Classification

Category :

Malware

Type :

Virus

Aliases :

Fichv 2.1

Summary

This encrypted virus contains the text

 ***FICHV 2.1 vous a eu*****.....

When it activates it will overwrite the first 6 sectors of the track 0, head 1 of the current drive. A slightly different version 2.0 is also known, but it is only 896 bytes long.

All but the first 107 bytes of the virus is encrypted with XOR B8h. The encryption key is one of the code bytes, the encryption routine is made to look somewhat like the address of the encryption key is incremented after each byte is dealt with, but is however a constant.

When the file is run, vectors for INT 01h and INT 03h are stored and a decryption routine to decrypt one byte is installed instead to both handlers. The first byte is decrypted with int 3 and the rest of the virus is decrypted with repeated calls to int 1. The first thing done in the encrypted area is to reinstall the original vectors.

Virus fetches the INT 21h vector. If the first byte of the INT 21h segment is 'F' the virus considers itself already installed. If the virus is already installed or if the current program name matches "*COMMAND.*" or if an error occurs during installation, the PSP is copied to 6000:0000h and the original file is run.

During installation the old INT 21h vector is stored in the virus code and the current program name is fetched from the program environment. The current program is shrunk to the virus size and the INT 21h handler installed (first byte of the segment is set to 'F'). Then the program is executed from the disk with interception disabled and the virus exits with INT 21h/AH=31h. The return value passed in AL is not the program return value, but is the return value from the load/exec call. Interrupt vectors are get and set by using DOS calls.

The INT 21h handler intercepts DOS functions 4Bh (load program) and 3Dh (open file). Interception is disabled by passing BP=00FFh. The DTA is stored and changed to cs:0080 during interception.

Infection only takes place if more than 3000 bytes are free on the current drive. A suitable file matching filespec "*.com" in the current directory is selected for infection. The file must be at least 1500 bytes long and the filetime must not have a seconds field of 62 (this is used to flag infected files).

A dummy critical error handler is installed each time a file is to be infected. The old handler is not restored so crashes are likely some time after running infected files.

Date and time are preserved, except the seconds field is set to 62. Whenever the infection routine needs a buffer, it uses 6000:0000h not caring whether any other program is using that area or not. For instance, the virus is copied to this area for encryption.

Infection is done by appending the virucode to the start of the file. The infect routine checks whether the byte at CS:0000 is 'G' when it exits, to determine the exit method. If the virus is installed, it simply tidies up and exits into DOS. If the virus is not installed, the PSP is copied to 6000:0000h and if it is March, a damage routine is invoked. Otherwise a copy routine is copied to 6000:0010 and jumped to. The copy routine copies the first virus_size bytes of the file back to the beginning and jumps indirectly to the program start.

The damage routine copies the text '****FICHV 2.1 vous a eu*' 85 times in succession into the buffer at 6000:0000h. There are 4 more '*' at the end of this text which were probably meant to be included but the author must have miscounted. The text means "FICHV 2.1 got you". The text is written to the first 6 sectors of the first 256 cylinders of the current drive, heads 0 and 1. This loops forever unless the INT 13h write disk command returns an error. If such an error occurs the virus exits into the host program as it would if the damage had not been done.

Variant:Fichv-EXE 1.0

This variant is 897 bytes, and infects EXE files, not COM files.

Variant:Fichv 2.0

An earlier version of the virus.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

N/A