%%File: VIRS0723.TXT
%%Name/Aliases: Sticky, Nu_Way, Multi2, Fist.927
%%Platform: PC/MS-DOS
%%Type: Multipartite.
%%Disk Location: EXE application. COM application. Hard disk partition table.
%%Features: Memory resident; TSR. Encrypted. Infects COM files of 300 - 62000 bytes. All files with SCAN name are exempt from infection.
%%Damage: No damage, only replicates.
%%Size: 927 bytes long
%%See Also: Tequila
%%Notes: The following notes are extracted from VB, July 1995:

Sticky was found in the Midwest USA. The virus was referred to by various names, many of them containing the string 'Fist' or 'Scream'. Sticky should not be confused with the 'Screaming_Fist' family, because they differ in functionality and the code does not contain the text 'Screaming_Fist'.

Hard disk infection occurs when an infected file is executed on the system. The virus drops into the Master Boot Sector (MBS) using Int 13h. Later, when the system is rebooted, the virus becomes memory resident. It acquires 3k just under the 640k limit (CHKDSK shows the lower amount of memory available). The memory resident copy is now ready to perform its task.

The memory resident virus infects COM and EXE files (any file with the name SCAN is safe). Infection takes place on any of these commands: Open, Exec, Rename, or Change File Mode. The virus uses the standard EXE/COM infection techniques.

Sticky identifies itself in the MBS, in memory, in EXE files and in COM files. The MBS ID occupies 18 bytes from offset 1Ah. The memory ID is a value of 1234h from register. The COM file ID is the 4th byte being equal to the second byte - 1. The EXE file ID is the Initial IP set to 1.

Sticky does not have any payload. No attempt has been made to hide the virus infection in the directory or file.

Warning: Sticky infects on the Open command. Any scanner that cannot detect the virus in memory will spread the virus everywhere. Using an infected PC to scan a server means disaster. When any executable network files are executed, the MBS and workstations on the network will be infected.

The recommended method for MBS disinfection is to start from a clean boot and use the FDISK/MBR command. Replace each infected file with a clean backup copy after a clean boot.
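
An added example, not part of the original record or of the VB analysis: a Python triage check for the two file self-identification markers described in the notes (EXE Initial IP equal to 1; COM 4th byte equal to second byte - 1). The function names, the sample byte strings and the wrap-around at 00h in the COM check are assumptions.

```python
import struct

MZ_SIGNATURES = (b"MZ", b"ZM")  # DOS treats either signature as an EXE image


def sticky_marker(data: bytes):
    """Return 'exe', 'com' or None: which Sticky self-ID marker the image carries.

    The image is classified by content, as DOS does, not by file extension.
    """
    if data[:2] in MZ_SIGNATURES:
        if len(data) < 0x16:
            return None  # truncated header, Initial IP not present
        # Initial IP is the little-endian word at offset 14h of the MZ header.
        (initial_ip,) = struct.unpack_from("<H", data, 0x14)
        return "exe" if initial_ip == 1 else None
    # COM image: the 4th byte must equal the second byte - 1.
    # Wrapping 00h - 1 to FFh is an assumption; the notes do not cover it.
    if len(data) >= 4 and data[3] == (data[1] - 1) & 0xFF:
        return "com"
    return None


def triage(images):
    """Map name -> marker for every image that carries one.

    A hit is only a lead: the one-byte COM relation also holds for some
    clean files, so confirm with a scanner run from a clean boot.
    """
    hits = {}
    for name, data in images.items():
        marker = sticky_marker(data)
        if marker:
            hits[name] = marker
    return hits


def make_mz(initial_ip):
    """Build a constructed, minimal MZ header with the given Initial IP."""
    header = bytearray(0x1C)
    header[0:2] = b"MZ"
    struct.pack_into("<H", header, 0x14, initial_ip)
    return bytes(header)


# Constructed sample images (not real infected files).
SAMPLES = {
    "CLEAN.EXE": make_mz(0x0100),
    "MARKED.EXE": make_mz(1),
    "CLEAN.COM": bytes([0xE9, 0x34, 0x12, 0x90]),
    "MARKED.COM": bytes([0xE9, 0x34, 0x12, 0x33]),
}

if __name__ == "__main__":
    print(triage(SAMPLES))
```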