-----
Analysis done by Thomas Geiger, Germany
Additional analysis done by ROSE Softwareentwicklung, Ralph Roth
-----

Name      : UPS.1155 (UPS ist Hier)
Virus     : NEW!
Strain    : VCL?
Origin    : Unknown, found by Thomas Geiger, +49-7742-6282, Germany
            Probably Germany, Baden-Württemberg
Date of D.: 12-31-1995
Detection : First detected using a dummy file.
            Detected by *Heuristic* Scan of F-PROT 2.21
            Not detected by McAfee SCAN 2.2.8
            Not detected by TBAV 6.50
            Detected by VSP 11.19 using *Heuristic* Scan
Length    : 1155 Bytes
Infects   : ONLY *.COM, not including COMMAND.COM
            Infects files when an infected file is executed by DOS. Finds new
            .COM files and infects them. (More than 10 .COM files in a
            directory)
            Uses dot-dot infection routine to infect all files in the C:
            directory and up!
            Can get past System/Hidden/Read-Only-Attributes.
            Does not change time of infected File.
            Antiheuristic Programming
            Checks System Time
            Non-Overwriting Virus, attaches itself to end of File.
            Direct action infector, appending. Not memory resident
            Uses normal Assembler Jump (JMP NEAR) to go to Virus-Routine.
            Relocator (call +0), 286+ Code?
            Encrypting/Decrypting

            Contains the following strings:
                !\ oH iTs X-MAS /!
                *.COM ..
                \ThE_UpS-IsT_HiEr/

            Has a nice graphical payload. Check the UPSDEMO.COM file for it!
            Payload is activated before control is passed to the hostfile,
            if current time, hundredths of seconds = 66. PC will then hang.

String    : E837006A0A??00B00233D2E8D901FF840801E81000B440B98004BA030103D6CD

Scanner   : VSP 11.20.b can detect UPS. K-UPS & VSP 11.21 detect and
            remove this virus.
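
Added example (not part of the original analysis and not VSP or K-UPS code):
a matcher for the scan string in the "String" field, where "??" is one
wildcard byte, which also reports whether a hit lies in the last 1155 bytes
of the file, as the "Length" and appending-infector notes imply. Function
names are hypothetical and the test buffer is constructed filler, not a sample.

```python
import re

# Scan string copied from the "String" field; "??" stands for one wildcard byte.
UPS_1155 = "E837006A0A??00B00233D2E8D901FF840801E81000B440B98004BA030103D6CD"
VIRUS_LEN = 1155  # "Length" field: bytes appended to the end of the host


def compile_scan_string(sig):
    """Translate a hex scan string with ?? wildcards into a bytes regex."""
    sig = "".join(sig.split()).upper()
    if len(sig) % 2:
        raise ValueError("odd number of characters in scan string")
    parts = []
    for i in range(0, len(sig), 2):
        pair = sig[i:i + 2]
        if pair == "??":
            parts.append(b".")  # DOTALL below lets this match 0x0A too
        else:
            parts.append(b"\\x%02x" % int(pair, 16))  # ValueError on bad hex
    # Lookahead keeps matches zero-width so overlapping hits are reported.
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(data, sig=UPS_1155):
    """Return (offset, in_tail) for every match of sig in data.

    in_tail is True when the match starts inside the last VIRUS_LEN bytes,
    which is where an appending infector of that length would place it
    (assumption: nothing was appended to the file after infection).
    """
    pattern = compile_scan_string(sig)
    tail_start = max(len(data) - VIRUS_LEN, 0)
    return [(m.start(), m.start() >= tail_start) for m in pattern.finditer(data)]


def constructed_sample(wildcard=0x0A):
    """Constructed buffer: filler plus the 32 scan-string bytes, nothing else."""
    sig = bytes.fromhex(UPS_1155.replace("??", "%02X" % wildcard))
    tail = b"\x00" * 40 + sig + b"\x00" * (VIRUS_LEN - 40 - len(sig))
    return b"\x90" * 200 + tail  # 200 filler bytes stand in for the host


if __name__ == "__main__":
    for offset, in_tail in scan(constructed_sample()):
        print("match at offset %d, inside last %d bytes: %s"
              % (offset, VIRUS_LEN, in_tail))
```

A hit outside the last 1155 bytes is still a hit; the flag only says whether
the position agrees with the appending behaviour described above.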

-----

This program can only handle filenames of at most 255 characters in length
(including paths). If you have longer filenames (Win 95/Win-NT supports
IMHO only 255 chars) you have to map your paths.

Under Novell Netware this is an easy job, just take a look at MAP.EXE.

-----



(C)opyright 1987-97 (ALL RIGHTS RESERVED!)

             ROSE Softwareentwicklung
             Dipl.-Ing. (FH) Ralph Roth
             Finkenweg 24

             D 78658 Zimmern o. R.

             FAX/AB:  +49.741-32647

    EMail:        Ralph_Roth@p2.f2101.n246.z2.fidonet.org
    Fido:         2:246/2101.2


Type Bits/KeyID    Date       User ID
pub   512/CC3742A5 1995/02/08 Dipl.-Ing. (FH) Ralph Roth, Fido: 2:246/2101.2


-----
