%%File: VIRS0656.TXT
%%Name/Aliases: Quicky, Quicksilver.1376, V.1376
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: EXE application.
%%Features: Memory resident; TSR. Encrypted.
%%Damage: Deletes checksum data files.
%%Size: 1376 bytes long
%%See Also:
%%Notes: The following notes are extracted from VB, June 1995:

Quicky appeared in the UK and Europe. The virus is 1376 bytes long and it infects EXE files. Quicky uses no stealth techniques to hide its presence, so the increase in file length can be detected immediately. The virus code is poorly written and has many flaws. The writer had attempted to include a destructive routine that could corrupt writes to the hard disk; however, the writer was not successful in the programming, so he/she bypassed that section with a jump.

The first action of the code is to decrypt itself. It is decrypted in two halves using a simple byte-swapping XOR routine. It then re-modifies its decryption routine and patches its addressing to identify its location in memory.

Now the first error/bug in the code shows up. The virus checks whether it is already memory resident by calling Int 21h with AX=C000h (a memory-resident copy returns AX=76F3h). This call conflicts with some interrupt calls of NetWare, so it may lead to the host program being aborted. Next, it checks the contents of register BX for a certain value. This check is meant to activate the destructive routine, which is currently bypassed. If the virus is already memory resident, control is returned to the host program. Otherwise it moves down to memory, hooks Int 13h and Int 21h, and returns control to the host program.

The file infection method is somewhat unusual. The virus watches for program execution on the system, then removes the read-only attribute, opens the file, closes the file immediately, resets the attributes, and lets the program run. The virus infects the program during the closing process. The net effect of this method is that even write-protected files become infected upon their execution (due to a programming error, DOS error messages are displayed when the infection process fails).

Quicky has a section that deletes various checksum data files used by anti-virus programs, in order to prevent detection. Again, due to a programming error, data files are deleted from the current directory only, which may not be the same directory that contains the infected program. This error allows the virus to be detected by a checksummer after all.

The recommended method for disinfection is to use clean system conditions, then identify and replace the infected files. The memory-resident copy can be deactivated by calling Int 21h with AX=C001h.