Selected viruses, spyware, and other threats: sorted alphabetically
Tequila is a resident, multi-partite, stealth and polymorphic virus. When an infected program is executed, the virus attacks the hard disk’s MBR: the original MBR contents and the rest of the virus body are moved to the last six sectors of the active partition. At the same time the virus decreases the size of that partition by six sectors, which protects these sectors against accidental overwriting. After attacking the MBR the virus returns control to the executed program.
The virus installs itself into memory only after it has been activated from the MBR, and it takes 3 KB of memory. It redirects the INT 13h, INT 21h and INT 1Ch interrupt services. The INT 13h handler provides stealth on access to the original MBR. With INT 1Ch the virus checks whether DOS has already been loaded and, if it has, returns that interrupt service to the system. The INT 21h handler attacks EXE files when they are executed. It also conceals the increase in length of files whose time of last modification has the seconds value set to the nonsensical value of 62. The virus does not attack files whose names contain the characters “SC” and “V”, nor files whose EXE header holds, at the checksum position, two bytes that also exist in the file at the position representing the virus decryptor.
Once at least three months have passed since infection, if the day of the month matches the day of infection, then after every 4th program executed the following text appears in the top left corner of the screen against the background of a colourful fractal:
Execute: mov ax, FE03 / INT 21. Key to go on!
If the requested instructions are executed, the virus writes the following text on the screen:
Welcome to T.TEQUILA's latest production. Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland. Loving thoughts to L.I.N.D.A BEER and TEQUILA forever !
Tequila was created in 1991 and, unlike many other viruses, its authors are known.
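The seconds value of 62 described above can be checked for directly in FAT directory data read from a disk image. The following is an added example, not part of the original encyclopedia entry: it parses 32-byte FAT directory entries and lists EXE files carrying that value; the file names and the sample directory are constructed for illustration.

```python
import struct

MARKER_SECONDS = 62  # seconds value the entry above gives for marked files

def decode_dos_time(word):
    """Split a FAT time word into (h, m, s); seconds are stored halved."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def parse_entry(entry):
    """Return (name, ext, time) for a regular-file entry, else None."""
    if len(entry) != 32 or entry[0] in (0x00, 0xE5):
        return None  # short read, end marker or deleted entry
    attr = entry[11]
    if attr & 0x0F == 0x0F or attr & 0x18:
        return None  # long-name fragment, volume label or directory
    name = entry[0:8].decode("ascii", "replace").rstrip()
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    (time_word,) = struct.unpack_from("<H", entry, 22)
    return name, ext, decode_dos_time(time_word)

def find_marked_exe(directory):
    """List EXE files whose last-modified seconds equal the marker."""
    hits = []
    for off in range(0, len(directory) - 31, 32):
        if directory[off] == 0x00:
            break  # FAT convention: no entries follow
        parsed = parse_entry(directory[off:off + 32])
        if parsed and parsed[1] == "EXE" and parsed[2][2] == MARKER_SECONDS:
            hits.append(parsed[0] + ".EXE")
    return hits

def make_entry(name, ext, h, m, s, attr=0x20):
    """Build a constructed 32-byte entry for the sample directory."""
    e = bytearray(32)
    e[0:11] = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    e[11] = attr
    struct.pack_into("<H", e, 22, (h << 11) | (m << 5) | (s // 2))
    return bytes(e)

# Constructed sample directory (hypothetical file names, not from the page).
SAMPLE_DIR = b"".join([
    make_entry("EDITOR", "EXE", 12, 30, 62),   # marker value
    make_entry("REPORT", "TXT", 9, 15, 62),    # marker seconds, not an EXE
    make_entry("GAME", "EXE", 18, 5, 58),      # highest normal value
    make_entry("TOOLS", "", 8, 0, 62, 0x10),   # subdirectory, skipped
]) + bytes(32)                                  # end-of-directory entry

if __name__ == "__main__":
    print(find_marked_exe(SAMPLE_DIR))
```

A hit is an indicator that warrants a closer look at the file, since any program can set a timestamp to this value.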
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.