-----------------------------------------------------------------------------
 WildList Notes - (c)1995 Joe Wells - c1jwells@watson.ibm - wildlist@aol.com
-----------------------------------------------------------------------------

Virus Name:  V-Sign

Aliases:     Cansu, Sigalet

Infects:     MBR on first two hard drives. DOS boot sector on floppy disks.

Disk Size:   2 sector (plus 38 bytes).

Location:    The virus collects 38 bytes from the MBR or floppy boot 
             sector, stores them in its body, and inserts 38 bytes that 
             load the rest of the virus. On the hard drives, the two 
             sectors of virus code are stored on physical sectors 4 and 5 
             of cylinder 0, head 0. On floppies, the virus accurately
             calculates the last two sectors in the root directory on the 
             standard diskette formats (except 1.44m, see Bugs below) and 
             places its code therein.

Memory Size: The virus reserves 2k of memory by reducing the available
             memory word at 40:13. On a 640k system the value will be 
             changed from 280h to 27Eh. Chkdsk will report 653312 bytes 
             (638k) of memory free.

Location:    In 2k reserved at top of conventional memory.

Special:     The virus is considered polymorphic in that the 38 bytes 
             stored in the MBR or boot sector are variable. The virus 
             tries to detect and remove the Stoned virus (see bugs below).

Effects:     A large red "V" on a black background appears and the system 
             hangs.

Trigger:     Based on a counted incremented during floppy infections.

Messages:    [none]

Bugs:        The virus miscalculates where to place its code on 1.44m 
             floppies. This can result in data loss. The virus fails in 
             its attempt to detect the Stoned virus in memory, but can 
             successfully remove it from floppies.

Origin:      Turkey.

Notes:       The virus contains a routine to randomize the 38 loader bytes 
             it places in the host MBR or boot sector. The randomization 
             results in one of six different code sequences. Since there 
             is a set number of sequences, some have classed this virus as 
             oligomorphic rather than polymorphic. However, oligomorphism, 
             according to the CARO definition, usually means a virus that 
             has a set group of sequences and picks one to use. But, V-Sign 
             actually generates the different sequences. This tends more
             towards the definition for polymorphism. In either case, it 
             can be detected with a simple wildcard signature.
