%%File: VIRS0322.TXT
%%Name/Aliases: Dragon
%%Platform: PC/MS-DOS
%%Type: Other: Parasitic file infector
%%Disk Location: EXE application.
%%Features: Memory resident; TSR, Stealth, Fast infector type
%%Damage: Corrupts some EXE files, which causes system crash; otherwise no damage, only replicates.
%%Size: Overlays application, no increase
%%See Also:
%%Notes: The following text is extracted from VB March 1995: This virus uses a non-standard method of intercepting and infecting EXE files. It hooks the Int 13h vector to control disk access and tests for the EXE stamp 'MZ'. The virus needs 400 bytes for its code and data. It inserts itself into the EXE header and modifies the header so that control is passed to the virus upon execution. Executing an infected file triggers the installation routine in system memory. The installation routine allocates 400 bytes at the top of base memory, marks the MCB owner field as 'system', and copies the virus into that block. The size, location, and stealth technique of this virus make it hard to detect and allow fast infection. Once resident, the virus obtains the DOS Data Table pointer using Get List Of Lists and searches for the Drive Parameter Blocks of both floppy and hard disk drivers. It stores the addresses of the Strategy and Interrupt handlers of each such driver, then installs its own address in place of the original device driver. Thus any DOS call to the driver is passed to the virus, which performs its function and then calls the original device driver. The virus code is built on the assumption that most EXE headers have unused space padded with zeros, up to a maximum of 480 bytes. It is designed to write itself between offsets 0070h and 0200h in the header. When that part of the EXE header holds other information or instructions, they are lost upon infection and the EXE file is corrupted. Executing a corrupted EXE file causes a system crash.
Note: Dragon may have problems working under NetWare and in multitasking environments. Removal should be done under clean system conditions: the infected files should be identified and replaced. The hex pattern of the virus in files and in memory is as follows:
8CC8 2E01 0691 000E 0606 8CC0 488E C026 8E1E 0300 83EB 1A07
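The entry gives two things a scanner can use: the hex pattern above, and the fact that the virus writes itself into the 0070h-0200h region of the MZ header, which in a clean file is normally zero padding. The following Python is an added example (not from the database entry or from VB) that parses the MZ header, searches for the quoted pattern, and flags non-zero bytes in that header slot as a heuristic. The sample EXE images are constructed inline; the function names (`parse_mz_header`, `scan_exe`, `build_sample`) and the 0x200-byte header layout of the samples are the example's own assumptions.

```python
import struct

# Hex pattern quoted in the database entry, as bytes (whitespace is ignored by fromhex).
DRAGON_PATTERN = bytes.fromhex("8CC8 2E01 0691 000E 0606 8CC0 488E C026 8E1E 0300 83EB 1A07")

# Header range the entry says the virus overwrites.
SLOT_START, SLOT_END = 0x70, 0x200


def parse_mz_header(data: bytes) -> dict:
    """Return the MZ header fields needed for the check; raise ValueError if not an MZ file."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
     e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno) = struct.unpack_from("<13H", data, 2)
    return {
        "header_bytes": e_cparhdr * 16,  # header length in bytes (e_cparhdr is in paragraphs)
        "e_ip": e_ip,
        "e_cs": e_cs,
        "e_lfarlc": e_lfarlc,
    }


def scan_exe(data: bytes) -> dict:
    """Look for the Dragon pattern anywhere in the image and for non-zero data in the
    0070h-0200h header slot.  The slot check is only a heuristic: a legitimate header that
    stores relocations or other data in that range will also trigger it."""
    hdr = parse_mz_header(data)
    sig_off = data.find(DRAGON_PATTERN)  # -1 when absent
    # Only examine the part of the slot that actually lies inside the header.
    end = min(SLOT_END, hdr["header_bytes"], len(data))
    slot = data[SLOT_START:end]
    return {
        "signature_at": sig_off,
        "slot_nonzero": any(slot),
        "header_bytes": hdr["header_bytes"],
    }


def build_sample(payload_in_slot: bytes = b"") -> bytes:
    """Constructed DOS EXE image: 0x200-byte header (e_cparhdr = 0x20), no relocations,
    and a four-byte body that just exits to DOS.  Optionally place bytes into the slot to
    mimic what the entry describes; this is test data, not a real infected file."""
    header = bytearray(0x200)
    header[:2] = b"MZ"
    # e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
    # e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
    struct.pack_into("<13H", header, 2,
                     0x04, 2, 0, 0x20, 0, 0xFFFF,
                     0, 0x100, 0, 0, 0, 0x40, 0)
    header[SLOT_START:SLOT_START + len(payload_in_slot)] = payload_in_slot
    body = b"\xB4\x4C\xCD\x21"  # mov ah,4Ch ; int 21h
    return bytes(header) + body


if __name__ == "__main__":
    for label, image in (("clean", build_sample()),
                         ("constructed-with-pattern", build_sample(DRAGON_PATTERN))):
        print(label, scan_exe(image))
```

A pattern hit is the strong signal; the slot heuristic on its own only says the file deserves a closer look, which matches the entry's advice to identify infected files and replace them from clean media rather than attempt in-place repair.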