29A Issue 03 02 14

Published in 29A

. . . . .
.:: .:.. .. .:.::. :.:.
<<-=ÜÛÛÛÛÛÜ.ÜÛÛÛÛÛÜ.ÜÛÛÛÛÛÜ==<
.:ÛÛÛ ÛÛÛ:ÛÛÛ ÛÛÛ.ÛÛÛ ÛÛÛ::.
:: .ÜÜÜÛÛß.ßÛÛÛÛÛÛ:ÛÛÛÛÛÛÛ .:.
.:..ÛÛÛÜÜÜÜ.ÜÜÜÜÛÛÛ.ÛÛÛ ÛÛÛ.::.:
.:>===ÛÛÛÛÛÛÛ:ÛÛÛÛÛÛß.ÛÛÛ ÛÛÛ==->> .
..: ::. . .:..Laboratories .:.. :.. ::..


ANTIVIRUS PATHETISM
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

A story about Ithaqua and technical services sucking big cock

by Wintermute/29A



Û Introduction


This article came about because of a test run by the most important Spanish
magazine, PcActual, with my collaboration: this magazine makes an annual
comparison of antiviruses, using thousands of virii for it; this time the
article appears in the January 1999 issue, written by the journalists Antonio
Ropero and Bernardo Quintero.

The idea was that this year there would be a different test, apart from
the detection and cleaning ones. The magazine talked with me so we could
put together an interesting test: a test of the technical support services
of the antivirus companies.

So, Ithaqua was sent to most AV companies; that is AVP, F-Prot/F-Secure,
Thunderbyte, Panda, DrSolomon, Norton, Sophos and NAI. The results couldn't
be more pathetic from every point of view, and that is what I'm highlighting
in this article.



Û What did you send? Give me a briefing on Ithaqua


The file sent by the magazine was infected with a bit of... hum, bad
intentions :). It was infected using Ithaqua's inserting infection for COM
files: since the jmp_to_virus is placed at a random position inside the COM
code, if you executed it on, for example, DOS >= 7.0, the virus didn't run.
I remember another condition was needed too, but I don't remember it
mwahaha ;P

So this was sent to the AVs listed above, and the mag measured how long
they took to respond, clean it, etc. Of course they didn't say they were a
magazine, but a poor user who had found Ithaqua's snowing effect on his
little brother's 386 (which has problems with the BIOS stack, so it can end
up with a 29th April date ;-)) ).

And first of all, a brief technical description from Panda Antivirus:


=== Cut ===

[...]

In particular, Ithaqua is a particularly complex virus to detect, although
its effects are no more destructive than having your PC completely blocked,
with snowflakes falling down the screen around the message Ithaqua Virus by
Wintermute/29A

Technically speaking, this is a multipartite virus of 8030-8542 bytes in
size, resident in memory, which will become active on April 29th. It
infects .COM and .EXE files, as well as the Master Boot Record (MBR) in the
hard drive. Infected files become larger when the virus code is attached.

The difficulty in detecting and disinfecting Ithaqua is rooted in its
multiple and varied infection systems, besides looking for the adequate
breeding environment. These systems vary as they infect .COM files by means
of the EPO (Entry Point Obscuring) system, which consists of tracing the
program code which will ‘host’ it and randomly placing the jump to the
virus routine.

Meanwhile, the infection method for .EXE files is the search for cavities.
The size of the infected file is not increased, and thus its visibility is
minimal. It is necessary that certain conditions be fulfilled in order for
one of these infection methods to work and to find its adequate breeding
environment. For instance, the EPO system in the .COM extension requires
not only the presence of EMS memory, but also that the files to be infected
are less than 32 KB in size.

In addition, Ithaqua has a double/simple encryption or stealth system. The
first layer is polymorphic-encrypted, and the second one is just encrypted.
All these factors make the location of all the possible variants of this
virus, both in .EXE and .COM files and in the Master Boot (which also has
stealth and polymorphic-encryption routines), a very complicated task
indeed.

[...]

=== Cut ===



Û Antivirus reactions


Now let's get to the fun part... shit, if I were an end user, I'd become an
ended user after reading this; it makes you quite afraid <g>.


Û Panda Software, surprisingly, was the best of the antiviruses
checked out in this comparison. Only 5 hours after the file was sent,
they said they had the whole laboratory working on Ithaqua and sent a
description of how it works, its infections, polymorphism, etc., while
telling the "infected user" they had a 96% success rate at cleaning viruses
within 24 hours.

22 hours after the virus was sent, they gave a solution... too bad it
didn't really work <g>. It detected and cleaned the inserting and appending
COM infections perfectly, but none of the EXE infections (appending and
cavity), nor the MBR one.

After that, an EXE file was sent to them, as well as to the other
antivirus companies (just to give them all the same opportunity). Then
again, the response was another update that cleans the EXE infections
perfectly... but not the MBR (yuck!), which wasn't even detected... tested
with three different MBR infections.

Anyway, this was the best-performing antivirus.


Û F-Secure had problems reproducing it... they also wanted a copy of
the MBR, and were stupid enough to send a .bat file that used debug to
grab it... just by using int 13h, so the stealth fooled it and a clean copy
was sent back (it was supposed to be a normal user :P). After that they did
pay attention to the virus and the user and all that stuff, so you can't
say they have a bad service...



Û AVP antivirus took some time to answer. After a while, they said
it had been sent to Kaspersky, and they'd had some problems because they
didn't notice that it infects depending on the operating system and its
characteristics. It took Kaspersky and his lab SEVEN days to neutralise
the virus, and he said it was really complex: "the complex randomly
changing polymorphic engines had to be made by a doctorate in computer
engineering", he said (rulez, doesn't it :-))) ).

Well, I still haven't had time to check the cleaning, as this article
was written fuckin' fast... but there's a funny thing they said: that with
this kind of virus, seven days, even if it sounds like a long time, is the
best an antivirus company could do to clean such a complex virus hahahaha
(oops, then what about Panda :) )


Û NAI antivirus at first took 24 hours to say "hum, yeah, we've sent
it to the French technical service"; that was the only response in 4 days;
on the fifth day they wrote to say "yep, there is a virus"... and didn't
clean it.


Û Thunderbyte antivirus, Norton and Sophos... wow, this really suxzor.
They just said the file WAS NOT infected at all. Do you really work on
viruses, you assholes? The Norton case was the worst, as they just have
a robot that scans the file and tells ya by e-mail that it isn't infected,
as if it were the technical service... Norton SUCKS BIG COCK :-G



Û More info

If you know Spanish <g>, www.pc-actual.com even has the e-mails and so on
that the magazine received, and the complete test results.
