Frogs

This page shows details and results of our analysis of the malware Frogs.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

1,500 Bytes

Description Added

1991-03-15

Description Modified

2002-01-22

Characteristics

Frogs is a memory resident, file infecting virus. It infects .COM files, including COMMAND.COM.

Upon infection, this virus becomes memory resident in low, unreserved system memory. Interrupts 09, 20, 21, and 2F are hooked by the virus. At this time, Frogs also infects COMMAND.COM and one other .COM file in the current directory. .COM files are only infected if their original file length was 1,500 or more bytes.

Once memory resident, Frogs infects one .COM file each time an infected file is executed or a DIR command is performed. In either case, long disk accesses are noticeable, either when an infected .COM file is executed or as the DIR command completes.

Additional Comments:
The Frogs, or Frog's Alley, virus was submitted in March, 1991 by David Grant of the United States. This virus is a memory resident infector of .COM files, including COMMAND.COM.

When the first program infected with Frogs is executed, this virus will install itself memory resident in low, unreserved system memory. Interrupts 09, 20, 21, and 2F will be hooked by the virus. At this time, Frogs will also infect COMMAND.COM and one other .COM file in the current directory.

After becoming memory resident, Frogs will infect one .COM file each time an infected program is executed or a DIR command is performed. In either case, long disk accesses will be noticeable either when an infected .COM program is executed, or as the DIR command completes. .COM files are only infected if their original file length was 1,500 or more bytes. Programs infected with Frogs will have a file size increase of 1,500 bytes, and the file's date and time in the disk directory will have been updated to the system date and time when the infection occurred. The virus will be located at the beginning of infected programs.

Frogs activates on the 5th day of any month. When an infected program is executed on the 5th, the following message will be displayed: "(V) AIDS R.2A - Welcome to Frog's Alley !, (c) STPII Laboratory - Jan 1990" This message will again be displayed whenever a DIR command is performed. The first time the message is displayed, the virus will remove the system files and COMMAND.COM from the disk. Other programs will still be accessible until they are also removed, or the virus is no longer in memory. Once the virus is no longer in memory, the disk will display the volume label "s Alley !" and have no files found when a DIR command is performed. The disk's FAT and root directory will have been overwritten with the above message multiple times.

Other symptoms of Frogs are long disk access times when executing programs or performing DIR commands, as well as occasional unexpected accesses to the B: disk drive. Some memory intensive applications will hang when Frogs is active in memory. Known variant(s) of Frogs are:

Symptoms

Frogs activates on the 5th day of any month. When an infected file is executed on the 5th, the following message is displayed:

"(V) AIDS R.2A - Welcome to Frog's Alley !, (c) STPII Laboratory - Jan 1990"

This message is also displayed whenever a DIR command is performed. The first time the message is displayed, the virus removes the system files and COMMAND.COM from the disk. Other files are still accessible until they are also removed, or the virus is no longer in memory. Once the virus is no longer in memory, the disk displays the volume label "s Alley !" and has no files found when a DIR command is performed. The disk's File Allocation Table (FAT) and root directory are overwritten with the above message multiple times.

Other symptoms of Frogs are long disk access times when executing files or performing DIR commands, as well as occasional unexpected accesses to the B: disk drive. Some memory intensive applications hang when Frogs is active in memory.

Files infected with Frogs have a file size increase of 1,500 bytes, and the file's date and time in the disk directory have been updated to the system date and time when the infection occurred. The virus is located at the beginning of infected files.
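
The disk damage described in this section can be checked on a raw floppy or partition image. The following is an added example, not part of the original analysis: it reads the FAT12/16 BIOS Parameter Block, locates the FAT copies and root directory, and counts how often the activation message appears in each. It assumes the boot sector is still readable (the description does not say whether it is touched); the function names are hypothetical and the sample image is constructed.

```python
import struct

# Activation message quoted in the description above.
MESSAGE = b"(V) AIDS R.2A - Welcome to Frog's Alley !, (c) STPII Laboratory - Jan 1990"

def fat_layout(boot):
    """Locate the FAT copies and root directory from a FAT12/16 BIOS Parameter Block."""
    bps, _spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", boot, 11)
    media, fat_sectors = struct.unpack_from("<BH", boot, 21)
    if bps not in (512, 1024, 2048, 4096) or not nfats or not fat_sectors:
        raise ValueError("no usable FAT12/16 BPB in boot sector")
    fat_off, fat_len = reserved * bps, nfats * fat_sectors * bps
    return media, {"fat": (fat_off, fat_len), "root": (fat_off + fat_len, root_entries * 32)}

def scan_image(image):
    """Report how often MESSAGE appears in the FAT and root directory of a raw disk image."""
    media, layout = fat_layout(image[:512])
    report = {name: image[off:off + length].count(MESSAGE)
              for name, (off, length) in layout.items()}
    fat_off = layout["fat"][0]
    # A healthy FAT begins with the media descriptor byte from the boot sector.
    report["fat_header_ok"] = image[fat_off] == media
    report["overwritten"] = report["fat"] > 0 and report["root"] > 0
    return report

def make_sample_image(damaged):
    """Constructed image with a 1.44 MB floppy layout, truncated after the root directory."""
    boot = bytearray(512)
    struct.pack_into("<HBHBH", boot, 11, 512, 1, 1, 2, 224)
    struct.pack_into("<BH", boot, 21, 0xF0, 9)
    fat = bytearray(9 * 512)
    fat[0:3] = b"\xF0\xFF\xFF"
    system = bytearray(fat * 2 + bytes(224 * 32))
    if damaged:  # tile the message over both FAT copies and the root directory
        tiled = MESSAGE * (len(system) // len(MESSAGE) + 1)
        system[:] = tiled[:len(system)]
    return bytes(boot) + bytes(system)

if __name__ == "__main__":
    for label, img in (("clean", make_sample_image(False)), ("damaged", make_sample_image(True))):
        print(label, scan_image(img))
```

Run it against a read-only copy of the image; a nonzero count in both regions together with a failed FAT header check matches the overwrite described above.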

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants

Frogs-B