OS2.AEP
=======

This is a harmless non-memory-resident parasitic NewEXE (OS/2) virus. It searches for EXE and DLL files, checks them for an NE stamp, then checks the OS/2 marker in the NewEXE header. Next, the virus obtains the number of the code segment that is the entry point segment, shifts down all other segments, then increases the length of the entry point segment, and writes its code there. Then the virus fixes the relocation and name tables and returns control to the host program.

   Clean File                 Infected File
+----------------+         +----------------+
|MZ DOS Header   |         |MZ DOS Header   |
|----------------|         |----------------|
|NE NewEXE Header|         |NE NewEXE Header|
|----------------|         |----------------|
|System Tables   |entry|   |System Tables   |
|----------------|point|   |----------------|
|Seg 1           |<----+   |Seg 1           |<--+
|                |         |                |   |
|----------------| --+     |- - - - - - - - |<---- entry point
|Seg 2           |   |     |Virus           |   |
|----------------|   |     |                |---+ returns to original
      . . .          +-->  |----------------|     entry point
|----------------|         |Seg 2           |
|Seg n           |         |----------------|
+----------------+ --+           . . .
                     |     |----------------|
                     |     |Seg n           |
                     +-->  +----------------+

This is the first known virus that affects OS/2 files in the "right way": it writes itself to the file and modifies the NewEXE header and other system areas.

While infecting a file, the virus uses the system calls:

    DosAllocSeg  DosFreeSeg  DosChgFilePtr  DosClose  DosFindFirst
    DosFindNext  DosOpen  DosRead  DosWrite

The virus contains the text strings:

    (C) 1995 American Eagle Publications Inc., All rights reserved.
    *.EXE
    *.DLL
    DOSCALLS

OS2.Jiskefet
============

It is a harmless non-memory-resident parasitic virus. It searches for NewEXE (LX) files, reads 2048 (800h) bytes from the beginning of the file, writes that data to the end of the file, and then writes itself to the 2048 bytes of the file header. Then the virus creates a temporary file, copies the host file there, disinfects that file and executes it. Then the virus returns control to the system.

While searching for and infecting files, the virus uses the OS/2 calls:

    DosExit  DosChgFilePtr  DosClose  DosDelete  DosFindClose
    DosFindFirst  DosFindNext  DosNewSize  DosOpen  DosGetEnv
    DosRead  DosWrite  DosExecPgm

The virus contains the text strings:

    Jiskefet
    DOSCALLS
    *.EXE
    MK

OS2.MyName
==========

This is a very dangerous non-memory-resident overwriting OS/2 virus. It is the first known virus infecting OS/2 executable files. Upon execution, it obtains the name of the host file, reads its code from there, then searches for NewEXE (LX) files and overwrites them.

While infecting a file, the virus uses the OS/2 calls:

    DosExit  DosClose  DosFindFirst  DosFindNext  DosOpen
    DosGetEnv  DosRead  DosWrite

and displays the messages:

    My name is --> infected

The virus also contains the text string:

    VIRUS
    DOSCALLS
    *.EXE
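
The OS2.AEP entry above describes an entry-point segment that grows, with the entry point moved into the added bytes. The following Python code is an added example, not part of the original description: it reads the NE header fields involved and compares a suspect file with a known-good copy of the same build. The function names and the two sample images are constructed for illustration.

```python
import struct

def ne_entry_segment(data: bytes):
    """Return (segment_no, ip, file_length) of the entry-point segment of an
    OS/2 NE image, or None if data is not an MZ+NE file targeted at OS/2."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (ne,) = struct.unpack_from("<I", data, 0x3C)          # offset of the NE header
    if ne + 0x40 > len(data) or data[ne:ne + 2] != b"NE":
        return None
    if data[ne + 0x36] != 1:                              # target OS byte, 1 = OS/2
        return None
    ip, cs = struct.unpack_from("<HH", data, ne + 0x14)   # entry point CS:IP
    (count,) = struct.unpack_from("<H", data, ne + 0x1C)  # number of segments
    (table,) = struct.unpack_from("<H", data, ne + 0x22)  # segment table, NE-relative
    rec = ne + table + (cs - 1) * 8                       # 8-byte segment records
    if not 1 <= cs <= count or rec + 8 > len(data):
        return None
    (length,) = struct.unpack_from("<H", data, rec + 2)   # bytes in file, 0 = 64 KiB
    return cs, ip, length or 0x10000

def grown_entry_segment(baseline: bytes, suspect: bytes) -> bool:
    """True when the suspect's entry segment is longer than the baseline's and
    its entry IP lies in the added bytes (the layout in the diagram above)."""
    old, new = ne_entry_segment(baseline), ne_entry_segment(suspect)
    if old is None or new is None or old[0] != new[0]:
        return False
    return new[2] > old[2] and new[1] >= old[2]

def make_ne(seg_len: int, ip: int) -> bytes:
    """Constructed sample: header fields only, one zero-filled segment, not runnable."""
    img = bytearray(0x200 + seg_len)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)               # NE header at 0x40
    img[0x40:0x42] = b"NE"
    struct.pack_into("<HH", img, 0x40 + 0x14, ip, 1)      # CS:IP = 1:ip
    struct.pack_into("<H", img, 0x40 + 0x1C, 1)           # one segment
    struct.pack_into("<H", img, 0x40 + 0x22, 0x40)        # segment table at NE+0x40
    struct.pack_into("<H", img, 0x40 + 0x32, 9)           # 512-byte sectors
    img[0x40 + 0x36] = 1                                  # target OS = OS/2
    struct.pack_into("<4H", img, 0x80, 1, seg_len, 0, seg_len)  # sector 1 = 0x200
    return bytes(img)

CLEAN = make_ne(seg_len=0x100, ip=0x10)    # constructed baseline
GROWN = make_ne(seg_len=0x180, ip=0x100)   # longer segment, entry in the added bytes
```

The comparison is only meaningful against a baseline of the same build, since a legitimate update also changes segment lengths and the entry point.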