This virus infects COM files, EXE files, the Master Boot Record of hard drives and the DOS boot records of floppies. It deletes c:\windows\system\iosubsys\hsflop.pdr; the purpose of this is to force Windows to use compatibility mode, which allows the virus to infect floppies while Windows is active. When run, it immediately infects c:\windows\win.com.
It reduces the amount of available memory by 4K. It hooks Int 13 (low-level disk functions) and Int 1C (timer); after 10.4 seconds, it hooks Int 21 (DOS functions).
It stores the original boot sector on Cylinder 0, Side 0, Sector 2 on hard disks and Cylinder 0, Side 1, Sector 14 on floppy disks. It stores the rest of the virus on Cylinder 0, Side 0, Sectors 3 and 4 on hard disks and Cylinder 0, Side 1, Sectors 12 and 13 on floppy disks. If those sectors are in use, they will be overwritten.
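As an added example, not part of the original analysis, the sector locations above turned into a check an analyst could run over a raw disk image: it converts the CHS addresses given in the text into byte offsets and tests whether the sector stashed there looks like a boot sector. The geometries (18 sectors per track and 2 heads for a 1.44 MB floppy, 63 and 255 for the hard disk), the 55AA/jump heuristic, and the sample image are all assumptions constructed here.

```python
SECTOR = 512

# Where the analysis says the virus keeps the original boot sector ("orig")
# and the rest of its body ("body"), as (cylinder, side, sector) triples.
# Geometry values are assumptions for a 1.44 MB floppy and a typical LBA-era disk.
STASH = {
    "hard":   {"spt": 63, "heads": 255, "orig": (0, 0, 2),  "body": [(0, 0, 3), (0, 0, 4)]},
    "floppy": {"spt": 18, "heads": 2,   "orig": (0, 1, 14), "body": [(0, 1, 12), (0, 1, 13)]},
}


def chs_to_offset(cyl, head, sector, spt, heads):
    """Byte offset of a CHS address in a raw image (sectors are 1-based)."""
    lba = (cyl * heads + head) * spt + (sector - 1)
    return lba * SECTOR


def looks_like_boot_sector(sector):
    """Heuristic: a boot sector starts with a jump and ends with the 55AA signature."""
    return (len(sector) == SECTOR
            and sector[0] in (0xEB, 0xE9)
            and sector[-2:] == b"\x55\xAA")


def stashed_boot_sector(image, kind):
    """Return the sector the virus would have stashed the original boot sector in,
    or None if nothing boot-sector-like is found there."""
    g = STASH[kind]
    off = chs_to_offset(*g["orig"], g["spt"], g["heads"])
    sector = image[off:off + SECTOR]
    return sector if looks_like_boot_sector(sector) else None


def build_floppy_image(stash_original=False):
    """Constructed 1.44 MB image: a boot sector in sector 1 and, optionally,
    a copy at cylinder 0, side 1, sector 14 as the analysis describes."""
    image = bytearray(2880 * SECTOR)
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"          # short jump + nop, as real boot code begins
    boot[3:11] = b"CONSTRCT"             # constructed OEM name, not a real one
    boot[-2:] = b"\x55\xAA"
    image[0:SECTOR] = boot
    if stash_original:
        off = chs_to_offset(0, 1, 14, 18, 2)
        image[off:off + SECTOR] = boot
    return bytes(image)
```

A hit only means the sector resembles a boot sector; confirming it is the original (and not the virus body in sectors 12 and 13) still needs a manual look at the code.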
The Int 21 handler answers the "Are you there?" call DEADh by returning BCBCh. It hooks function 4B (load and execute). It does not check the file extension, so it is advisable to check all files when cleaning this virus from your computer. It saves the original file attributes and clears them so that read-only files can be infected. It does not infect files starting with FFFFh (SYS files). Before infecting, it hooks Int 24 (error handler). It infects self-checking files with the ENUNS signature.
For EXE files, it stores the infection marker TD in the checksum field. It contains the text:
- $BAPHOMETH$' v1 ~CAD! /AVM /CB - ENUNSOct 28 Update
alt.2600.crackz Crackz - Forte Agent 1.5 FAG-K.ZIP alt.cracks,alt.2600.crackz Crackz - WinZip 7.0 KeyGen WINZIP.ZIP alt.cracks,alt.2600.crackz Anawave GRAVITY v2.x KeyGen ME_GRAV2.ZIP alt.2600.crackz,alt.cracks,alt.sex CuteFTP v2.0 Keygen CUTEFTP.ZIP

This variant uses some tricks to make analysis and detection difficult. It also encrypts the original partition table so that the hard drive is not visible to DOS after a clean boot. It contains the encrypted text:
Baphometh v2 ~CAD
[Analysis by Chris Stubbs]