X-Fungus tests residence by issuing and INT 21h, AX=5432h. If the return value is 1004h, virus concludes that it is already resident.
Virus finds a suitable memory block to install itself in by following down the MCB chain and selects the block which is marked as last, or the last block before it exceeds the 640k limit, whichever is found first.
The virus reserves 2 KB by subtracting block size. The PSP next pointer is also adjusted. 1422 bytes of the viruscode is copied to the reserved memory area and execution continues in the copy. INT 21h and INT 08h handlers are installed by directly reading/writing the interrupt table.
The INT 21h handler defines the residence test, and intercepts the following DOS functions to infect files: 4Bh (load program), 43h (get/set attribute), 3Dh (open file), 56h (rename file), 6Ch (extended open/create).
Also DOS functions 1Ah (set DTA) is trapped so the DTA value can be stored (this code assumes that the setDTA call never fails), and functions 11h (FCB find first) and 12h (FCB find next) are trapped to conceal the increase in sizes of infected files. The virus subracts 1422 bytes from the filesizes of all infected files when they are looked at.
The infection routine flags the type of file depending on whether the given filename matches "*COM" or "*EXE" and ignores other files. "EXE" files which name begins with "SC" and COM files which name begins with "CO" are excluded from infection.
If the virus went resident on the 20th of September, the first 5 attempts at infecting files also write a message to the screen and wait 18 timer ticks. The message is 70 bytes long and encrypted with 8-bit NEG. It is reencrypted as soon as it has been used. Here is the message text:
John Bonham - September 20, 1980- L E D Z E P P E L I N -
The 18 timer tick waiting routine is all the INT 08h timer routine does. An dummy critical error handler is installed during infection. This interrupt handler is installed using standard DOS calls.
The file attribute is cleared and restored afterwards. File date/time are preserved, except that 100 years is added to the filedate if infection is successful. This is the way the virus marks files as infected.
The virus code has a lot of jumps all over the place. The code also contains the following text strings, which are not displayed:
*X-Fungus by Harry McBungus* *Nugga!* *Greets SCP* *Greets RABID* * Patricia: Grow some programming knowledge * *Grease me!* *K-Mart in full effect* *Epileptic Downer*
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
N/A