Fandom

Malware Wiki

2up

1,335pages on
this wiki
Add New Page
Comments0 Share

Virus.DOS.2up.6000 or Ugly.6000, is a dangerous memory resident parasitic encrypted stealth virus on DOS.

Behavior

When the virus is loaded into memory, it hooks INT 21h, and writes itself to the beginning of DOS executable or the middle of EXE executable that is run or created.

Before an infection, the virus checks whether the filename contains the following text string:

AID COMMAND ANTI AV HOOK SOS TSAFE -V SCAN NC VC TNT ADINF

If found, the virus ignores the file.

While infecting, the virus creates the file OBJXCREF.COM, writes itself into there, appends the file body, and then renames to the name of the file that it is infecting.

On execution of some infected files, especially EXE executable, the system may crash.

The virus copies into a reserved system area of directory entries with the string:

2UP(C)1994

Payload

When the virus installs itself into memory, it calls INT 21h with AX=F66h, if the value returned by register CX is 4F6Bh, it displays the text:

Hello BOBBY ! (BOBBY-Trash Soft & Hardware)

When a program is run by the time the minute is greater than or equal to 57, and the value of month is an even number (e.g. February, April...), the virus drops the characters from the top of the screen to a selected line randomly, the host program will not run until the payload is done. On running some programs this payload does not occur.

When an system error is generated, the virus displays a video effect with the following message:

+------------------------------------------------+
|   Attention ... No smoking ! Stop Talking !    |
+------------------------------------------------------------------+
|   2(Two) Unlimited Programists presents: 2UP Virus Version 1.0   |
+------------------------------------------------------------------+
|     +-------+     ---     ---  +---------+     |
|     |       |      |       |   |         |     |
|     |       |      |       |   |   2UP   |     |
|     |       |      |       |   |         |     |
|             |  --  |       |   |---------+     | 
|     +-------+      |       |   |               |
|     |              |       |   |               |
|     +--------      +-------+  ---              |
|                                                |
|      We'll turn your life into nightmare       |
+------------------------------------------------+

In some cases it overwrites the files with this message when they are newly created.

Other details

This virus is also known as Ugly.

The virus contains the encrypted internal text strings:

Hullo ! Welcome to 2UP virus. Don`t try so hard!
Hallo Mr.Virusolog,now you decod me !
It's about f*cking time.What do you think about 2UP Virus ?
This Virus Was Designed in 1992-1994 .It Dedicated For Nobody..
I Want To BreakFree ! Right Now
.com.COMobjxcref.com
2UP(C)1994
.EXE.COM

The message above is not censored in the real virus.

References

Analysis of the 2up virus, the report

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.