%%File: VIRS0590.TXT
%%Name/Aliases: No_Smoking
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application.
%%Features: Encrypted. Sends NetWare messages. Files longer than 59860 bytes are not infected.
%%Damage: No intentional damage. Very small files are corrupted.
%%Size: 1575 bytes, self-encrypting COM file.
%%See Also:
%%Notes:
1. The virus is not memory resident, but it leaves part of its own Int 21h handler in memory as a means of infecting more files.

2. On infection, it intercepts Int 21h and Int 24h to call trigger routines and to prevent DOS error messages.

3. Upon execution of an infected file, control is passed to the virus decryption routine (the virus encrypts itself twice, so two decryption routines are required). Using Int 21h and Int 24h, the infection routine is called, which scans the directory to locate 5 uninfected COM files. It writes the body of the virus at the end of the file and modifies the file entry point to a JMP instruction to the starting location of the virus code.

4. The virus checks the file length, but it does not check the length properly. This shortcoming causes the corruption of very small files, while very large files (more than 59860 bytes) are exempted from infection.

5. The trigger routine is activated on Novell NetWare stations only. The trigger routine is called when there is an Int 24h call on infection. Upon activation, the first step is to obtain the name of the server to which the infected station is connected, using the "GET FILE SERVER INFORMATION" function. The name of the server that was used at login is returned to the virus. Second, the virus finds out the number of users connected to the server using "GET FILE SERVER INFORMATION", and obtains the hosting computer number using "GET CONNECTION NUMBER, Int 21h, AH=DCh". Third, it randomly selects two connected computers on the network and gets their names and addresses via "GET CONNECTION INFORMATION". Finally, the virus generates the phrase "NAME: Text", where NAME is the name of the network of the first selected computer and Text is a string that is sent to the second selected computer. The text string is " Friday I'm in LOVE!" or "No Smoking, please! Thanks.". Receiving this type of message does not raise any suspicion, since it has the appearance of a joke making its way over the network. Eventually, the message will be received by all users and people will be alerted to the situation.

6. The virus corrupts EXE files that carry a COM extension, such as those produced by compressing COM files with certain versions of DIET.

7. The recommended method for disinfection is to reboot from a write-protected system diskette. Identify and replace the infected files, which should be easy, knowing that they are of type COM and that the virus adds 1575 bytes to any infected file.
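
The layout facts in notes 3, 4 and 7 (body appended at the end, entry point patched to a JMP to the start of the virus code, 1575 bytes added, hosts over 59860 bytes skipped) can be combined into a triage check for COM files examined from a clean boot. This is an added example, not part of the original catalogue entry; the 3-byte E9 near-JMP encoding and all function names are assumptions, and a match is a layout heuristic, not a signature.

```python
import os
import struct
import sys

VIRUS_LEN = 1575       # bytes added to each infected file (from the entry above)
MAX_HOST_LEN = 59860   # longer hosts are not infected (from the entry above)

def jmp_target(data):
    """File offset reached by a leading near JMP (opcode E9), or None."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    disp = struct.unpack_from("<H", data, 1)[0]
    return (3 + disp) & 0xFFFF   # IP wraps at 64 KiB inside a COM segment

def triage_com(data):
    """Return 'suspect' when the image matches the appended-body layout."""
    host_len = len(data) - VIRUS_LEN
    if host_len < 0 or host_len > MAX_HOST_LEN:
        return "no-match"
    # Assumption: the patched entry is a 3-byte E9 jump to the first byte
    # of the appended body, which sits at the original end of file.
    return "suspect" if jmp_target(data) == host_len else "no-match"

def scan(root):
    """Yield paths of *.COM files under root whose layout is suspect."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".com"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if triage_com(fh.read()) == "suspect":
                        yield path

def constructed_sample(host_len):
    """Constructed test image: E9 jump + filler host + 1575 zero bytes."""
    head = b"\xE9" + struct.pack("<H", (host_len - 3) & 0xFFFF)
    return head + b"\x90" * (host_len - 3) + bytes(VIRUS_LEN)

if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspect:", hit)
```

Files it flags are candidates for replacement from known-good media, as note 7 recommends; a clean program that happens to jump to an offset 1575 bytes before its end would also be flagged.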