29A Issue 01 04 01

eZine lover (@eZine)

Published in 

29A

 · 4 years ago

  

 Virus index 
 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> 
                                                            Mister Sandman 

 Zhengxi.7313 
 ÄÄÄÄÄÄÄÄÄÄÄÄ 
 Author    : Unknown (well, hehe... ;) 
 Origin    : Russia 
 Objectives: EXE (standard, Pascal/C, SFX), OBJ and  LIB. Besides, Zhengxi 
             inserts  COM droppers into ZIP, ARJ, RAR and HA archives with 
             the stored method 
 Hooks     : int 21h  and int 25h, with  redirection and UMB residency; it 
             doesn't go resident under certain conditions 
 Behaviour : full stealth, highly polymorphic (encrypted with two polymor- 
             phic loops), uses a CRC32 generator for every data comparison 
             it makes. It has a trigger  routine, with deletes all the fi- 
             les of all the  drives under certain conditions. This is pro- 
             bably the best virus ever. 

 
 V.6000 
 ÄÄÄÄÄÄ 
 Author    : Unknown 
 Disasm by : Tcp/29A 
 Origin    : Unknown 
 Objectives: EXE, COM, MBR and boot sectors (multipartite) 
 Hooks     : int 8, 13h, 17h, 1ch, 20h, 21h, 25h, 26h, 27h 
 Behaviour : under certain conditions, depending on some internal counters 
             and on  the way it's being executed (under debugger), it era- 
             ses the CMOS and the hard drive sectors. It also stays memory 
             resident  after any kind of reboot thanks to this trick: when 
             it infects MBR, it stores the  drives info from the CMOS, and 
             then  sets these values to zero. When it detects any disk ac- 
             ccess, it restores  the original CMOS on the fly, so the user 
             can't remark  any change. If the user tries to do any kind of 
             boot, as the CMOS values are set to zero, the MBR will recei- 
             ve  the control, and it will restore these values, making po- 
             ssible to boot from the floppy drive as usual. Polymorphic :) 

 
 TS.1423 
 ÄÄÄÄÄÄÄ 
 Author    : Unknown 
 Disasm by : Tcp/29A 
 Origin    : Spain 
 Objectives: COM and EXE files (infects on file closing) 
 Hooks     : int 13h, int 21h 
 Behaviour : its encryption routine  is based  on tracing  code via int 1, 
             fully  antidebugging. It doesn't infect *AN.*. If the year is 
             above 1995, it  will mark clusters as bad, and on fridays, it 
             will change disks writes to verifications. UMB residency. 

 
 Remolino.968 
 ÄÄÄÄÄÄÄÄÄÄÄÄ 
 Author    : Trumpet WinCock 
 Origin    : Spain 
 Objectives: COM and EXE files 
 Hooks     : int 21h 
 Behaviour : a new  infection  way... neither  overwriting, nor appending, 
             nor  prepending, nor ap-pre-pending... guest :) It looks  for 
             some unused  code in their victims big enough to hold the vi- 
             ral code, and if there's enough room for it, it copies itself 
             there  without doing  any change in the file length. It has a 
             payload which displays a whirlscreen effect, which became ra- 
             ther famous (it was even used by NuKE in their zines). 

 
 Torero 
 ÄÄÄÄÄÄ 
 Author    : Mister Sandman/29A 
 Origin    : Spain 
 Objectives: COM files 
 Hooks     : int 13h, int 21h 
 Behaviour : it has two peculiarities: first, it  doesn't store the origi- 
             nal header of the  files it infects into its body, but into a 
             newly  discovered (by AVV and me) zone  of ten free bytes, in 
             the directory  entry of the file. And second, it uses the 8th 
             attribute  bit as infection mark, making the infection checks 
             much more simple, reliable and antiheuristic. 

