%%File: VIRS0093.TXT
%%Name/Aliases: 2UP
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR., Encrypted, Stealth, Written in Assembler
%%Damage: Corrupts a data file., Displays messages., Drops letters on the screen
%%Size: A 6000 byte long, parasitic virus program., Also, takes 18 kbyte from memory
%%See Also:
%%Notes: The following notes are extracted from VB, April 1995:

2UP virus has appeared in Russia. It is 6 kbyte long, and it is written in Assembler language. 2UP infects EXE and COM files.

Execution of an infected file transmits the virus to the system memory. The decryption routine takes control from the host program, restores the virus body to its original form, and then passes control to the installation routine. The installation routine checks for a memory-resident copy. If it fails to identify itself in memory, the virus starts to install itself: it allocates 18 kbyte of memory for its use and hooks the Int 22h handler (the Program Termination Address), then returns control to the host program. After the program terminates, the virus moves itself into system memory through Int 22h.

The virus infects EXE and COM files. In the case of COM files, it writes itself in front of the host file. In the case of EXE files, the virus inserts itself between the header and the body of the host file and modifies the header so that control is passed to the virus code.

2UP modifies the directory sector on disk: it writes its ID stamp into the file's directory entry. The stamping is accomplished by writing the string ' 2UP(C)1994' into the reserved field of the directory entry. This is used to prevent multiple infection. In addition, the virus uses a second test for self-recognition: it compares the beginning of the file with 15 bytes of the virus code.

When new files are created on the system, the memory-resident copy checks their names before infecting them. The name is checked against the text string ' AID COMMAND ANTI AV HOOK SOS TSAFE -V SCAN NC ' to avoid infecting any of the anti-virus programs, COMMAND.COM, etc.

2UP has several payloads, and a payload may be delivered as soon as the virus gets control. While 2UP installs itself into system memory, it calls Int 21h with AX=F66h; if register CX returns a value of 4F6Bh, the following message is displayed:

Hello BOBBY ! (BOBBY-Trash Soft & Hardware )

The virus also has several video-effect messages. One video effect is triggered by the occurrence of an error: it selects a line on the screen at random, and the characters are raised from their places and then dropped back. The second video effect is triggered under certain conditions by either the execution of an anti-virus program or the opening of a file. This video effect covers the whole screen with 2UP and text strings related to the virus. The conditions for this video effect are an even-numbered month and a current second of 58 or 59. Sometimes the virus overwrites newly created files with the second video message.

The recommended method for disinfection is to use clean system conditions, then identify and replace the infected files.
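The ID stamp described above gives a defender a signature that lives in the directory sector rather than in the file body, so a raw directory sector can be checked for stamped entries without reading every file. The following scanner is an added example, not code from the catalogue entry or from VB; it assumes the standard DOS 32-byte directory-entry layout (bytes 12 to 21 reserved) and assumes the stamp is the 10-byte string 2UP(C)1994 (the leading space in the quoted string is treated as quotation spacing). The sample sector is constructed here for the demonstration.

```python
# Added example: scan a raw FAT directory sector for the 2UP ID stamp that the
# virus writes into the reserved field of a directory entry. Not the catalogue's
# own code; layout and stamp value are assumptions stated in the lead-in.

STAMP = b"2UP(C)1994"      # assumed 10-byte stamp (leading space of the quote dropped)
ENTRY_SIZE = 32            # DOS directory entry size
RESERVED_OFFSET = 12       # DOS 3.x layout: bytes 12..21 are reserved (assumption)
RESERVED_LEN = 10
ATTR_VOLUME_LABEL = 0x08


def entry_name(entry: bytes) -> str:
    """Render the 8.3 name of a directory entry as NAME.EXT."""
    base = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    return f"{base}.{ext}" if ext else base


def is_stamped(entry: bytes) -> bool:
    """True if the reserved field of this entry carries the 2UP stamp."""
    reserved = entry[RESERVED_OFFSET:RESERVED_OFFSET + RESERVED_LEN]
    return STAMP in reserved


def scan_directory_sector(sector: bytes) -> list[str]:
    """Return the names of all live file entries in the sector that are stamped."""
    hits = []
    for off in range(0, len(sector) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = sector[off:off + ENTRY_SIZE]
        first = entry[0]
        if first == 0x00:              # no more entries in this directory
            break
        if first == 0xE5:              # deleted entry, skip
            continue
        if entry[11] & ATTR_VOLUME_LABEL:
            continue                   # volume label, not a file
        if is_stamped(entry):
            hits.append(entry_name(entry))
    return hits


def make_entry(name8: str, ext3: str, reserved: bytes = bytes(RESERVED_LEN)) -> bytes:
    """Build a 32-byte directory entry for the constructed sample sector."""
    entry = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    entry += bytes([0x20])             # attribute byte: archive
    entry += reserved[:RESERVED_LEN].ljust(RESERVED_LEN, b"\x00")
    entry += bytes(10)                 # time, date, first cluster, size (zeroed)
    return entry


# Constructed sample: three files, one of them carrying the stamp, then end marker.
SAMPLE_SECTOR = (
    make_entry("COMMAND", "COM")
    + make_entry("GAME", "EXE", STAMP)
    + make_entry("EDIT", "COM")
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    print("stamped entries:", scan_directory_sector(SAMPLE_SECTOR))
```

On a real disk the sector bytes would come from reading the root directory or a subdirectory cluster chain; the scanner flags entries for replacement from clean media rather than attempting in-place repair, which matches the disinfection advice in the notes.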