%%File: VIRS0297.TXT
%%Name/Aliases: Dichotomy, Evil Avatar
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application., COM application.
%%Features: Memory resident; TSR., Polymorphic, Infection method on hard disk differs from that on floppy disk
%%Damage: Causes system to hang., Corrupts some EXE files.
%%Size: Polymorphic: each infection different; two blocks, 296 bytes and 567 bytes.
%%See Also:
%%Notes: The following notes are extracted from VB. The name is taken from an internal text string ' [ Dichotomy] (c) 1994 Evil Avatar [ Dichotomy] ' in the program.

The virus consists of two blocks: the loader block (296 bytes) and the installation block (567 bytes). On a hard disk the two blocks are written into two different files. On a floppy disk both blocks are written into the same file, which ensures that the whole virus travels with the disk.

On a hard disk, the virus appends the loader block to the end of the host file and replaces the first 3 bytes of the host with a jump instruction to the appended virus code. The installation block is appended to the end of a second host file, with no change to the header or body of that file. The installation block's job is to install the virus in memory and to intercept the Int 21h handler. On a floppy disk, the virus infects a host file with both blocks, so an infected file contains the whole virus code.

When a file infected with the loader block is run, control passes to the virus code. The loader searches for the predetermined file containing the installation block. When that file is located, the remainder of the virus code is loaded into memory. The virus then checks the installation code for the identification word 445Bh. If the ID matches, the virus checks whether a copy is already resident in memory. If a resident copy exists, control is returned to the host file; otherwise the virus installs itself in memory. Installation consists of allocating a block of system memory, copying the virus code into it, modifying an undocumented Memory Control Block area, and hooking Int 21h. Finally, it restores the host program header and returns control to the host program.

After infection, the virus modifies the date and time stamps of the host file. For host files infected with the loader block, the seconds value is set to 60. For files containing the installation block, the seconds value is set to 62. On a floppy disk the seconds value is set to 62 only. The virus relies on this timestamp alone to distinguish infected files from clean ones. Because a DOS time field stores seconds divided by two in its low five bits, a legitimate file can show at most 58 seconds; a seconds value of 60 or 62 cannot occur naturally and is a usable indicator of infection.

Dichotomy has several bugs or missing instructions in its code. The most important one is that it infects EXE files as if they were COM files. When such an infected EXE file is executed, it is misidentified as a COM file, which causes the system to hang. The second important bug is incorrect checking of error flags and file length, which results in corruption of very short executable files.

The suggested method for disinfection is to boot from a clean system, identify the infected files and remove them. The following hex patterns can be used to scan system memory:

Part1 : E800 008B DC8b 2F81 ED03 0044 443E 81BE 5203 5B44 B41A 8D96
Part2 : FEC4 80FC 4C74 32FE CC80 FC51 740C 80FC 6274 052E FF2E 8C03
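The indicators above (the two hex patterns, the 60/62-second timestamp marker, and the 3-byte jump the loader plants at the start of a COM host) can be checked mechanically. The following Python is an added example written for this entry, not code from VB or from the virus itself: it searches a buffer (a file or a memory dump) for both patterns, decodes the seconds field of a DOS time stamp, and applies a heuristic for a loader-infected COM file. The sample "infected" file it builds is constructed for the demonstration (the appended block is the Part1 pattern followed by zero padding, not real virus code), and the jump-target heuristic in looks_like_loader_infection is an assumption about where the planted JMP lands, not a detail stated in the entry.

```python
"""Dichotomy (Evil Avatar) indicator checks: signature search, DOS time-stamp
marker decoding and COM entry-jump analysis.  Sample data is constructed."""
from __future__ import annotations
import struct

# Hex search patterns published in the entry.  Part 1 decodes as the loader
# prologue (call $+3 / mov bx,sp / mov bp,[bx] / sub bp,3 / inc sp / inc sp /
# cmp word [bp+352h],445Bh / mov ah,1Ah / lea dx,...); the bytes 5B 44 are the
# identification word 445Bh stored little-endian.  Part 2 decodes as the
# Int 21h hook's dispatch (inc ah / cmp ah,4Ch / je / dec ah / cmp ah,51h /
# je / cmp ah,62h / je / jmp far cs:[38Ch]).
PATTERNS = {
    "part1": bytes.fromhex("E800008BDC8B2F81ED030044443E81BE52035B44B41A8D96"),
    "part2": bytes.fromhex("FEC480FC4C7432FECC80FC51740C80FC6274052EFF2E8C03"),
}
ID_WORD = 0x445B        # identification word checked in the installation block
LOADER_SIZE = 296       # loader block size from the entry
INSTALL_SIZE = 567      # installation block size from the entry


def find_signatures(buf: bytes) -> list[tuple[str, int]]:
    """Return (pattern name, offset) for every occurrence of either pattern.
    Works equally on a file image or a dump of system memory."""
    hits = []
    for name, pat in PATTERNS.items():
        start = 0
        while (pos := buf.find(pat, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


def dos_time_seconds(dos_time: int) -> int:
    """Seconds encoded in a 16-bit DOS time field: bits 0-4 hold seconds/2,
    so legitimate values are 0..58; 60 and 62 never occur naturally."""
    return (dos_time & 0x1F) * 2


def timestamp_marker(dos_time: int) -> str | None:
    """Map the virus's seconds marker to the block it denotes, else None."""
    secs = dos_time_seconds(dos_time)
    if secs == 60:
        return "loader"
    if secs == 62:
        return "installation-or-floppy"
    return None


def com_entry_jump(data: bytes) -> int | None:
    """If the file starts with a near JMP (E9 rel16), return the file offset it
    lands on, else None.  A COM file loads at CS:100h, so the target's file
    offset is 3 + rel16 (signed)."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]
    return (3 + rel) & 0xFFFF


def looks_like_loader_infection(data: bytes) -> bool:
    """Heuristic (an assumption, not from the entry): the entry JMP lands in
    the final LOADER_SIZE bytes and the Part1 pattern is found in that tail."""
    target = com_entry_jump(data)
    if target is None or target < len(data) - LOADER_SIZE:
        return False
    tail_start = len(data) - LOADER_SIZE
    return any(name == "part1" and off >= tail_start
               for name, off in find_signatures(data))


def build_sample() -> bytes:
    """Constructed stand-in for a loader-infected COM file: a 100-byte host
    whose first 3 bytes are replaced by a JMP to a 296-byte appended block
    beginning with the Part1 pattern (the rest is zero padding)."""
    host = bytes([0xB4, 0x4C, 0xCD, 0x21]) + b"\x90" * 96   # mov ah,4Ch / int 21h / nops
    loader = PATTERNS["part1"] + b"\x00" * (LOADER_SIZE - len(PATTERNS["part1"]))
    rel = len(host) - 3                                      # jump from offset 3 to the tail
    return b"\xE9" + struct.pack("<h", rel) + host[3:] + loader


if __name__ == "__main__":
    sample = build_sample()
    print("signatures:", find_signatures(sample))
    print("entry jump lands at offset", com_entry_jump(sample))
    print("loader infection heuristic:", looks_like_loader_infection(sample))
    print("seconds field 0x1E ->", dos_time_seconds(0x1E), timestamp_marker(0x1E))
```

To apply this to a real system, feed find_signatures a memory dump or the raw bytes of each COM/EXE file, and feed timestamp_marker the 16-bit time word from the directory entry (or from any API that exposes the raw DOS time); a file that trips either the signature or the timestamp check should be treated as infected and replaced from clean media, as the entry recommends.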