Glue.4000
Details
Glue.4000.a
It is a very dangerous memory resident multipartite virus. It writes itself to the end of .COM and .EXE files and to the MBR of the hard drive and boot sectors of floppy disks. The virus is encrypted in files. While accessing to infected disk sectors the virus calls its stealth routine.
When an infected file is executed, the virus hooks INT 21h and stays memory resident. It then infects the files that are executed or opened. Before infecting a file, the virus infects current disk (MBR in case of hard drive, or boot sector in case of floppy disk). While infecting a disk the virus overwrites the boot or MBR sector, then writes its code and original boot/MBR sector to the disk sectors that are then marked as bad ones. Reinfection of disks and files is possible. In some cases the virus corrupts the floppy disk boot sector while infecting. The virus also has other bugs and may halt the system while infecting a file.
On FindFirst/Next DOS calls the virus calls its stealth routine and shows decreased length of infected files. When BACKUP.COM or CHKDSK.COM utilities are run, the virus disables that routine.
While loading from infected disk the virus hooks INT 13h, waits for DOS loading process, then hooks INT 21h and INT 9 (keyboard). INT 9 handler contains a counter and increases it on any keystroke. When this counter reaches 10000, the virus starts to disable writing to disk (INT 13h) without any error message or return code. That will corrupt the files while writing to them.
The variants of this virus contain the text strings:
“Glue.4000.a”:
COMEXEBACKUP.COMCHKDSK.COM
The Digital Glue (C) 1990,1991 by Eastern Digital
1900 Timi$oara
THE END
“Glue.4000.b”:
COMEXEBACKUP.COMCHKDSK.COM
Lipici (C) 1991 by Eastern Digital
1900 Timi$oara
Related Posts