Selected viruses, spyware, and other threats: sorted alphabetically
This is a parasitic, resident COM and EXE infector. It attacks files when they are executed, renamed and opened. The virus attacks COM files with length less than 57 KB and EXE files shorter than 384 KB. If the beginning of the file name contains one of the strings ic, no, we, tb, av, f-, sc, co, wi and kr, the file will not be infected. The infected files are marked by setting the value of seconds at the time of file origin to 8. There is a text in the virus body which at certain circumstances appears also in memory.
TMC 1.0 by Ender from Slovakia
Welcome to the Tiny Mutation Compiler! Dis is level 42.
Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel
Personal greetings: K. K., Dark Punisher
The virus TMC is very interesting from the technical point of view. The virus body in classical sense is not present in an infected file, only compiler together with the source pseudo code of the virus can be found there. When the infected file is executed the compiler creates into memory a new, always different copy of the virus. The virus TMC cannot be captured by common samples. Moreover, the compiler does not contain any suspicious instructions and that is why it is not suspicious for the heuristics. The static source pseudo code of the virus is encoded in the infected file and is decoded gradually at compilation. After being used it is encoded again, but by means of a different key. During compilation jumps may or may not be inserted between specific instructions. As the length of a jump is not known in advance, the virus has to reserve more space for each jump than necessary. As a result a rather frequent incidence of the sequence of three instructions NOP is seen. The virus contains also a smart trap; its goal is to make removal of the virus more complicated. Depending on the generation also properties of compiled virus in memory are modified.
It seems that the author of the virus is a sci-fi literature fan. Ender is a hero from the book “Ender´s game” by O. S. Card. Texts
Welcome to the Tiny Mutation Compiler!
Diz is level 42
may be a paraphrase of texts in the virus EMM:Level_3.
© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.