 
 Internal Overlay 
 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 
 Author    : Tcp/29A 
 Origin    : Spain 
 Objectives: COM and EXE files 
 Hooks     : int 21h 
 Behaviour : it infects COM and EXE files without modifying their headers, 
             bypassing lots of CRC security  programs which just check the 
             file header. It does this by appending an internal overlay to 
             the file and writing an overlay loader at the entry point. It 
             infects, then, EXE files  with internal  overlays, but NOT if 
             any  of the relocation items is  located in  the entry point, 
             unless this item  is found at offset 7 (it would be a PkLited 
             file) ;) 

 
 Cri-Cri 
 ÄÄÄÄÄÄÄ 
 Author    : Griyo/29A 
 Origin    : Spain 
 Objectives: COM, EXE and floppy drives (multipartite) 
 Hooks     : int 3, 13h, 21h 
 Behaviour : full stealth, as it redirects  reads to  infected sectors and 
             files to  the original ones, highly polymorphic, it won't in- 
             fect files  with  any V in their  name, files with the actual 
             day  date, and  some  AV executables. It has  a payload which 
             display a message on the screen. 

 
 TheBugger 
 ÄÄÄÄÄÄÄÄÄ 
 Author    : The Slug/29A 
 Origin    : Spain 
 Objectives: COM files 
 Hooks     : int 1, 3, 21h, 0cdh, with redirection 
 Behaviour : its peculiarity consists in  that it gets a random number be- 
             tween 2 and 5 (x) and starts tracing its victim until it rea- 
             ches the  call  number 'x' :) and  then infects that call. It 
             uses a new tunneling routine based on an old one (the int 30h 
             trick), bypassing  the AH < 24 limit and finding the original 
             int 21h vector address. Besides, it uses an antilamer install 
             check which detects if the  user is trying to deceive it with 
             one of those  lame programs which just return the virus resi- 
             dency value so the virus doesn't go resident again... TheBug- 
             ger avoids this by doing a  random byte comparison, and if it 
             detects that the user is trying to deceive it, executes a si- 
             mulated HD formatting routine and displays a message. 

 
 Apocalyptic 
 ÄÄÄÄÄÄÄÄÄÄÄ 
 Author    : Wintermute/29A 
 Origin    : Spain 
 Objectives: COM and EXE files 
 Hooks     : int 3 and int 21h, with redirection 
 Behaviour : it's a stealth COM and EXE infector  which  disables TbDriver 
             on every execution; it skips F-Prot's stealth detection engi- 
             ne, and if  the  system  date is  equal to july 26th, it will 
             show all the files in with 29Ah as length. 

 
 AVP-Aids 
 ÄÄÄÄÄÄÄÄ 
 Author    : Tcp/29A 
 Origin    : Spain 
 Objectives: COM files 
 Hooks     : nothing, it's a runtime infector 
 Behaviour : AVP-Aids proves the capabilities to write  and spread viruses 
             using  AVPRO's API functions. It inserts a new viral database 
             into AVP; this database  will make AVP to delete F-Prot, Scan 
             and TbScan when  being scanned. Besides, AVP won't detect any 
             virus, favouring the appeareance of opportunist infections by 
             other viruses. 

 
 AntiCARO 
 ÄÄÄÄÄÄÄÄ 
 Author    : Mister Sandman/29A 
 Origin    : Spain 
 Objectives: COM files 
 Hooks     : int 21h 
 Behaviour : it's just a 'joke' virus to protest against Vesselin Bontchev 
             and the way in which CARO and this sucka name the viruses. As 
             AVP is Bontchev's favourite AV, AntiCARO will modify it so it 
             (AVP) will  detect VLAD's Bizatch  as 'Bizatch_:P' and not as 
             Boza. About the  virus itself, it's just  a TSR COM  infector 
             which uses SFTs for performing its infection routines. 

 
 Galicia Kalidade 
 ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ 
 Author    : Leugim San/29A 
 Origin    : Spain 
 Objectives: WinWord documents 
 Behaviour : it's an encrypted macro infector which hits documents on clo- 
             sing. Besides, it has two peculiarities: it's the tiniest ma- 
             cro infector ever, and  it contains  a trigger routine; if it 
             finds the text chain 'dir a:' in any document, it will delete 
             MSDOS.SYS and IO.SYS, and then display a message box. 

 
 Mister Sandman, 
 bring me a dream.