Virus Name: XYZ

Aliases: X-AMINE YOUR ZIPPER

V Status: New, Research Viron
Discovery: January, 1994
Symptoms: None - Pure Stealth
Origin: USA
Eff Length: 440 Bytes
Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector
Detection Method: None
Removal Instructions: See Below
General Comments:
The XYZ virus is a HMA memory resident overwriting direct action
infector. The virus is a pure 100% stealth virus with no detectable
symptoms. No file length increase; overwritten .EXE files execute
properly; no interrupts are directly hooked; no change in file date or
time; no change in file attributes; no change in available memory;
INT 12 is not moved; no cross linked files from CHKDSK; when resident
the virus cleans programs on the fly; works with all 80?86 processors;
VSAFE.COM does not detect any changes; Thunder Byte's Heuristic virus
detection does not detect the virus; Windows 3.1's built in warning
about a possible virus does not detect XYZ.
The XYZ virus will only load if DOS=HIGH in the CONFIG.SYS file. The
first time an infected .EXE file is executed, the virus goes memory
resident in the HMA (High Memory Area). The hooking of INT 13 is
accomplished using a tunnelling technique, so memory mapping utilities
will not map it to the virus in memory. It then reloads the infected
.EXE file, cleans it on the fly, then executes it. After the program
has been executed, XYZ will attempt to infect 15 .EXE files in the
current directory.
If the XYZ virus is unable to install in the HMA or clean the infected
.EXE on the fly, the virus will reopen the infected .EXE file, remove
itself, and then write the cleaned code back to the .EXE file. It
then reloads the clean .EXE file and executes it. The virus can not
clean itself on the fly if the disk is compressed with DBLSPACE or
STACKER, so it will clean the infected .EXE file and write it back.
It will also clean itself on an 8086 or 8088 processor.
It will infect an .EXE if it is executed, opened for any reason or
even copied. When an uninfected .EXE is copied, both the source and
destination .EXE file are infected.
The XYZ virus overwrites the .EXE header if it meets certain criteria.
The .EXE file must be less than 62K. The file does not have an
extended .EXE header. The file is not SETVER.EXE. The .EXE header
must be all zeros from offset 72 to offset 512; this is where the XYZ
virus writes it code. The XYZ virus then changes the .EXE header to
a .COM file. Files that are READONLY can also be infected.
The text string "XYZ" and "ZYX" appear in the virus code but are not
displayed.
The XYZ virus has a companion virus that it works with. The GOLD-BUG
virus also goes memory resident in the HMA and reserves space for the
XYZ virus.
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
your CONFIG.SYS file. Reboot the system. Then run each .EXE file
less than 62k. The virus will remove itself from each .EXE program
when it is executed. Or, leave DOS=HIGH in you CONFIG.SYS; execute
an infected .EXE file, then use a tape backup unit to copy all your
files. The files on the tape have had the virus removed from them.
Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the
system. Restore from tape all the files back to your system.