     Bye, (Bye_by_C&C)
     
                    - C.A.R.O. Analysis | Bye virus -


Name.............: Bye
Aliases..........: Bye_by_C&C
Targets..........: MBR, FBR
Resident.........: TOP
Memory_Size......: 1K
Storage_Size.....: 3K
Where............: FBR: Last two physical sectors
                   MBR: ActivePartition.Last_two_sectors
                   Original MBR/FBR is saved on last sector.
Stealth..........: 13h/02h
Polymorphic......: None
Armouring........: None
Tunneling........: It hooks INT 13h on bootstrap
Infectivity......: 6
Obviousness......: Slightly
Commonness.......: ITALY(3)
Commonness_Date..: 1995/18/11
Transient_Damage.: It displays a message on screen and hangs the PC
T_Damage_Trigger.: INT 1Ah (RTC Time I/O) AH = 4 -> DH == 5 && (DL & 2 != 0)
Permanent_Damage.: None
P_Damage_Trigger.: None
Side_Effects.....: The virus hides itself on disk by subtracting the last two sectors.
                   MBR[ActivePartition + 0Ch].DWORD -= 2
                   DBR[TotalSectors].WORD/DWORD -= 2
                   FBR[TotalSectors].WORD -= 2
Infection_Trigger: FBR: INT 13h -> AH == 2 && CX == 1 && DH == 0
                   MBR: On bootstrap by an infected floppy
Msg_Displayed....: "Bye by C&C"; Encrypted
Msg_Not_Displayed: None
Interrupts_Hooked: 13h/02h
Selfrec_In_Memory: None
Selfrec_On_Disk..: BootSector[65h].WORD = B902h
Limitations......: None
Comments.........: The Bye virus has a bug which hinders the correct
                   execution of the T_Damage_Trigger routine. It is likely
                   that the virus writer, while testing the virus with a
                   debugger, placed an INT 03 instruction (breakpoint),
                   overwriting the original code.
Analysis_By......: Paolo Monti - I.C.A.R.O.
Documentation_By.: Paolo Monti - I.C.A.R.O.
Entry_Date.......: 1995/18/11
Last_Modified....: 1995/18/11
See_Also.........: None
End..............:

   
     © Copyright 1995 Paolo Monti - All Rights reserved.
     GV221195
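
Added example, not part of the original record: a check of a hard-disk image for the Selfrec_On_Disk marker that also locates the saved original MBR for recovery, using the Where and Side_Effects fields. Assumptions: the marker word is stored little-endian, the partition table uses the standard layout (entry at 1BEh, sector count at +0Ch), "last sector" means the second of the two hidden sectors, and all function names are hypothetical.

```python
import struct

SECTOR = 512
MARK_OFF, MARK_WORD = 0x65, 0xB902   # Selfrec_On_Disk from the record
PT_OFF, PT_ENTRY = 0x1BE, 16         # assumed: standard MBR partition table layout

def has_marker(sector: bytes) -> bool:
    """True if the sector carries the self-recognition word (little-endian assumed)."""
    return len(sector) >= SECTOR and struct.unpack_from("<H", sector, MARK_OFF)[0] == MARK_WORD

def active_partition(mbr: bytes):
    """Return (lba_start, sector_count) of the first entry flagged 80h, or None."""
    for i in range(4):
        e = mbr[PT_OFF + i * PT_ENTRY : PT_OFF + (i + 1) * PT_ENTRY]
        if len(e) == PT_ENTRY and e[0] == 0x80:
            return struct.unpack_from("<II", e, 8)   # count is the DWORD at +0Ch
    return None

def check_image(image: bytes) -> dict:
    """Check sector 0 of a hard-disk image and locate the saved original MBR."""
    mbr = image[:SECTOR]
    report = {"marker": has_marker(mbr), "saved_mbr_lba": None}
    part = active_partition(mbr) if report["marker"] else None
    if part:
        start, count = part
        # The count was reduced by 2, so the hidden pair starts at start+count;
        # the record says the original is kept on the last of those sectors.
        lba = start + count + 1
        saved = image[lba * SECTOR : (lba + 1) * SECTOR]
        if len(saved) == SECTOR and saved[510:512] == b"\x55\xaa":
            report["saved_mbr_lba"] = lba
    return report

def build_sample() -> bytes:
    """Constructed 64-sector image: marked MBR, partition at LBA 1 shrunk from 63 to 61."""
    def mbr(count, marked):
        s = bytearray(SECTOR)
        if marked:
            struct.pack_into("<H", s, MARK_OFF, MARK_WORD)
        s[PT_OFF] = 0x80
        struct.pack_into("<II", s, PT_OFF + 8, 1, count)
        s[510:512] = b"\x55\xaa"
        return bytes(s)
    img = bytearray(64 * SECTOR)
    img[:SECTOR] = mbr(61, True)
    img[63 * SECTOR:] = mbr(63, False)    # saved original on the last sector
    return bytes(img)
```

A marker hit with no saved MBR found means the image does not match the layout assumed here and should be examined by hand before any repair is attempted.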
