Satan Bug does not have any destructive effects.
This virus only infects files with the following characteristics:
The infected files grow 4 or 5 Bytes in size, as the virus copies its code to them.
Satan Bug has the following infection routine:
- It checks if it is already memory resident by calling the undocumented function F9h of the interruption 21h, expecting it to return the value ACOAh.
- It goes memory resident and uses up 9 Kbytes of the available memory.
- It captures four operating system services:
Service 4Bh: This is used by the virus to infect the programs run on the computer.
Service 3Dh: This is used by the virus to infect all the files opened on the computer.
Service 6Ch: This is an open file service used by the virus to check if the file is being created. This service first appeared on MS DOS, from its versio 4.x.
Service F9h: The virus uses this service to check whether it is already memory resident or not.
- From then on, the virus will infect all the executable files that have certain characteristics.
In addition, Satan Bug is a polymorphic virus. This virus has a large amount of junk mnemonic numbers (CMD, CLC, STI, NOP, etc). This polymorphic component makes it difficult for antivirus programs to detect it.
Means of transmission
Satan Bug does not use any specific means to spread. It can reach computers through any of the usual means used by viruses: floppy disks, CD-ROMs, e-mail messages with infected attachments, Internet downloads, FTP, etc.
Other interesting characteristics of Satan Bug are:
- It includes the following two messages in its code: SatanBug virus - Little Loc and COMSPEC=COMMAND.COM.
The virus creator seems to be the same person that created the virus Natas, which does not have any destructive effects but may produce errors in the files with an EXE extension or overlays (OVL), when they are run.