirect Action File virus

4.22.1 Recognition and detection

COM files grow by 1800 bytes, EXE files by a similar amount, subject to rounding up to a multiple of 16. Probably the likeliest give-away for this virus is the way it tries very hard to write to write-protected diskettes, although there is no "Abort, Retry, Ignore?" message.

4.22.2 How the virus copies itself

It is an Indirect Action File Virus. When you run an infected COM or EXE file, it goes memory resident. Thereafter, a number of actions can trigger an infection. The virus makes files read/write and resets the attribute after infection. It also preserves the date and time of files. It only infects files if they are larger than about 1800 bytes. If you copy a file, the source and target are both infected. If you read a file, it is infected, so if a program looks at all the files on a disk, that will infect all the files. If you change the attribute of a file, that will infect it. Loading and executing a file infects it, just like Jerusalem (1813) virus. Because of all these infection mechanisms, it is a very infectious virus.

4.22.3 What the virus does

It writes a sector that starts "Eddie lives...somewhere in time!" to a random sector on the hard disk, at intervals. This sector might not land on anything, or it might overwrite part of a program or some data. The damage done is therefore quite subtle.

4.22.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that Dark Avenger is not installed in memory. You can then remove Dark Avenger by using Findvirus to search for all instances of the virus. Every infected file that you find, you can delete, and copy a good file in its place. Run Findvirus again when you are finished, to make sure that all instances have been found. If you want to replace the boot sector with a clean copy, you can take a full backup, and then use SYS C: to do this. Finally, you should install ChkVirus on all machines that are potentially infectable, to provide an early warning of a recurrence of this or another virus.

4.22.5 Other information

There is a message that says "This program was written in the city of Sofia (C) 1988-89 Dark Avenger". There is also a string "Diana P." - neither of these strings is used. The virus only works on Dos 3 and above.

4.22.6 Technical details

This virus does an end run around the disk interrupts. So any program that checks to see if anything is using interrupt 13h or 40h will be fooled. To do this, it attempts to replace interrupts 13h (disk and diskette) and 40h (diskette). It also replaces interrupt 24h (critical error) with its own, to suppress the "Abort, Retry, Ignore?" message when it tries to infect a write-protected disk. This doesn't work properly, and you can get a number of these messages if diskettes are write-protected. In spite of carefully doing the end run round 13h and 40h, it does not attempt to avoid using interrupt 26h to write to the disk, so any TSR monitoring program that hooks that interrupt will stand a chance of spotting it. It also replaces interrupt 27h (terminate and stay resident) with its own version that doesn't let other programs use this method to go TSR, and replaces interrupt 21h. It also traps the Dos calls to get or set interrupts 21h and 27h, and if any program tries to do this, it pretends that it has been done, but doesn't do it.

It uses the boot sector to store data; every time an infected program is run, it increments a counter which is the last byte of the OEM label on the boot sector (byte 0ah), and zeros the four most significant bits. When this byte is zero (every 16th time), it adds 40h to the word at offset 8 on the boot sector. If the word at offset 8 is less than the number of sectors on the volume, it writes a sector that starts "Eddie lives...somewhere in time!" to the sector that it has calculated on the disk.

4.23 Vacsina

Infects - any non-tiny COM or EXE file on any writable Dos device.
Classification - Indirect Action File virus

4.23.1 Recognition and detection

EXE files are converted to COM files, and in the process, they grow by a hundred bytes or so (132 is typical). The conversion is only done to files less than 63k, as COM files cannot be larger than that. The conversion is done to the file format, but not to the file name, so there is no filename change. COM files are infected, growing them by 1207 to 1213 bytes. Only files that are 1206 bytes or larger are infected. When a COM file is infected, the computer beeps. The file's date is not preserved - that's the most likely way that this virus will be spotted. When it infects a file, it accesses drive A, even if the infected program doesn't.

4.23.2 How the virus copies itself

It is an Indirect Action File Virus. When you run an infected COM or EXE file, it goes memory resident. Thereafter, any time you load a COM or EXE file, that file is infected. Read-only files are set to read/write and it then resets the attribute after infection. EXE files are infected in two stages - first the conversion to COM, and then the COM infection. EXE files are not in themselves infectious though - only COM files contain the code that goes memory resident.

4.23.3 What the virus does

There is no payload to this virus, other than the beep when it infects a COM file.

4.23.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that Vacsina is not installed in memory. You can then remove Vacsina by using Findvirus to search for all instances of the virus. Every infected file that you find, you can delete, and copy a good file in its place.
Run Findvirus again when you are finished, to make sure that all instances have been found. Finally, you should install ChkVirus on all machines that are potentially infectable, to provide an early warning of a recurrence of this or another virus.

4.23.5 Other information

The virus is named after the string VACSINA that is found in each copy of it. But it isn't clear how this virus could be considered a vaccinator in any sense.

4.23.6 Technical details

The string VACSINA is a file name, of a file that it looks for on drive A. If it finds it, it opens the file using an FCB call (interrupt 21h, function 0fh). The file is left open as it does the infection, and when the infection terminates normally, the file is closed using an FCB call (interrupt 21h, function 10h). I cannot see the purpose of this call, unless it was something to do with debugging. The virus author makes extensive use of the Dos function 45h, duplicate a file handle. This is done for error handling, and is not a feature of any other virus so far.

4.24 Mix1

Infects - any non-tiny EXE file on any writable Dos device.
Classification - Indirect Action File virus

4.24.1 Recognition and detection

This is a virus with a lot of interesting effects, any of which might be noticed. The most obvious is the garbling of serial and parallel port information; the garble is quite noticeable. In late generation infections (see below for details) the virus displays a bouncing ball, the lower case letter "o", which bounces off the sides of the screen like a ping pong ball. It is not deflected by letters on the screen (unlike Italian virus) but does replace letters that it passes over. The bouncing ball display comes up 60 minutes after the virus goes memory resident. Also in late generation infections, after 50 minutes the keyboard handler is replaced, with a routine that always turns off Caps Lock, and always switches Num Lock on. Also, if you reboot at that time, it triggers the video display.

The virus doesn't disable the "Abort, Retry, Ignore" message, so that if it tries to infect a write-protected diskette, it gives that message. Only EXE files are infected, and they grow by 1620 or so bytes. Files are not infected unless they are greater than 8192 bytes.

4.24.2 How the virus copies itself

It is an Indirect Action File Virus. When you run an infected EXE file, it goes memory resident. Thereafter, any time you load an EXE file, that file is infected. Read-only files are set to read/write and it then resets the attribute after infection. The memory resident part of the virus is in high conventional memory, consuming 2048 bytes.

4.24.3 What the virus does

The main effect is the garbling of the parallel and serial ports, which will affect modems and printers. It uses a simple table; here is the translation for letters (numbers are unaffected).

abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ

becomes

ebsdapghejklmnufqrctovwxyz BECDAPGHYJKLMNUFQRSTOVWXIZ

So, for example,

Bad command or file name

becomes

Eed summend ur pela nema

4.24.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that Mix1 is not installed in memory. You can then remove Mix1 by using Findvirus to search for all instances of the virus. Every infected file that you find, you can delete, and copy a good file in its place. Run Findvirus again when you are finished, to make sure that all instances have been found. If the outbreak is on a large site, you can use Inoculate to prevent a re-infestation as you clean up. Finally, you should install ChkVirus on all machines that are potentially infectable, to provide an early warning of a recurrence of this or another virus.

4.24.5 Other information

This virus is modelled after the Icelandic viruses, but the virus author has put everything that he can think of into the payload. It was first detected in Israel in August 1989.
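The two printer tables above (Typo in 4.19.3 and Mix1 in 4.24.3) are worth having in runnable form, as a way to tell a virus garble from the cable and port faults the manual says get blamed for it. This is an added example, not code from the manual or the Toolkit; it assumes the Typo pairs are consecutive characters of the quoted string, and it leaves out the high-order (Hebrew) bytes, whose pairing the text does not state.

```python
"""Substitution tables used by Typo (4.19.3) and Mix1 (4.24.3) on printer and
port output. Added example, not from the manual or the Toolkit: it builds the
tables from the strings quoted in the text, so that captured printer or serial
output can be matched against them and, where the table allows it, reversed."""

# Typo: consecutive characters of the quoted string are exchanged with each
# other (1<->8, C<->K, ...), so the resulting table is its own inverse.
# Assumption: the pairing is consecutive; the high-order bytes are omitted.
TYPO_PAIRS = "18CKGJMNOU36VW27ckgjmnou49vw"

# Mix1: each character of the first row prints as the character below it.
MIX1_FROM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
MIX1_TO = "ebsdapghejklmnufqrctovwxyzBECDAPGHYJKLMNUFQRSTOVWXIZ"


def typo_table() -> dict:
    table = {}
    for i in range(0, len(TYPO_PAIRS), 2):
        a, b = TYPO_PAIRS[i], TYPO_PAIRS[i + 1]
        table[a], table[b] = b, a
    return table


def mix1_table() -> dict:
    return dict(zip(MIX1_FROM, MIX1_TO))


def apply_table(text: str, table: dict) -> str:
    """Characters in the table are substituted; everything else passes through
    (digits and punctuation for Mix1, characters outside the pairs for Typo)."""
    return "".join(table.get(ch, ch) for ch in text)


def invert_table(table: dict) -> dict:
    """Map each garbled character to the set of originals that produce it.
    Typo's table is a bijection; Mix1's lower-case row is not (both 'a' and
    'i' come out as 'e'), so some recovered positions have two candidates."""
    inverse = {}
    for src, dst in table.items():
        inverse.setdefault(dst, set()).add(src)
    return inverse


def ungarble(text: str, table: dict) -> list:
    """Every plaintext consistent with the garbled text. Ambiguous positions
    multiply the candidate list, which is the honest answer for Mix1; for
    Typo the list always has exactly one entry."""
    inverse = invert_table(table)
    candidates = [""]
    for ch in text:
        options = sorted(inverse.get(ch, {ch}))
        candidates = [c + o for c in candidates for o in options]
    return candidates


def explain_difference(expected: str, printed: str) -> str:
    """Name the virus whose table turns what the program sent into what the
    printer produced. Mix1 rewrites the whole stream; Typo substitutes one
    character at a time (when its counter hits zero), so for Typo every
    differing position, and only those, must be a table pair."""
    if len(expected) != len(printed) or expected == printed:
        return "none"
    if apply_table(expected, mix1_table()) == printed:
        return "Mix1"
    typo = typo_table()
    diffs = [i for i, (e, p) in enumerate(zip(expected, printed)) if e != p]
    if all(typo.get(expected[i]) == printed[i] for i in diffs):
        return "Typo"
    return "none"


if __name__ == "__main__":
    print(apply_table("Bad command or file name", mix1_table()))
    print(explain_difference("Total 1800 copies", "Total 8800 copies"))
```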
4.24.6 Technical details

There is a counter in the virus, which counts the number of infections since the virus went memory resident, and this counter is written out to each infected file. If the counter is greater than 5, then when such a late generation instance of the virus goes TSR, it replaces the timer tick (int 8) and the keyboard handler (int 9), as well as int 14h (serial) and int 17h (parallel). It is the replacement of int 8 and 9 that eventually triggers the bouncing "o" display, the Caps Lock and Num Lock twiddling, and the reboot display. This doesn't work properly, and on a CGA, just triggers typical CGA snow. To go memory resident, the virus uses Memory Control Blocks directly, instead of using the Dos interrupts to do so.

4.25 Fumble

Infects - any COM file on any writable Dos device.
Classification - Direct Action File virus

4.25.1 Recognition and detection

This virus makes you seem to hit the wrong key, but only rarely. COM files grow by 867 bytes. The virus doesn't disable the "Abort, Retry, Ignore" message, so that if it tries to infect a write-protected diskette, it gives that message. However, it does preserve date/time, and the file's attribute (it temporarily sets it to read/write in order to infect it).

4.25.2 How the virus copies itself

It is a Direct Action File Virus. When you run an infected COM file, it infects every other uninfected COM file in that subdirectory. It detects whether a file is infected or not by looking for the characters "V1" immediately after the original infected program. On odd days (the first, third, fifth etc. of each month) it does not infect.

4.25.3 What the virus does

The virus replaces the keyboard handler, interrupt 16h. If it is in place, it occasionally replaces the key that is typed with the key immediately to the right (actually, it is a bit more complicated than this - see below).

4.25.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that Fumble is not installed in memory. You can then remove Fumble by using Findvirus to search for all instances of the virus. Every infected file that you find, you can delete, and copy a good file in its place. Run Findvirus again when you are finished, to make sure that all instances have been found. Finally, you should install ChkVirus on all machines that are potentially infectable, to provide an early warning of a recurrence of this or another virus.

4.25.5 Other information

This virus has only ever been found on one site.

4.25.6 Technical details

The virus defines a new function for interrupt 16h, function 0ddh. If interrupt 16h is called with that in the AH register, then it returns with 0ddh in the AL register. The virus uses this to determine whether it is already installed. The fumble table used is:

`12345687790-=\~!@#$%^&*()_+|qwertyuiop[][asdfghjkl;' zxcvbnm,./QWERTYUIOP{}ASDFGHJKL:";ZXCVBNM<>?.

The way the table is used is, each letter is replaced by the letter on the right. The fumble only activates if you type at better than six characters per second (approximately 60 wpm). If you type at that speed, after not using the keyboard for five seconds, you get a fumble. There is code in the virus that should gradually decrease that five second gap, but it doesn't work correctly.

4.26 Dbase

Infects - any COM file on any writable Dos device.
Classification - Indirect Action File virus

4.26.1 Recognition and detection

COM files grow by 1864 bytes, and 1884 bytes are subtracted from the top of conventional memory, which would be shown up by Chkdsk or Checkmem (in the Toolkit). The virus doesn't disable the "Abort, Retry, Ignore" message, so that if it tries to infect a write-protected diskette, it gives that message.
However, it does preserve date/time, and the file's attribute (it temporarily sets it to read/write in order to infect it). .DBF files are garbled (see below for details). The virus creates a hidden file in the root directory called C:\BUGS.DAT. The way you are most likely to detect this virus is if you copy a file with the extension DBF to an uninfected computer, and then you find that a database that is fine on the infected computer is garbled on the clean one.

4.26.2 How the virus copies itself

It is an Indirect Action File Virus. When you run an infected COM file, part of the virus goes memory resident. Then, when you run another COM program, it infects that from the memory resident part.

4.26.3 What the virus does

It intercepts the Dos functions to create, open, read, write and close a file. If the file does not have the DBF extension, it ignores it (DBF is a common extension for database files). If it does have a DBF extension, it garbles it. The garble is very simple - it just interchanges pairs of bytes; it is equally easy to ungarble a garbled file, by writing a program that swaps pairs of bytes back again. We have written such a program, and it is available free of charge to any registered user of the Anti-Virus Toolkit that has been affected by this virus. It isn't on the Toolkit diskette, as the virus has only ever been seen on one site.

The virus creates a hidden file C:\BUGS.DAT that contains the list of garbled files. If you create a .DBF file (whether you start up a new database, or copy a file, or make a backup to a file with this name) three months after the BUGS.DAT file is created, then a damage routine is triggered. The same thing happens if the system date is three months before the date of BUGS.DAT.

The first thing to say is that the damage routine doesn't actually work. This is because of a bug in it. But if it had worked, it would have written garbage over the first 256 sectors on the hard disk, overwriting the boot, both copies of the File Allocation Table, and the whole directory. It does this to every device attached to the computer, starting at device D, and working up to device Z. On most computers, there is no drive D, and the system will just hang, with no damage done. On networks, the direct write to the device will be disallowed by the network software. So the only time this routine will work is if there is a local drive D.

4.26.4 How to get rid of it

Boot from a clean Dos disk; this is a Dos diskette that has come from the manufacturer, and has never been write enabled. This ensures that Dbase is not installed in memory. You can then remove Dbase by using Findvirus to search for all instances of the virus. Every infected file that you find, you can delete, and copy a good file in its place. Run Findvirus again when you are finished, to make sure that all instances have been found. Finally, you should install ChkVirus on all machines that are potentially infectable, to provide an early warning of a recurrence of this or another virus.

4.26.5 Other information

This virus has only ever been found on one site. It seems to be targeted, as it only attacks .DBF files.

4.26.6 Technical details

To determine whether the virus is already memory resident, it puts 0fb0ah in the AX register, and calls interrupt 21h. If the interrupt returns with 0afbh in the AX register, then the virus was already installed. The virus traps Dos interrupt 21h, functions 6ch (Dos 4 create file extended), 5bh (create new file), 3ch (create file), 3dh (open file), 3fh (read file), 40h (write to file) and 3eh (close file). It also traps 4bh, and uses this as the trigger to infect a file.
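The ungarble program that 4.26.3 describes is short enough to show in full; this is an added example, not the Toolkit utility the manual mentions. It assumes an odd trailing byte is left untouched (the text does not say), and the plausibility check on the recovered table uses general dBASE III header layout, which is an assumption on my part and not something the manual states.

```python
"""Recovery for .DBF files garbled by the Dbase virus (4.26.3). Added example,
not the Toolkit utility: the garble only interchanges pairs of bytes, so
swapping every pair back restores the file."""
import os


def swap_byte_pairs(data: bytes) -> bytes:
    """Exchange every adjacent pair of bytes, which is all the Dbase garble
    does. Swapping is its own inverse, so one routine both models the garble
    (for testing) and undoes it. An odd trailing byte is left where it is
    (assumption: the manual does not say what happens to it)."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def is_dbase_target(name: str) -> bool:
    """The virus only garbles files whose extension is DBF (4.26.3)."""
    return os.path.splitext(name)[1].upper() == ".DBF"


def looks_like_dbf(data: bytes) -> bool:
    """Plausibility check on a recovered table. Assumption from general dBASE
    III layout, not from the manual: byte 0 is the version (0x03, or 0x83
    when a memo file is attached) and the little-endian word at offset 8 is
    the header length, which cannot exceed the file size."""
    if len(data) < 32 or data[0] not in (0x03, 0x83):
        return False
    header_len = int.from_bytes(data[8:10], "little")
    return 32 <= header_len <= len(data)


def recover_dbf(name: str, data: bytes):
    """Undo the garble for a .DBF file. Returns (recovered_bytes, plausible).
    Non-DBF names are returned untouched, because the virus ignored them and
    swapping their bytes would damage a good file."""
    if not is_dbase_target(name):
        return data, looks_like_dbf(data)
    fixed = swap_byte_pairs(data)
    return fixed, looks_like_dbf(fixed)


def _build_sample_dbf() -> bytes:
    """Constructed dBASE III table (not data from an infected site): one
    32-character NAME field and two records."""
    header = bytes([0x03, 89, 11, 5])            # version, last update 89-11-05
    header += (2).to_bytes(4, "little")           # record count
    header += (65).to_bytes(2, "little")          # header: 32 + 32-byte field + 0x0D
    header += (33).to_bytes(2, "little")          # record: deletion flag + 32 chars
    header += bytes(20)                           # reserved
    field = b"NAME".ljust(11, b"\0") + b"C" + bytes(4) + bytes([32]) + bytes(15)
    records = b"".join(b" " + n.ljust(32) for n in (b"Alan Solomon", b"Ross Greenberg"))
    return header + field + b"\x0d" + records + b"\x1a"


SAMPLE_DBF = _build_sample_dbf()
GARBLED_DBF = swap_byte_pairs(SAMPLE_DBF)     # what the virus would leave behind

if __name__ == "__main__":
    fixed, ok = recover_dbf("CUSTOMER.DBF", GARBLED_DBF)
    print("recovered identical:", fixed == SAMPLE_DBF, "plausible header:", ok)
```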