Changsha.3072

Type: Virus
SubType: Multi-Partite
Discovery Date: 12/01/1992
Length: 3,072-3,104 Bytes
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 12/15/1992
Description Modified: 12/15/1992 12:00 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

Changsha.3072 is a memory resident, multi-partite virus. It infects .COM and .EXE files, including COMMAND.COM. It also infects the system hard disk Master Boot Record (MBR) and diskette boot sectors.

Upon infection, the Changsha.3072 virus becomes memory resident as a low system memory Terminate-and-Stay Resident (TSR) of 3,392 bytes. It hooks interrupts 08, 13, and 21. Also at this time, it infects the hard disk MBR.

Once the Changsha.3072 virus is memory resident, it infects .COM and .EXE files as they are executed or opened.

It is not known what Changsha.3072 does besides replicate.

Additional Comments:
The Changsha virus was submitted in December, 1992. It is originally from China. Changsha is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. It also infects the system hard disk master boot sector (partition table).

When the first Changsha infected program is executed, the Changsha virus will install itself memory resident as a low system memory TSR of 3,392 bytes, hooking interrupts 08, 13, and 21. Also at this time, it will infect the hard disk master boot sector if it was not previously infected.

Once the Changsha virus is memory resident, it will infect .COM and .EXE programs when they are executed or opened for any reason. Infected .COM programs will have a file length increase of 3,072 bytes. Infected .EXE programs will have a file length increase of 3,091 to 3,104 bytes. In both cases, the virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered.

The following text strings can be found within the viral code in all Changsha infected programs:

"Welcome!"
"Auto-Copy Deluxe R3.0"
"(C)Copyright 1991. Mr. YaQi. Changsha China"
"No one can Beyond me!"
"Invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"
"New Century of Computer Now!"

It is unknown what Changsha does besides replicate.

Symptoms

The following text strings are found within the viral code in all Changsha.3072 infected files:

"Welcome!"
"Auto-Copy Deluxe R3.0"
"(C)Copyright 1991.Mr.YaQi.Changsha China"
"No one can Beyond me!"
"Invalid Partition Table"
"Error Loading Operating System"
"Missing Operating System"
"New Century of Computer Now!"

Infected .COM files have a file length increase of 3,072 bytes. Infected .EXE files have a file length increase of 3,091 to 3,104 bytes. In both cases, the virus is located at the end of the file. The file's date and time in the DOS disk directory listing are not altered.
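
A triage check built from the symptoms above, as an added example that is not part of the original description: it searches the end of a file for the listed strings and compares file growth against a known-good size baseline, which matters because the directory date and time are not altered. The strong/weak weighting, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re

# Strings quoted on the page. The copyright line is printed there both with
# and without spaces after the periods, so the pattern accepts either form.
STRONG = [
    rb"Auto-Copy Deluxe R3\.0",
    rb"\(C\)Copyright 1991\. ?Mr\. ?YaQi\. ?Changsha China",
    rb"No one can Beyond me!",
    rb"New Century of Computer Now!",
]
# Assumption of this sketch: these count only as weak indicators, because a
# generic greeting and boot-code error messages can also occur in clean code.
WEAK = [
    rb"Welcome!",
    rb"Invalid Partition Table",
    rb"Error Loading Operating System",
    rb"Missing Operating System",
]
# Length increase in bytes per file type, as given on the page.
GROWTH = {".com": range(3072, 3073), ".exe": range(3091, 3105)}


def growth_matches(ext: str, baseline_size: int, current_size: int) -> bool:
    """True if the file grew by the amount the page gives for this extension."""
    return (current_size - baseline_size) in GROWTH.get(ext.lower(), ())


def scan_tail(data: bytes, min_strong: int = 2) -> dict:
    """Search only the last 3,104 bytes: the page places the virus at end of file."""
    tail = data[-3104:]
    strong = sum(1 for p in STRONG if re.search(p, tail))
    weak = sum(1 for p in WEAK if re.search(p, tail))
    return {"strong": strong, "weak": weak, "suspect": strong >= min_strong}


def make_sample(clean: bytes, growth: int, spaced: bool) -> bytes:
    """Constructed test data: zero filler plus page strings, not real viral code."""
    sep = b". " if spaced else b"."
    text = (b"Welcome!\x00Auto-Copy Deluxe R3.0\x00(C)Copyright 1991" + sep + b"Mr"
            + sep + b"YaQi" + sep + b"Changsha China\x00No one can Beyond me!\x00")
    return clean + text + b"\x00" * (growth - len(text))
```

A file is worth escalating when both checks agree: the growth matches its extension and at least two strong strings sit in the tail.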

Method of Infection

Multi-partite viruses have two main routes of infection: as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.

Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.

Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.

Removal

-

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Changsha
  • Changsha.A
