Gingerbread Man Virus


 Virus Name:  Gingerbread Man 
 Aliases:     Bad Seed, Ginger 
 V Status:    Common - Australia 
 Discovered:  March, 1993 
 Symptoms:    .COM & .EXE growth; Master boot sector altered; decrease in 
              available free memory; file date/time seconds = 60 
 Origin:      Australia 
 Eff Length:  2,774 bytes 
 Type Code:   PRatAX - Parasitic Resident .COM, .EXE, & Master Boot Sector 
              Infector 
 Detection Method:  F-Prot, ViruScan, Sweep, AVTK, NAV, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, AVTK/N, Sweep/N, NAV/N, IBMAV/N, Innoc, NProt, 
                    LProt 
 Removal Instructions: Delete infected files & replace Master Boot Sector 
 General Comments: 
       The Gingerbread Man, or Bad Seed, virus was discovered in Australia 
       in March, 1993.  Gingerbread Man is a memory resident multi- 
       partite stealth virus which infects .COM and .EXE programs as well 
       as the hard disk partition table.  Its stealthing mechanisms are 
       very advanced, and it is also invisible on infected systems. 
 
       When the first Gingerbread Man infected program is executed, the 
       Gingerbread Man virus will install itself memory resident in 
       allocated low system memory, hooking interrupts 13 and 21.  Total 
       system and available free memory, as indicated by the DOS CHKDSK 
       program, will not be altered.  It will also infect the system hard 
       disk's master boot sector (partition table sector), altering two 
       bytes and then writing a copy of the viral code starting at side 0, 
       cylinder 0, sector 2.  The alteration to the hard disk partition 
       table is hidden when the virus is memory resident, as the virus will 
       present an uninfected copy of the partition table whenever an 
       attempt is made to access it. 
 
       Later, when the system is booted from the system hard disk, the 
       Gingerbread Man virus will become memory resident at the top of 
       system memory, but below the 640K DOS boundary, moving interrupt 
       12's return.  Total system memory, as indicated by the DOS CHKDSK 
       program, will not be altered, though available free memory will 
       have decreased by 3,072 bytes. 
 
       Once the Gingerbread Man virus is memory resident, it will infect 
       .COM and .EXE programs, other than the program pointed to by the 
       COMSPEC environment variable (usually COMMAND.COM), when they 
       are executed, opened, or copied.  In the case of program copies, 
       both the source and target files will become infected.  Programs 
       infected with the Gingerbread Man virus will have a file length 
       increase of 2,774 bytes with the virus being located at the end 
       of the file.  The file length increase is not visible when the virus 
       is memory resident, as the virus hides the increase and disinfects 
       programs whenever they are accessed.  The file's date 
       and time in the DOS disk directory listing will not appear to have 
       been altered, though the file time seconds field will have been set 
       to 60, the infection marker for the virus. 
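
The seconds = 60 marker described above can be checked directly in FAT directory entries. DOS stores seconds divided by two in the low five bits of the time word, so 60 appears as the raw value 30, one above the highest valid value of 29. The following is an added example, not part of the original entry: it assumes the directory bytes were read from a disk image while the virus was not memory resident, and the sample directory and its file names are constructed.

```python
import struct

TARGET_EXTS = {"COM", "EXE"}        # file types the entry says are infected
ATTR_VOLUME, ATTR_DIR = 0x08, 0x10  # FAT attribute bits

def decode_dos_time(raw):
    """Split a 16-bit DOS time word into (hours, minutes, seconds).
    Seconds are stored halved in 5 bits, so raw value 30 decodes to 60."""
    return (raw >> 11) & 0x1F, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def suspicious_entries(dir_bytes):
    """Return [(name, size)] for .COM/.EXE entries whose seconds field is 60."""
    hits = []
    for off in range(0, len(dir_bytes) - 31, 32):
        entry = dir_bytes[off:off + 32]
        if entry[0] == 0x00:      # end-of-directory marker
            break
        if entry[0] == 0xE5:      # deleted entry
            continue
        if entry[11] & (ATTR_VOLUME | ATTR_DIR):  # label, long-name slot, subdir
            continue
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (raw_time,) = struct.unpack_from("<H", entry, 22)
        (size,) = struct.unpack_from("<I", entry, 28)
        if ext in TARGET_EXTS and decode_dos_time(raw_time)[2] == 60:
            name = entry[0:8].decode("ascii", "replace").rstrip()
            hits.append((f"{name}.{ext}", size))
    return hits

def make_entry(name, ext, hours, minutes, raw_sec, size, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample below."""
    entry = bytearray(32)
    entry[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    entry[11] = attr
    struct.pack_into("<H", entry, 22, (hours << 11) | (minutes << 5) | raw_sec)
    struct.pack_into("<I", entry, 28, size)
    return bytes(entry)

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    make_entry("FORMAT", "COM", 12, 30, 30, 14000),            # marker set
    make_entry("EDIT", "EXE", 9, 15, 12, 50000),               # normal time
    make_entry("README", "TXT", 8, 0, 30, 900),                # not a target type
    b"\xE5" + make_entry("OLD", "EXE", 1, 1, 30, 5000)[1:],    # deleted
    make_entry("GAME", "EXE", 23, 59, 30, 41234),              # marker set
    bytes(32),                                                 # end of directory
    make_entry("GHOST", "COM", 1, 1, 30, 3000),                # past the end
])

print(suspicious_entries(SAMPLE_DIR))
```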
 
       The following text strings are unencrypted within the viral code, 
       and may be viewed in infected files, and on cylinder 0 of infected 
       hard disks, when the virus is not memory resident: 
 
               "PTT (You can't catch the Gingerbread Man!" 
               "Bad Seed - Made in OZ!" 
               "COMSPEC=" 
               "CHKDSK" 
               "MEM" 
               "10/23/92" 
 
       Since the Gingerbread Man virus is a full stealth virus, disinfecting 
       programs "on the fly", checksumming programs will be unable to detect 
       the virus when it is memory resident.  The virus will also lock up 
       the system keyboard if the virus determines that a debugger is in 
       use. 
 
       Known variant(s) of Gingerbread Man are: 
       Ginger.2691: Received in January, 1995, Ginger.2691 is a 2,691 
               byte variant of the Gingerbread Man virus described above. 
               Its size in memory is approximately 3K, hooking interrupt 
               21.  As with the original virus, Ginger.2691 is a full- 
               stealth virus which infects the system hard disk master 
               boot sector, .COM, and .EXE files.  It adds 2,691 bytes to 
               the .COM and .EXE files it infects, though the file length 
               increase will be hidden when the virus is memory resident. 
               The following text strings can be found within the viral 
               code: 
               "Ptt (You can't catch the Gingerbread Man!!" 
               "Bad Seed - Made in OZ" 
               "COMSPEC= \COMMAND.COM" 
               Origin:  Unknown  January, 1995. 
       Ginger.3183: Received in April, 1995, Ginger.3183 is a 3,183 
               byte variant of the Gingerbread Man virus described above. 
               Its size in memory is approximately 6,464 bytes, hooking 
               interrupts 13, 21, and 22.  As with the original virus, 
               Ginger.3183 is a full-stealth virus which infects the system 
               hard disk master boot sector, .COM, and .EXE files.  This 
               particular virus will also infect .SYS files.  It adds 3,183 
               bytes to files it infects, though the file length increase 
               will be hidden when the virus is memory resident.  The 
               following text strings are usually encrypted within the viral 
               code: 
               "TBSCAN" 
               "WIN" 
               "CHKDSK" 
               "PKZIP" 
               "ARJ" 
               "NDD" 
               "SCANDISK" 
               "LHA" 
               "co nm" 
               "Hemlock by [qark/VLAD] Available OSDATA" 
               Origin:  Australia  April, 1995. 
