%%File: VIRS0349.TXT
%%Name/Aliases: Emma
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Memory resident; TSR. Hides in EMS (expanded memory blocks).
%%Damage: No damage, only replicates. Unknown yet.
%%Size: 427 bytes long. Appending parasitic COM file infector.
%%See Also:
%%Notes: Emma is 427 bytes long. It is appended to COM files, with a JMP instruction placed at the start of the infected COM file.

Infection of EMS starts with the execution of an infected file. The JMP passes control to the virus code, which tests system memory for an active copy of itself. If an active copy is found, control is returned to the host program; otherwise the virus attempts to install itself into system memory through the Int 67h handler. The first step is to determine whether the EMS driver is loaded. If no driver is found, control is returned to the host file and system memory is not infected. If an EMS driver is found, the virus obtains the number of unallocated pages. Control is passed to the host file when no free pages are found. Otherwise, the virus finds the EMS frame segment address and stores it. It then allocates one EMS page and makes it available for its use, copies itself into that frame, and unmaps the page. The virus is now stored in EMS memory. The remaining installation steps are: 1) copy the virus's Int 21h code into the Interrupt Vector Table at address 0024:0000h, which is the same address as the virus ID word; 2) hook Int 21h. Finally, control is returned to the host program.

Files are infected when they are executed on a system whose memory is infected. The main code of the virus takes control over the file. First, it makes sure that the DOS function is Load_and_Execute. If so, it allows the original process to complete, then attempts to infect the file. It opens the file and reads the header; if the first instruction is a JMP instruction, it calculates the offset. If the jump is 430 bytes from the end of the file, it assumes that the file is already infected and control is returned to the calling function. If the header is not a JMP instruction, the virus checks for EXE and COM stamps. If the file is an EXE type, the infection routine is aborted; otherwise it appends its body to the end of the file, modifies the header to a JMP VIRUS instruction, and returns control to the calling code.

Detection and removal of the virus should be easy. Emma writes its ID word 2E9Ch at address 0024:0000h of system memory, and its Int 21h code is inserted in the Interrupt Vector Table. A virus scanner should detect these changes without scanning EMS memory. The virus is removed from memory by removing the EMS driver from CONFIG.SYS and then rebooting the computer. Infected files can be identified and cleaned under clean system conditions.
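The two detection markers described in the notes (the entry JMP whose displacement is 430 bytes short of the file length, and the ID word 2E9Ch at 0024:0000h) can be turned into a simple offline check. The Python below is an added example and is not part of the VIRS0349 record or of any scanner it describes. It assumes that "430 bytes from the end of the file" means the JMP's 16-bit displacement equals file length minus 430 (the 427-byte body plus the 3-byte JMP, which is consistent with an appended body), and that a conventional-memory dump is laid out so that 0024:0000h maps to linear offset 0x240. The test images it builds are harmless stand-ins (a tiny exit stub plus NOP filler) that only reproduce the layout, not any virus code.

```python
# Added example, not from the original record: heuristic checks for the
# Emma infection markers. Assumptions: the "430 bytes from end of file"
# self-check compares the JMP rel16 displacement against len(file) - 430,
# and 0024:0000h is linear 0x240 in a conventional-memory dump.
import struct

VIRUS_LEN = 427          # appended body size, from the record
JMP_LEN = 3              # E9 rel16 at the start of an infected COM file
INFECTED_DISTANCE = 430  # value the virus's own "already infected" test uses
ID_WORD = 0x2E9C         # ID word the resident copy writes at 0024:0000h
ID_LINEAR_ADDR = 0x0024 * 16 + 0x0000   # segment:offset -> linear 0x240 (assumed layout)


def com_looks_infected(image: bytes) -> bool:
    """True if a COM image carries the Emma-style entry JMP.

    The image must start with E9 (near JMP rel16) and the displacement
    must equal file length minus 430, which is exactly where a 427-byte
    body appended after a 3-byte JMP would begin.
    """
    if len(image) < JMP_LEN + VIRUS_LEN or image[0] != 0xE9:
        return False
    (disp,) = struct.unpack_from("<H", image, 1)
    return disp == len(image) - INFECTED_DISTANCE


def is_exe_stamp(image: bytes) -> bool:
    """The virus skips files with an EXE stamp even under a .COM name;
    a scanner can use the same MZ/ZM triage before the JMP check."""
    return image[:2] in (b"MZ", b"ZM")


def memory_dump_looks_infected(dump: bytes) -> bool:
    """Check a conventional-memory dump for the ID word at 0024:0000h."""
    if len(dump) < ID_LINEAR_ADDR + 2:
        return False
    (word,) = struct.unpack_from("<H", dump, ID_LINEAR_ADDR)
    return word == ID_WORD


def build_test_com(infected: bool) -> bytes:
    """Construct a harmless stand-in COM image for exercising the check.

    The 'infected' variant only mimics the layout the record describes
    (entry JMP plus 427 bytes of NOP filler); it contains no virus code.
    """
    host = b"\xB8\x00\x4C\xCD\x21" + b"\x90" * 60   # mov ax,4C00h / int 21h / padding
    if not infected:
        return host
    body = b"\x90" * VIRUS_LEN
    disp = len(host) - JMP_LEN   # from offset 3 to the start of the appended body
    return b"\xE9" + struct.pack("<H", disp) + host[JMP_LEN:] + body


def build_test_dump(infected: bool) -> bytes:
    """Constructed 1 KB IVT-sized dump with or without the ID word planted."""
    dump = bytearray(0x400)
    if infected:
        struct.pack_into("<H", dump, ID_LINEAR_ADDR, ID_WORD)
    return bytes(dump)


if __name__ == "__main__":
    for label, img in (("clean", build_test_com(False)), ("layout-match", build_test_com(True))):
        print(f"{label:13s} len={len(img):4d} infected={com_looks_infected(img)}")
    print("dump with ID word:", memory_dump_looks_infected(build_test_dump(True)))
    print("dump without     :", memory_dump_looks_infected(build_test_dump(False)))
```

The file check deliberately mirrors the virus's own self-recognition test, so it flags exactly the files the virus itself would treat as already infected; a JMP-at-entry COM file of a different layout is left alone, which keeps false positives low on legitimate programs that also begin with a jump.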