Selected viruses, spyware, and other threats: sorted alphabetically
This is a polymorphic resident COM and EXE infector with implemented semi stealth. When an infected file is executed the virus is finding out, by means of calling INT 21h and register AX=6969h, whether it has already been installed in memory. If there is at the return no value 696Ah in the AX register the virus will reserve 18384 memory bytes, it will mark it as system memory, move into it and redirect the INT 21h support to its own code. Then, it will check the system time. If the number of minutes equals thirty and the number of seconds is maximum 15 it will create file VIRUS.COM in the disc C root directory. This file contains the standard EICAR file for testing anti-virus programs. Most programs respond to this innocent file as if it was infected by an actual virus. Soon, the virus presents itself by a graphic effect – it displays a rotating message
The virus infects suitable files when they are executed. It always sets its own support INT 24h. It avoids attacking the file COMMAND.COM as well as files containing strings TB, VI, AV, NA, VS, FI, F-, FV, IV, DR, SC, GU and CO in their name. It attacks files of COM type only in case if their length is between 1000 and 56999 bytes. With the DOS command DIR it will insert the virus dropper – the file README.COM – into one half of files compressed by PKZIP program. The dropper creates an infected graphic program telling about various BSSes. The virus chooses from three variants. In the virus droppers one of the following text strings can always be found:
Downloaded From http://www.narkotic.com/~vico
Da BeSt BoaRd In SPaiN: El GriLLo Loco (34-1-352 24 45)
ROADKILL BBS *Call now 028-6621590
The virus modifies the file ANTIVIR.DAT of the anti-virus system TBAV containing data on programs identity in a way preventing to recognize the infected file. The virus contains also other text strings in its body but those are not displayed:
IDEA virus (c) Spanska 98 Tnx to Rajaat (poly), F Mirza (IDEA), Wild Worker (zip), Solar D (road)
The virus uses triple coding. The outer layer is polymorphic; the middle one represents a cyclic decoder. To decode this layer the virus uses “rough force attack“, i.e. it tries all possible combinations. The last layer represents symmetric cipher IDEA (we can some across it for example in PGP). Only after decoding the body the virus implements its complete dirty activity.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.