%%File: VIRS0122.TXT
%%Name/Aliases: Anarchy.9594
%%Platform: PC/MS-DOS
%%Type: Program.,
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR., Encrypted, Stealth, Polymorphic
%%Damage: Decreases system memory by 83 kbytes, When triggered, display message and halt the computer
%%Size: Polymorphic: each infection different, 9594 byte long
%%See Also: Anarchy.2048
%%Notes: The following notes are extracted from VB Feb. 1995:

The virus is not typical: it is about 9 times longer than a typical virus and it decreases system memory by 83 kbytes (1 kbyte is typical). It therefore required more time to disassemble.

When an infected file is executed, control is passed to the virus code and the virus attempts to infect system memory. The virus checks the DOS version; if it is lower than DOS 3.0, control is returned to the host file. If conditions are suitable, it calls the undocumented Int 2Fh function (Installation Check function) to ensure the availability of other DOS functions. Next, it checks for a memory-resident copy of itself using an Int 21h function. If there is an active copy, control is passed to the host file; otherwise the virus installs itself in memory. The virus checks the size of system memory and, if it is sufficient, decreases the available memory by 83 kbytes and copies its code to that area. It then hooks Int 09h, Int 21h, and Int 28h for its own use. The virus uses Int 21h functions for infection, stealth, and triggering routines; it uses Int 09h and Int 28h for delivering its payload.

The virus checks the file name and extension. It infects all COM and EXE files, with the exception of COMMAND.COM. Anarchy distinguishes between EXE and COM files. It encrypts itself with its own polymorphic routines. The encrypted code is appended to the end of the host file, and a JMP VIRUS is written to the header; the JMP VIRUS code for COM files is different from that for EXE files. The file length is then adjusted to its original value, so the file appears unchanged. The virus attaches the text string ' UNFORGIVON' to the end of the file. Finally, it adds 100 years to the date stamp of the host file. This change in the date stamp and the ' UNFORGIVON' string are used by the virus to identify already-infected files and avoid infecting them twice.

The memory-resident copy keeps a count of all files infected since it was activated. If the count reaches 48, the virus delivers its payload, which is to display one of its four messages. The second action of the virus is that it emulates the shell of Norton Commander whenever the Alt-Minus keys are pressed (the Minus key of the numerical keypad only).

Note: Files located on remote disks are not infected by the virus.

The suggested method for disinfection is to identify and remove all infected files. File identification is trivial. A clean system should be used for the whole disinfection process.
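The two self-recognition markers described above (the ' UNFORGIVON' trailer and the date stamp pushed 100 years into the future) are exactly what an identification pass looks for. The following Python scanner is an added example, not code from the VB write-up or from this database; it assumes the trailer is the literal ASCII bytes shown in the entry, leading space included, and uses an assumed 50-year threshold for the "implausibly future" date check. Because the resident virus hides the appended code and restores the original file length while it is active, the scan only gives meaningful results when run from a clean system, as the entry recommends.

```python
import os
import sys
from datetime import datetime
from typing import Dict, List, Optional

# Marker string the entry says the virus appends to every infected file.
# Assumption: stored as these ASCII bytes, with the leading space shown in the text.
MARKER = b" UNFORGIVON"

# The entry states only COM and EXE files are infected (COMMAND.COM excepted,
# but it costs nothing to examine it too).
TARGET_EXTENSIONS = (".com", ".exe")

# Assumed threshold: a stamp this far past the reference year is treated as the
# virus's "+100 years" marker rather than a clock error.
FUTURE_YEAR_THRESHOLD = 50


def has_marker_trailer(data: bytes) -> bool:
    """True if the file content ends with the virus's self-recognition string."""
    return data.endswith(MARKER)


def year_looks_shifted(file_year: int, reference_year: int) -> bool:
    """True if a file's date-stamp year is implausibly far beyond the reference year."""
    return file_year - reference_year > FUTURE_YEAR_THRESHOLD


def scan_file(path: str, reference_year: Optional[int] = None) -> Dict[str, object]:
    """Check one file for both infection markers and report which were found."""
    if reference_year is None:
        reference_year = datetime.now().year
    with open(path, "rb") as fh:
        data = fh.read()
    mtime_year = datetime.fromtimestamp(os.path.getmtime(path)).year
    return {
        "path": path,
        "marker": has_marker_trailer(data),
        "date_shifted": year_looks_shifted(mtime_year, reference_year),
    }


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk a directory tree, examine COM/EXE files only, and return the flagged ones."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(TARGET_EXTENSIONS):
                result = scan_file(os.path.join(dirpath, name))
                if result["marker"] or result["date_shifted"]:
                    flagged.append(result)
    return flagged


if __name__ == "__main__":
    # Usage: python scan_anarchy.py <directory>   (run from a clean boot)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_tree(root):
        reasons = [k for k in ("marker", "date_shifted") if hit[k]]
        print("{}: {}".format(hit["path"], ", ".join(reasons)))
```

Either marker alone is enough to flag a file for removal; reporting both separately helps distinguish a genuine infection (trailer present) from a file whose date was merely corrupted by something else.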