Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Tremor

This virus was spread in the year 1993 by means of the TV station PRO7 which was broadcasting computer programs on the background of TV signal. Naturally, for copying them a special decoder was required. Tremor is a polymorphic, parasitic COM and EXE infector using stealth technology. For spreading it requires DOS 3.30 and higher. The virus increases length of files on the disk by 4000 bytes. This change is not visible if the virus is not in memory. It marks files by adding 100 to the year of file origin. The virus recognizes itself in memory by introducing a new DOS function; when calling it with register AX=0F1A9h it expects on return in register AX the value 0CADEh. If it is not in memory it installs itself into it; when doing so it attempts to use memory in UMB first. In case there is not sufficient space in UMB the virus will use memory below the 640 KB boundary. It tries to deactivate resident anti-virus programs CPAV/MSAV. It will use vectors of the interrupts INT 21h and INT 15h for its operation. The INT 21h vector does tunnelling in the step regime of processor. When a file is opened Tremor leaves it and attacks it again when it is being closed. If the program CHKDSK is used while the virus is in memory, errors are reported at infected files {physical length of infected file on the disk does not correspondent with its length as reported by the system controlled by the virus}. Three months after infection the virus Tremor presents itself by shaking the screen. Upon pressing the key DEL together with at least one of the keys CTRL or ALT the virus erases the screen and writes the following text on a black background:

-=> T.R.E.M.O.R. was done by NEUROBRASHER/ May-June '92, Germany <=-
-MOMENT-OF-TERROR-IS-BEGINNING-OF-LIFE-

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.