%%File: VIRS0515.TXT
%%Name/Aliases: Little Red, Little.Red, Mao
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application.
%%Features: Memory resident; TSR., Semi-Stealth, Infecting process results in slowing down the computer
%%Damage: Audio messages under certain conditions.
%%Size: 1465 bytes long.
%%See Also:
%%Notes: The following is extracted from the VB, July 1995:

The Little.Red virus is written to commemorate the Chinese leader "Mao-Tse Tung". It delivers its payload on Sep. 9 and Dec. 26 of any year after 1994. On Dec. 26 (Mao's birthday), it plays the Chinese tune 'Liu Yang River'; this river runs through Hunan, the province of Mao's birthplace. On Sept. 9 (the date of Mao-Tse Tung's death), it plays the Chinese tune 'The East is Red'.

The virus body is appended to COM and EXE files, and the beginning of the file is modified according to the file type. Both infected EXE and COM files can install the virus in memory, and they are functionally the same. However, the memory-resident copy resides at a different location in memory. Little.Red identifies itself in memory by returning a value of 5Bh in the BL register. In an infected EXE file, the initial IP is equal to 693. In a COM file, the first byte is a JMP; a mathematical operation is then performed on the 2nd and 3rd bytes, and if the result equals the contents of the 4th and 5th bytes, the COM file is infected.

Installation in memory is done in the usual way. Suppose an infected COM file is executed: control is passed to the virus code, which checks for its ID in memory. If no resident copy is found, it decrypts the code, executes the installation routines, re-encrypts the code and returns control to the host file. The installation routine uses DOS call Int 21h, function 4Ah (Resize Memory Block) to shrink memory by 6Dh paragraphs and copies itself into that space at the end of the memory block. The last part of the procedure is to hook Int 21h and Int 1Ch, and to attempt to infect the COMMAND.COM file (not successful).

The resident copy of the virus hooks several subfunctions of Int 21h for its own use: AH = 11h, AH = 12h, AH = 30h, and AX = 4B00h. The virus is rather eager to infect as many files as possible when the DIR command is issued. The drawback is that the machine becomes very slow when there are many clean EXE and COM files in the directory. This sluggishness is accompanied by disk clanking, which gives a clue to the presence of the virus.

As mentioned above, Little.Red does not carry any destructive payload. However, the continuous music could be irritating and nerve-racking to some people. The recommended method for disinfection is to use clean system conditions, then identify and replace the infected files.