Fandom

Malware Wiki

OlympicAIDS

1,346pages on
this wiki
Add New Page
Comments3 Share
Not to be confused with AIDS or AIDS II.

Virus.DOS.VCL.Olympic.1440, or commonly called OlympicAIDS, is a virus that runs on MS-DOS. It is written by a Swedish virus-writing group Immortal Riot.

Behavior

The OlympicAIDS is a normal .com file infector. The method used by the virus to search for the next file to be infected is not very efficient, though. Once the virus has infected a large number of the files on the hard disk, it might take half a minute for the virus to find a new victim file. Such a slowdown is likely to make the virus easier to spot.

When the virus finds a file to infect, it first checks it's size to make sure the added virus code will not grow the file over the size limit of .com files, 64KB. Then it inspects the first bytes of the candidate file to see if it already contains a similar jump construct that the virus is about to insert to the beginning of file. If such structure is found, the virus considers the file to be already infected and starts to search for another victim.

The virus does not check for the 'MZ' or 'ZM' markers to distinguish .exe files. This means that the virus will corrupt .exe files that have been renamed to have a .COM extension. When such a corrupted file is executed after infection, the virus will be able to spread further, but is unable to transfer control back to the original program. In most cases the machine will just crash.

The actual infection process consists of storing the original first three bytes of the file to the end of the file and replacing them with a jump to a decryption routine, which the virus also appends to the end of the file. An encrypted version of the virus code is also stored to the end of the file, before the decryption routine. The virus uses a single pseudo-random variable key based on the infection time to encrypt it's code.

OlympicAIDS is able to infect files which have the DOS read-only attribute turned on. It will also restore the date and time stamps of the infected files. However, infected files grow in size by 1440 bytes, and this is visible in the directory listing. The virus has no directory-stealth routines, since it does not stay resident.

Payload

The virus activates by random after the 12th of February, that the 1994 Winter Olympics started on this date. At the time of activation, the virus draws the Olympic circles to the screen and displays some comments the Games. After this, it overwrites the first 256 sectors of the first hard disk in system. The virus also disables Ctrl-C and Ctrl-Break during the destruction routine. Finally, the machine is hanged. When an infected file is executed, the virus first decrypts its code. Then it starts to recursively search for suitable victim files, starting from the root directory of the current drive.

Other details

A lot of the code resembles the viruses generated by the VCL virus generator, up to the point of the standard VCL-like note; a short message in the end of the virus, which is not displayed at all. In this virus, the note text reads: "Olympic Aid(s) '94 (c) The Penetrate". This virus is probably based on VCL-created code, and has just been modified to avoid detection by some of the most popular scanners.

Video

Virus.DOS.VCL.Olympic02:05

Virus.DOS.VCL.Olympic.1440

Virus.DOS.VCL.Olympic.1440 on Virtual PC

Virus.DOS08:13

Virus.DOS.OlympicAIDS

Virus.DOS.VCL.Olympic.1440 on Standalone PC

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.