%%File: VIRS0680.TXT
%%Name/Aliases: Satan Bug, SatanBug, Sat_Bug, Satan, S-Bug, Fruit-Fly
%%Platform: PC/MS-DOS
%%Type: Program.,
%%Disk Location: EXE application., COM application., COMMAND.COM, Program overlay files.?, SYS System files.?
%%Features: Memory resident; TSR., Encrypted
%%Damage: Corrupts a program or overlay files.
%%Size: Polymorphic: each infection different, Files increase 2.9K to 5K
%%See Also: Natas
%%Notes: The virus is a memory resident, non-stealth, encrypted, mutating, polymorphic virus that infects .COM, .EXE, .SYS, and .OVL files. It hooks the file open and file execute commands and infects programs when they are opened or executed.

If Satan Bug is not already in memory, and if COMSPEC is not the first item in the environment (SET), the virus will not load into memory. If the virus is already in memory, this has no effect. If COMMAND.COM is infected, there is no way to make COMSPEC last without having the virus load first. This appears to be how the virus writer protected his own system. To move COMSPEC from the first position, use something like the following at the beginning of your AUTOEXEC.BAT file:

    SET TEMP=C:\DOS
    SET COMSPEC=C:\COMMAND.COM

This puts COMSPEC into the second position. Note that if you redefine TEMP, COMSPEC will move back into the first position.

The virus adds 100 years to the file's creation date. It probably uses this to check for an infection. You can't see this change with the DIR command, but must use a special utility. NAVCERT created the program CHKDATE to look for this change in the date.

Since the program infects .SYS files, network drivers tend to break after infection, making networks inaccessible. Note that I have not been able to get it to infect a .SYS file, but it does infect EMM386.EXE, which is usually installed high and could force the other drivers out.

Do not run an infected virus scanner on a disk, as it will then infect the whole disk.

Encrypted in the file is the text: SATAN BUG virus - Little Loc

Locate with: DataPhysician Plus 4.0B, Scan V106, Norton AntiVirus 2.1 with August 1993 virus definitions. Scan v106-109 do not see all infected files.
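
The 100-year date marker described in the notes can be checked directly in raw FAT directory entries. The following is an added example, not part of the original record and not the CHKDATE program: it assumes the marker sits in the 16-bit date field at offset 24 of each 32-byte directory entry, and the cutoff year of 2080 (the earliest FAT year, 1980, plus 100) is an assumed heuristic. The sample directory is constructed.

```python
import struct

DIRENT_SIZE = 32                         # size of a FAT12/16 directory entry
MARKER_SHIFT = 100                       # years added to the date, per the notes
MIN_SHIFTED_YEAR = 1980 + MARKER_SHIFT   # assumption: earliest FAT year plus the shift

def decode_fat_date(raw):
    """Decode a 16-bit FAT date: bits 15-9 year-1980, bits 8-5 month, bits 4-0 day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F

def scan_directory(sector):
    """Return (name, stamped_date, probable_original_year) for entries dated 2080 or later."""
    hits = []
    for off in range(0, len(sector) - DIRENT_SIZE + 1, DIRENT_SIZE):
        entry = sector[off:off + DIRENT_SIZE]
        if entry[0] == 0x00:                         # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:     # deleted, volume label or subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (raw_date,) = struct.unpack_from("<H", entry, 24)
        year, month, day = decode_fat_date(raw_date)
        if year >= MIN_SHIFTED_YEAR:
            label = f"{name}.{ext}" if ext else name
            hits.append((label, (year, month, day), year - MARKER_SHIFT))
    return hits

def make_entry(name, ext, year, month, day, attr=0x20):
    """Build a constructed 32-byte directory entry for the sample below."""
    entry = bytearray(DIRENT_SIZE)
    entry[0:8] = name.ljust(8).encode("ascii")
    entry[8:11] = ext.ljust(3).encode("ascii")
    entry[11] = attr
    struct.pack_into("<H", entry, 24, ((year - 1980) << 9) | (month << 5) | day)
    return bytes(entry)

# Constructed sample directory: two normal dates, two shifted by 100 years.
SAMPLE = b"".join([
    make_entry("COMMAND", "COM", 1993, 3, 10),
    make_entry("EMM386", "EXE", 2093, 3, 10),
    make_entry("DOS", "", 2093, 1, 1, attr=0x10),    # subdirectory, skipped
    make_entry("WP", "EXE", 2091, 6, 24),
]) + bytes(DIRENT_SIZE)                              # zeroed entry ends the directory

if __name__ == "__main__":
    for name, stamped, original in scan_directory(SAMPLE):
        print(name, stamped, "probable original year:", original)
```

A date in that range is only an indicator; a file flagged this way still needs confirmation with a scanner that detects the virus.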