-----BEGIN PGP SIGNED MESSAGE-----

For Complete Updated Sigfiles for TBAV or SCAN
Freq Magic Names CRISTBAV or CRISMCAF from 1:115/863

CRIS Virus Signature Alert!
- ----------------------------------------------------------------------------
Virus Name: South African Peace Virus
Notes: COM EXE INF
Signature: 5E 81 EE 06 01 E9 03 01 43 4F 4D 4D 41 4E

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09    : probably infected by an unknown virus
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

This is a direct overwriting file infector of .COM files, including Command.com. Infected files will no longer run, but you will get a message on the screen. On 5 December of any year, it will attempt to do two things. For systems using DOS 5.0+, it will turn off access to the C: drive. It will also attempt to delete a file called "chklist.ms" in the current directory an infected file is run from. Cleanup is simply replacing the infected files. Also, on 5 Dec, if the infected file is run and the time in seconds is greater than 30, you will get another message, other than the one the original infection or infected files gives.

Bill Dirks

Note: Infected files will be changed by 484 bytes; after all files are infected the virus will write to itself, now 777 bytes. The message that will be displayed on the screen is "Let's Have Peace in S.A. From OL' Jim Blue". The second message will get cut in the middle and not be fully displayed. Infected files' dates are changed to 00-17-90.

Michael Paris
- ----------------------------------------------------------------------------
Virus Name: K-CMOS (Crypt Virus)
Notes: COM EXE INF
Signature: (TBAV)  B9 CC 01 BB ?2 2E 81 07 ?2 83 C3 02
           (FPROT) B9 CC 01 BB ?? ?? 2E 81 07 ?? ?? 83 C3 02
           (SCAN)  "B9CC01BB??2E8107??83C302" [K-CMOS]

Virus Name: K-CMOS (first generation)
Notes: COM EXE DROP
Signature: BE 0D 01 2E 8A 84 94 03 2E 8C 84 B1 03 50

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09    : probably infected (infected files are missed)
SCAN V109    : No viruses found. (infected files see TridenT)

If you add the above signature to your scanner, it will be detected.

This virus will infect .EXE & .COM files. It will zero out the stored drive values in CMOS on AT+ machines. However, it is a little picky. Depending upon the OS utilities loaded, it may cause an immediate cold boot after zeroing the CMOS but failing to infect files. Because the CMOS values are zeroed for the drive type, upon reboot it will look like no drive is present. This virus will attempt to walk directories using the Path set in the environment to help determine which files to infect. If you are in a directory not in the path statement, it seems to foil it, because I couldn't get it out of the current directory. It looks at the timer only to get a random word for use by the file/virus encryption routine. The timer isn't used for a payload. This routine is fairly static and the virus can be found with one wildcard string. As a marker to determine infected files, it sets the seconds to 58 in the file date/time stamp.

Bill Dirks

Note: Infected files change in size by 937 bytes. Each time an infected file is run it will infect one .EXE and one .COM file in the current directory. If it finds that there are no clean files to infect it will attempt to infect files on other drives and in other directories. This virus came out of the Crypt Newsletter #20 (CRPTLT20.ZIP).

Michael Paris
- ----------------------------------------------------------------------------
Virus Name: Blood Sugar
Notes: COM EXE INF
Signature: 5E 81 C6 1E 00 89 F3 81 EB 23 00 8A 27 8A

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09    : probably infected by an unknown virus
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

Blood Sugar is a non-resident .COM infector that infects all .COM files in the current directory when an infected file is run. Infected files will grow 416 bytes in size, with no change to the file date or time stamp.

Michael Paris
- ----------------------------------------------------------------------------
Virus Name: Dementia Praecox 1.0
Notes: COM EXE INF
Signature: 5D 81 ED 12 01 8B F5 81 C6 38 01 8B DD 81

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09    : probably infected by an unknown virus
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

Dementia is a non-resident infector of .COM files that will change infected files by 512 bytes. Dementia will also infect all .COM files in the current directory, with no date or time changes made to infected files. This virus was written by "Mnemonix".

Michael Paris
- ----------------------------------------------------------------------------
Virus Name: Atomic 1.0
Notes: EXE COM INF
Signature: B8 ED FE CD 21 A3 03 01 0E 8F 06 6F 01 BA

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09    : probably infected by an unknown virus
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

ATOMIC is a memory resident virus that spawns .COM files for .EXE files in your directories. After the virus is resident in your system memory it will wait for you to run .EXE files. When an EXE file is run it will make a matching .COM file with the same name. This will be a hidden file on your disk. Spawned files will be 425 bytes in size until the file is run on the 14th of any month, when it will change in size to 456 bytes. The increase in size comes from the virus adding a text string to any spawn .COM file that is run on the 14th. Three spawn files will have the text "Atomix v1.00 by Mnemonix." added to them if one file is run on that date. The .COM spawn files will always carry the file date of creation or infection.

Michael Paris
- ----------------------------------------------------------------------------
For Complete Updated Sigfiles for TBAV or SCAN
Freq Magic Names CRISTBAV or CRISMCAF from 1:115/863

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLTCwy6M4CDusTF+9AQFF+wIAoZUGMzIs+C52mO11hF74qrtZ4As44HUp
pNaePO1Z0cXEO5+h9PrFGB8NL1tbrXVgdG79YAPP4RlMTDM/oSTozA==
=PzOM
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

C.R.I.S New Virus Signature Warning! CrisInfo #010
- -------------------------------------------------------------------------
Virus Name: [CrisSig] CARPE
Notes: COM EXE INF
Signature: 8B F4 36 8B 2C 81 ED 03 01 44 44 8B C5 05

If you add the above signature to your scanner, it will be detected.

F-Prot 2.11   : No viruses or suspicious files/boot sectors were found.
TBAV 6.10     : No viruses found.
SCAN V111     : No viruses found.
ShareScan 5.0 : No viruses found.

Thunderbyte's heuristics are able to detect the dropper of this virus, but as soon as a file is infected, the virus encrypts itself and is able to sneak past Thunderbyte's heuristics.

CARPE DIEM! - Seize the day originated from Sweden and was written by Raver. It's a .COM infector and searches the directory tree downwards using the dot-dot method. It checks the system time for one hundredth of a second and if it matches, then it does an absolute write to the first sector of the hard disk (boot sector of drive C:). There is about a 5% chance of this happening and if it does, the following message will also be displayed:

CARPE DIEM! (c) '93 - Raver/Immortal Riot

It also checks the current drive to see whether it's drive A: or B: and if so, it does not infect any files to avoid suspicion.
Infected files increase by 469 bytes and two clean .COM files are infected every time the virus is run (unless the current drive is A: or B:).

Carpe - This is a direct action virus. It will infect .COM files, including Command.com. Files will show an increase of 472 bytes. It checks the clock for hundredths of a second. If it is below 5, it will overwrite the first sector of the HD with the virus code, making it unbootable and unrecognizable to the system. You will know when this happens as a message will appear on the screen pronouncing the presence of the virus. Infected files will continue to run. It also uses the .. method to step backwards when no more files are available in the current directory to infect. This virus originated in Sweden.

- - Ashley Kleynhans - Bill Dirks [Cris]
- -------------------------------------------------------------------------
Virus Name: Human Greed
Notes: EXE COM OVW
Signature: BE 30 01 8B 16 17 01 B9 35 01 2E 31 14 83

F-Prot 2.11   : Possibly a new variant of Trivial.
TBAV 6.10     : Infected by V2pX virus.
SCAN V111     : No viruses found.
ShareScan 5.0 : No viruses found.

This is a mutation of the Infernal Demand virus written by Metal Militia. It originated in Sweden and the author is The Unforgiven. It's an overwriting virus that overwrites the first 666 bytes of EXE and COM files. It checks the current drive and if it does not match C:, the virus automatically switches to the C: drive if a C: drive exists, so that it can still do its damage. If an infected file is executed, there is a 50% chance of the message "Program too big to fit in memory" being displayed (this is of course a fake message which the virus displays). If this happens, a random number is generated and if it's less than 10, it will proceed to overwrite the first couple of sectors on the C: drive. This means that in total you have a 5% chance of your C: drive being overwritten every time the virus is run. It uses the dot-dot method of changing directory downwards once all files in the current directory are overwritten. The virus does not infect floppies.

H-Greed - This is a direct overwriting infector of Command.com and all .EXE's. It renders infected programs useless since it overwrites. It appears to do nothing other than replicate. However, if an infected file is run and the clock shows a time with the hundredths less than 5, it will overwrite the first 255 sectors of the HD. It uses the .. method to step backwards when no more files are available in the current directory to infect. This virus originated in Sweden.

- - Ashley Kleynhans - Bill Dirks [Cris]
- -------------------------------------------------------------------------
Virus Name: DOOM!
Notes: COM EXE INF
Signature: 8B FC 36 8B 2D 81 ED 03 01 44 44 1E 06 0E

If you add the above signature to your scanner, it will be detected.

F-Prot 2.11   : No viruses or suspicious files/boot sectors were found.
TBAV 6.10     : Probably infected by an unknown virus.
SCAN V111     : No viruses found.
ShareScan 5.0 : No viruses found.

Thunderbyte's heuristics detect the dropper of this virus, but fail to detect the actual encrypted virus even when the heuristic parameter is specified.

DOOM! originated from Sweden and was written by Raver. It's an .EXE infector and searches the directory tree downwards using the dot-dot method; it does not stop travelling down the directory tree until it has reached the root directory and infected all the .EXE files in the root directory. It also chews up 3K of memory every time an infected file is executed; there is a bug in this routine which causes the system to freeze up when COMMAND.COM is called. Otherwise, this is a harmless virus.

Ashley Kleynhans [CRiS]
- -------------------------------------------------------------------------
Virus Name: ETERNITY!
Notes: COM EXE INF
Signature: 5D 83 ED 03 E8 15 00 EB 27 90 E8 0F 00 B4

If you add the above signature to your scanner, it will be detected.
F-Prot 2.11   : No viruses or suspicious files/boot sectors were found.
TBAV 6.10     : No viruses found.
SCAN V111     : No viruses found.
ShareScan 5.0 : No viruses found.

This virus originated from Sweden and was written by The Unforgiven. Thunderbyte's heuristics will detect the dropper of the virus, but as soon as the virus appends itself to an .EXE file, it encrypts itself and Thunderbyte is then unable to detect any infected files. It's a mutation of Tormentor's .EXE lesson (so the author says). It infects 3 .EXE files every time an infected file is executed and uses the dot-dot method of travelling down the directory tree. The size of infected files is increased by 562 bytes.

Ashley Kleynhans [CRiS]
- -------------------------------------------------------------------------
Virus Name: [CrisSig] Geodesic Propagation 2.0
Notes: EXE COM LOW INF
Signature: 1E 06 0E 0E 1F 07 2E FE 06 ?2 2E A1

F-Prot 2.11 : Possibly a new variant of Nympho
TBAV 6.10   : No viruses found.
SCAN V111   : No viruses found.

Geodesic is a memory resident COM and EXE infector that will add 666 bytes to infected files. There are no time or date changes, and files are infected when they are run while the virus is resident in memory. This virus was written by Cerebral Quantas [Phalcon/Skism].

Michael Paris [Cris]
- -------------------------------------------------------------------------
Virus Name: OLO or OLO_II
Notes: EXE COM INF
Signature: 5D 81 ED 03 01 EB 1B 90 B8 24 35 CD 21

F-Prot 2.11 : New or modified variant of PS-MPC.
TBAV 6.10   : probably infected by an unknown virus.
SCAN V111   : Found virus -- Ancients [Anc]

If you add the above signature to your scanner, it will be detected.

OLO is a nonresident COM infector. It will infect only the first COM file in the directory. When the file is first executed it will scroll across the screen with the message "Ancient Sages Is on of the pAgEs". When this is scrolling, pressing Ctrl-Break will cause the scrolling to stop and the system will make a sound almost like laughing. It will cause an infected file to increase in size by 783 bytes. This virus will not check for previous infection, so it is therefore capable of reinfecting the same file over and over. It appears to contain no intentionally damaging code. The following messages are visible within the virus code:

"by -->>pAgE<<--(c) 1992 TuRN-THE-pAgE Ancient Sages Is one of the pAgEs"
"*.COM"

OLO_II is also a nonresident COM infector. It will also infect the first COM file in the directory. When the file is first executed it will scroll across the screen with the message "Video Port XMS/EMS 1993". When the system is scrolling, pressing Ctrl-Break will cause the scrolling to stop and the system will make a sound almost like laughing. It will cause infected files to increase in size by 841 bytes. This virus will not check for previous infection, so it is therefore capable of reinfecting the same file over and over. It also appears to have a code problem. When a COM file is infected, the jump at the beginning of the COM file jumps to an INT 20 and ends execution of both the COM file and the virus. The following messages are visible within the virus code:

"byMicrosoft(c)MSD Memory Manager Beta Video Port XMS/EMS 1993"
"*.com"

William Chapman (CRiS)
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLWV8BaM4CDusTF+9AQGgNgIAicVaTh+FnwkW9bBLJybCZXAGS46wyvc8
1pyseIKnxQ9zPcWPZobZ8cd9dxsTIWbq0pgQPZfS/ULMvSF/i7NUDA==
=qY9e
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Virus Signature Alert!

Virus Name: [BENOIT] ICE-9 ARCV Variant
Notes: EXE COM INF LOW
Signature: 5E81EE06008D841F00508DBC1F00

Virus Name: [BENOIT] ICE-9 ARCV Variant Dropper
Notes: EXE COM INF
Signature: 33C0BB0001BE0001899CB2028984

[X] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 108

This virus is memory resident. No date or time changes take place on infection. This virus comes from England and is a variant of the ARCV virus.
It was made November 5th 1992 and was dedicated to Benoît B. Mandelbrot, from whom the virus received its name. F-Prot reports "Variant of ARCV", but no other scanner catches it in any way yet. It is an .EXE infector, though it can be found in .COM files as a dropper program. This virus and its dropper can be detected with the above signatures added to your scanner.

Virus Name: McAfee's Whale (MCWHALE)
Notes: COM EXE INF
Signature: BB2A02BE18002E81?346464B

Virus Name: McAfee's Whale Dropper
Notes: COM EXE INF
Signature: BE000189F7C7041492C64402C756

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 108

Both this virus and the drop program are not detected by any scanner I have tried. This virus is not the stealth virus we are used to seeing. This is an .EXE infector that adds 1125 bytes to infected files with no date or time changes. When the infected file is run, a message moves across the screen (from right to left) saying:

"BEWHERE!!! Anti-virus Man John McAfee ... The WHALE Virus .... HONEST!!! ...."

With the above signatures added to your scanner for the MCWHALE and the Dropper, this virus is detectable.

Virus Name: [Chromosome Glitch] v3.0 Memory Lapse
Notes: COM EXE INF LOW
Signature: 5D81ED03011E06B8EFDDCD2181FB

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 108

This virus, Chromosome Glitch 3.0, written by Memory Lapse in Toronto, ON, is a memory resident .COM infector, adding 385 bytes to infected files. Files are infected by running them after the virus becomes memory resident. There are no date or time changes to the file. The virus will infect command.com if the virus is already resident. No scanners that were tested detected this virus until the above signature was added.

Memory Lapse is a programmer in Canada who has written many viruses showing up here in the USA, most of them improving in the area of detection by AV scanners. The latest that we have researched here were the Chromosome Glitch 1.0, 2.0, Golgi Testicles v1.0, 2.0, 3.0, Nympho Mitosis v1.0, 2.0, and the famous 'Memory Lapse' virus that is un-removable from Nite Owl's CD-ROM shareware disk sent to many BBS's. This Chromosome Glitch virus is detectable by adding the above signature to your scanner.

Virus Name: Murphy (Goblin) Dropper
Notes: EXE COM INF LOW
Signature: BE26018BFE8B0E08018B160201B8

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 108

All of the above scanners detect the virus above, BUT NOT the dropper for the virus. Murphy's Goblin is a memory resident .EXE infector that does not change dates or times on the files it infects. Some scanners report the files as 'Black Death'. The dropper for this virus is detectable by adding the above signature to your scanner.

Virus Name: Blood Rage Virus
Notes: EXE COM INF
Signature: 5D81ED0301B844008EC0BF00018B

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [x] SCAN 108

The Blood Rage Virus is seen in heuristic mode in TBAV and F-PROT; the signature above will report the 'Blood Rage' Virus in both of these if you add the string to your scanner. McAfee's Scan reports the correct virus. TBAV and F-Prot report 'Probably infected with an unknown virus'. Blood Rage will infect .COM files when an infected file is run. The text below can be seen in the virus code:

THE WORLD WiLL NEVER FORGETT US! -Beta Boys- Blood Rage (c)1992 The BetaBoys

Virus Name: Demo-Exe Virus Admiral Bailey [YAM]
Notes: EXE COM INF
Signature: 5D81ED03011E060E0E1F078DB653

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 108

Little is known about this virus. None of the scanners tested detected this virus. With the above signature added to your scanner it will be detected as the Demo-Exe Virus. This is the name given to it in the virus code (Demo-Exe Virus Admiral Bailey [YAM]). This is an .EXE infector adding 334 bytes to each infected file. It will infect three .EXE files each time an infected file is run.

YAM is a virus writing group that is (was) headed by 'Admiral Bailey': Y ouths A gainst M cAfee. It seems that Admiral Bailey has left the virus world for a while and has not been heard from (according to sources).

Virus Name: Handy Virus
Notes: COM EXE SYS INF
Signature: 8CC00500108EC0BE0001BF0000B9

[ ] F-Prot 2.09f  [x] TBAV 6.08  [ ] SCAN 108

Little is known about this virus. TBAV reports an unknown virus; no other scanner can see this file. According to the code this is a .COM infector. Tested here, it seems to also infect DOS system files: MSDOS.SYS, IBMDOS.SYS (attrib -s -h -r files). After your DOS system is infected, things will never be the same. Error messages will come up with almost every command: 'Divide Overflow', 'System Halted', etc. Lockups will become common, with flashing lights and error messages. By adding the above string to your scanner you can detect this file before you have to experience all of this 'fun'.

These signatures come from Cris Computer Research & Information Service (708) 863-5285
* These signatures have passed all testing and worked on all files that were infected and tested.

This virus signature can be added to F-Protect by running f-prot.exe, then using the menu to add the code below. After you add the code, be sure to scan using the /USER switch:

f-prot /user {enter}

REMEMBER: F-Prot will only allow 10 user sigs at a time; TBAV will allow over 1000.

You can also add it to TBAV by running tbgensig.exe. Make a text file called usersig.dat, then make it look like below:

; virus name      your notes here
skdjfjdh34585855                    {string goes there
; virus name      your notes here
skdjfjdh34585855                    {string goes there
; run tbgensig.exe

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLOirAqM4CDusTF+9AQHGLQH/bQ4DZ48yzFu+KjEqyogWYtjO16RNbgD3
GuLtq8uGdsrDDim3HpqbvuCXk1RUa1ZFpV7EcNNIIQx0wN7wEEOWUQ==
=3xAZ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Virus Signature Alert!
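The alerts print the same strings in TBAV notation (`?2`, meaning two arbitrary bytes) and F-Prot notation (`?? ??`, one `??` per byte), and the note in the next alert spells out the conversion rule (replace ?N with N pairs of ??). The following Python is an added example, not CRIS code or any scanner's own: it applies that rule, parses either notation into a byte pattern with wildcards, and scans a constructed buffer (not a real infected file) for the K-CMOS and Blood Sugar strings quoted in these alerts. The SCAN compact form and the `*N` modifier seen in the THCK signature are not handled and are rejected explicitly.

```python
"""Added example: parse CRIS-style hex signatures and scan a buffer for them.

Handles the two notations printed side by side in these alerts:
  TBAV   'B9 CC 01 BB ?2 2E ...'    where ?N stands for N arbitrary bytes
  F-Prot 'B9 CC 01 BB ?? ?? 2E ...' where each ?? is one arbitrary byte
The SCAN compact form and the '*N' modifier are not handled.
"""
import re
from typing import Dict, List, Optional

# A parsed signature: concrete byte values, with None marking a wildcard byte.
Pattern = List[Optional[int]]

HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def tbav_to_fprot(sig: str) -> str:
    """Apply the alerts' conversion rule: '?N' becomes N copies of '??'.
    'BB ?2 2E' -> 'BB ?? ?? 2E'."""
    return re.sub(r"\?(\d+)", lambda m: " ".join(["??"] * int(m.group(1))), sig)


def parse_signature(sig: str) -> Pattern:
    """Turn a spaced TBAV or F-Prot signature into a byte/wildcard pattern.
    Unsupported tokens (e.g. '?2*6') raise ValueError rather than silently
    producing a pattern that would never match."""
    pattern: Pattern = []
    for tok in sig.split():
        if tok == "??":
            pattern.append(None)
        elif tok.startswith("?") and tok[1:].isdigit():
            pattern.extend([None] * int(tok[1:]))
        elif HEX_PAIR.match(tok):
            pattern.append(int(tok, 16))
        else:
            raise ValueError(f"unsupported signature token: {tok!r}")
    return pattern


def find_signature(data: bytes, pattern: Pattern) -> int:
    """Return the offset of the first match of pattern in data, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            return off
    return -1


def scan_buffer(data: bytes, signatures: Dict[str, str]) -> Dict[str, int]:
    """Scan data against named signatures; return {name: offset} for hits."""
    hits: Dict[str, int] = {}
    for name, sig in signatures.items():
        off = find_signature(data, parse_signature(sig))
        if off >= 0:
            hits[name] = off
    return hits


# Signatures quoted in these alerts (TBAV notation).
SIGNATURES = {
    "K-CMOS": "B9 CC 01 BB ?2 2E 81 07 ?2 83 C3 02",
    "Blood Sugar": "5E 81 C6 1E 00 89 F3 81 EB 23 00 8A 27 8A",
}

# Constructed sample buffer (not a real infected file): 10 filler bytes, then
# the K-CMOS string with arbitrary values (12 34, AB CD) in the wildcard slots.
SAMPLE = (b"\x90" * 10
          + bytes.fromhex("B9CC01BB1234" "2E8107" "ABCD" "83C302")
          + b"\xcc" * 5)


if __name__ == "__main__":
    print(tbav_to_fprot(SIGNATURES["K-CMOS"]))
    print(scan_buffer(SAMPLE, SIGNATURES))   # {'K-CMOS': 10}
```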
Virus Name: Iron Maiden (August 16th)
Notes: COM EXE DROP
Signature: 8CC6060B01C3EBF8B8D9C8D9BADF

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners see this dropper. After this dropper infects either itself or another file it will be scannable by the above scanners. Add the signature above and you will not have to go through the pains of having to mess with this whole thing. Iron Maiden will infect two files in the current directory and then go to drive C: to infect the first two files in the root directory. If you are running an infected file from the A: and do not have a hard disk, your machine will lock. If there is a hard disk, the virus will infect two files in the root dir of your C: and let the infected file continue running. This virus adds 636 bytes to infected files, and does not change the date or time.

Virus Name: [Binary Fission] v1.0 [ML/PS]
Notes: EXE COM LOW INF
Signature: BD?2B83D3DCD21353E3DBB4D5A

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners see this virus. Binary Fission 1.0 is a memory resident EXE & COM infector written by Memory Lapse from a virus writing group called Phalcon/Skism. When a file infected with this virus is run, the virus will go memory resident and infect any .COM or .EXE file that is opened, executed or has any attributes changed. Files will increase 517 bytes in size. This virus will not infect command.com, even if command.com is executed after the virus becomes resident. There are no time or date changes.

Virus Name: Phasor (1.0)
Notes: COM EXE LOW INF
Signature: BD?233FF8EC7BFE00126803DBD

[ ] F-Prot 2.09f  [ ] TBAV 6.08  [ ] SCAN 9.20 V109

The Phasor (1.0) virus remains resident in memory in an unused portion of the Interrupt Table starting at offset 1E0h. When this virus goes resident it will infect any .COM file that is run, adding 230 bytes to the infected file. There are no time or date changes on infected files. Phasor (1.0) was written by Memory Lapse in Toronto, ON, Canada, and is not seen by any of the scanners above. If you add the signature above to your scanner this virus will be detected.

These signatures come from Cris Computer Research & Information Service (708) 863-5285
* These signatures have passed all testing and worked on all files that were infected and tested.

* Note: If you are using a scanner other than TBAV you may need to change the signature. For other scanners replace ?# with the number after the ?: ?2 you would change to ????, ?3 you would change to ??????, and so on. Replace the ?# with double the ?'s as the number.

This virus signature can be added to F-Protect by running f-prot.exe, then using the menu to add the code below. After you add the code, be sure to scan using the /USER switch:

f-prot /user {enter}

REMEMBER: F-Prot will only allow 10 user sigs at a time; TBAV will allow over 1000.

You can also add it to TBAV by running tbgensig.exe. Make a text file called usersig.dat, then make it look like below:

; virus name      your notes here
skdjfjdh34585855                    {string goes there
; virus name      your notes here
skdjfjdh34585855                    {string goes there
; run tbgensig.exe

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLO33SqM4CDusTF+9AQFP5AH8CkZKqnFhl2Ae64cUk5sxezLfmEuf6+oo
S/uAEb3rJboQlXlWCCPfEXsHXNqPG7SDwzt4fBnDGrK85hIjgThRxg==
=AWHS
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Virus Signature Alert!
- ---------------------------------------------------------------------------
Virus Name: 1984 (TaLoN)
Notes: COM EXE LOW INF
Signatures: TBAV   - 33 C0 8E D8 BE ?2 FF 34 FF 74 02 C7 04
            F-Prot - 33 C0 8E D8 BE ?? ?? FF 34 FF 74 02 C7 04
            Scan   - 33 C0 8E D8 BE ?? FF 34 FF 74 02 C7 04

[ ] F-Prot 2.10  [M] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners detect this virus as of yet. If you add the above signatures to your scanner, it will be detected.

1984 from TaLoN ... probably the world's sneakiest virus to date. TBAV tags it in "high heuristic" mode ... NOTHING else finds it.
This virus got a write-up in the latest PC Week ... it's being spread in a hack of SCANV109. You only need to run the hacked SCAN once and you're history ... it hits every susceptible file on your HD in just one pass! It can hit COM/EXE/BIN/OVL/SYS files, the MBR, and 360kB floppy boot sectors. It has directory/file/partition stealth. Infected files are forward-dated by 100 years.

By: Rod Fewster
- ----------------------------------------------------------------------------
Note: In our tests we find it infecting all of the above, though we did not run the tests on the MBR and 360kB floppy boot sectors yet. This virus is tricky with the stealth technology it uses. It will disinfect on the fly, so one minute one file will be infected and the next it will not, but another will be. File size changes are not present while the virus is memory resident, but if you look when the virus is out of memory you will see a 1979 byte change on infected files. When the virus first goes memory resident it will look for and demand C:\DOS\COMMAND.COM and infect this file, though it may disinfect it later and infect the command.com file in the root directory of the disk. The signature above worked on all samples of infected files tested here. This virus is not done being researched, but the signature is here so that you can stop something that may have started in your computer already.

Michael Paris (Cris)
- --------------------------------------------------------------------------
Virus Name: Firefly Virus
Notes: COM EXE LOW INF
Signatures: TBAV   - BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2
            F-Prot - BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2
            Scan   - BB ?? B9 10 01 81 37 ?? 81 77 02 ?? 83 C3 04 E2 F2

[ ] F-Prot 2.10  [ ] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners can detect this virus. If you add the above signatures to your scanner it will be detected.

The FIREFLY virus is a memory resident COM file infector. Its most noticeable feature is the ever-changing keyboard LEDs that appear when the virus is resident in memory. Upon execution the virus allocates approximately 4k of memory and hooks interrupts 21h, 1Ch, and 24h. The old DOS interrupt 21h is moved to interrupts 1h and 3h to be used in the virus to handle replication.

Interrupt 21
============
If this interrupt is called, the virus checks to see if an open, execute, or attribute call is being made. If not, the registers are restored, the old int 21h is called and everything appears as normal. If one of these functions is being performed, the virus checks to see if it is a COM file that is being looked at. If it is, the virus infects the file. The virus also checks the filename passed to the interrupt to see if an anti-virus program is being accessed. If it is, the virus deletes the executable.

Interrupt 1Ch (System Timer Tick)
=================================
When this interrupt is hooked, the light show begins! The virus keeps track of how many clock ticks have passed. When the count reaches a certain point, the virus changes which keyboard LEDs are lit. This continues as long as the virus is memory resident. The virus also makes your typing rather difficult since it constantly shifts between upper and lower case.

Encryption
==========
The virus encrypts itself by using the XOR function with two randomly generated word variables, alternating between the two variables.

Infection
=========
The first three bytes of the original COM file are stored within the virus and replaced by a jump instruction that points to the beginning of the virus code. Viral code is appended to the end of the COM file. The COM files grow by 1106 bytes once infected and will appear to function normally. The virus will not re-infect infected executables and it is smart enough to know whether or not it is already resident.

DuWayne Bonkoski (Cris)
- ----------------------------------------------------------------------------
Virus Name: Adams Family [Men]
Notes: EXE COM LOW INF
Signature: BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 41

Virus Name: Adams Family [Wendy]
Notes: EXE COM LOW INF
Signature: BB 12 01 FF 27 2A 2E 43 4F 4D 00 4D 63 41

Virus Name: Adams Family [Morticia]
Notes: EXE COM LOW INF
Signature: BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 90

[ ] F-Prot 2.10  [ ] TBAV 6.08  [ ] SCAN 9.20 V109

None of the above scanners can detect these viruses. If you add the above signatures to your scanner they will be detected. The signatures above are good for all three AV scanners.

This is the "Adams Family Collection", eight viruses total. We were able to get most of the viruses together into one signature; these are: Cousin It, Gomez, Lurch, Pugsley, Thing, and Uncle Fester. The other two, Morticia and Wendy, have two different signatures. The Adams Family Collection was written by the author of a variant of the Butterfly virus 'Crusades'. -DeathBoy KoASP

These are resident COM infectors. When a file infected with the Adams virus is run it will infect other .COM files in the current directory. After the virus infects a number of .COM files (this is a different number depending on the virus), it will go memory resident. While the virus was in memory I could not get it to infect another file without running it (though it was resident). When infected files are run they do replicate. Each file infected will change size depending on which one is run: Gomez 1648 bytes, Pugsley 1792 bytes, Cousin It 1680 bytes, etc. This collection does warrant further research, but this is released so you can detect this 'weird family' and know a bit about them.
Michael Paris (Cris) - --------------------------------------------------------------------------- These signature's come from Cris Computer Research & Information Service (708) 863-5285 * These signature's have passed all testing and worked on all files that were infected and tested. REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow Over 1000. -----BEGIN PGP SIGNATURE----- Version: 2.3a iQBVAgUBLP+AFqM4CDusTF+9AQEHbgH/Rdgwij38YcPbQWlYsFK3en57rD0x0H2d Cb/jNnRcbjo4NhGmlOiMdhc7l3kv88wIe/Mj0Rx7+f0MkL0VjOHH/w== =fc7i -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- You can freq a complete CRIS TBAV Update signature file from 1:115/863 with the magic name CRISTBAV - - ----------------------------------------------------------------------- C.R.I.S. New Virus Signature Warning (CrisInfo.009) - - ----------------------------------------------------------------------- Virus Name: [CrisSig] THCK Trojan 2_HERM Notes: EXE COM TROJ Signature: BE 03 01 E8 ?2 B2 ?1 E8 ?2*6 FE C2 80 FA 02 If you add the above signature to your scanner, it will be detected. This file is a simple trojan using the Trojan Horse Construction Kit (THCK). It seems there are several deliberate bugs in it to create confusion. It doesn't use Int 13 properly but still accomplishes its desired task. This is to wipe all possible floppies and hard drives (The first 128 of each). One of the bugs regards its desired message. This is variable in length. The desired message is used as the test to overwrite the first 0-255 sectors of all attached disks. The message is encrypted. The supplied signature should catch most variants (cracks/modifications) of this without a complete rewrite of the engine. 
Bill Dirks (C.R.I.S)

-----------------------------------------------------------------------
Virus Name: [CrisSig] LindaLou
Notes: EXE COM INF
Signature: BA 12 01 8E DA 8C 06 38 00 33 ED E8 E6 0A

Virus Name: [CrisSig] LindaLou (2)
Notes: EXE COM INF
Signature: BA 75 01 8E DA 8C 06 38 00 33 ED E8 4B 10

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : No viruses found.
SCAN V111    : No viruses found.

If you add the above signatures to your scanner, they will be detected.

LindaLou is written by Jackel from the West Coast (California). LindaLou is a spawning virus: if a LindaLou-infected file is run it will go through the hard disk and make .COM files for EXE files over 40K in size. No time or date changes were noticed. No real payload was noticed either (although Jackel is known to add payloads to most of his code).

Michael Paris

-----------------------------------------------------------------------
Virus Name: [CrisSig] ANTIPRINT
Notes: COM EXE LOW INF
Signature: 00 5D 81 ED 13 00 06 1E B8 41 4E CD 21 3D 45 4D

If you add the above signature to your scanner, it will be detected.

ANTIPRINT - This virus is called AntiPrint for a good reason. If it finds DOS's PRINT installed, it will invoke a disk-overwriting routine to overwrite the first 16 sectors of drive C:. While I couldn't get it to run on my system, the code looks like it will do what it's supposed to do. This is a resident infecting program.

Bill Dirks (C.R.I.S)

-----------------------------------------------------------------------
Virus Name: [CrisSig] Zeuss
Notes: EXE COM INF
Signature: BE ?2 BA 70 01 2E 81 34 ?2 46 46 4A
F-Prot Signature: BE ?? ?? BA 70 01 2E 81 34 ?? ?? 46 46 4A

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : Might be infected.
SCAN V111    : No viruses found.

If you add the above signature to your scanner, it will be detected.

The Zeuss virus was written by Muja Dib with the help of ARiSToTLE (so he says in his info).
Zeuss is a .COM and .EXE infector that will add 753 bytes to each infected file. It will infect COMMAND.COM, so files will be infected with each boot. "On the anniversary of ][avok's crash (the 27th of every month) when an infected file is run, it will wipe out various tracks of drive C: and drive D: and put a Zeuss fact on the screen...)"

Michael Paris (C.R.I.S)

-----------------------------------------------------------------------
Virus Name: [CrisSig] Trivial V6
Notes: EXE COM INF
Signature: BF FD 00 57 B8 F3 A4 AB B0 CC AA BE

Virus Name: [CrisSig] Trivial V7
Notes: COM EXE INF
Signature: B9 02 00 0E 1F 5E AD 3D 4D 5A 74 18 3D 5A

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found. (V6: says might be Trivial)
TBAV 6.10    : No viruses found.
SCAN V111    : No viruses found.

If you add the above signature to your scanner, it will be detected.

V6 & V7 came in as .COM files, V7.COM and V6.COM. Both are COM infectors, V6 adding only 96 bytes to infected files and V7 416 bytes. These files do not change time or date stamps on files and they seem to do a good job of infecting files with one run across the drive. If you add the above signature to your scanner you can save yourself some restore time if they happen to make a stop on one of your disks.

Michael Paris (C.R.I.S)

-----------------------------------------------------------------------
╔═══════════════════════════════════════════════════════╗
║ Computer Virus Research And Information Service       ║
╠═══════════════════════════╦═══════════════════════════╣
║ Michael Paris (CRIS)      ║ Fido 1:115/863            ║
║ P.O BOX 508077            ║ Cris 77:708/0             ║
║ Cicero Il. 60600-8077     ║ Voice (708) 863-5472      ║
║ BBS (708) 863-5285        ║ FAX (708) 484-5702        ║
╠═══════════════════════════╩═══════════════════════════╣
║ FREQ These Magic Names From 1:115/863                 ║
║                                                       ║
║ FILELIST             PGPKEY (CrisKey)  F-PROT (Latest)║
║ CRIS (Info on Cris)  TBAV (Latest)     VSUM (Latest)  ║
║ NODELIST (Cris)      SCAN (Latest)     THDPRO (Latest)║
║ CRISTBAV (TBAV CrisSig Updates)                       ║
╚═══════════════════════════════════════════════════════╝

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLVXLfqM4CDusTF+9AQHe2AH+PkXzBgNNBJI7ojT6InWn+tiOEzqYne92
Vs9OhO5QUn5jwCarMBAY0JzzJDtbouC4KQk3ae7HQtf4wWwTCUb2kw==
=Ta+B
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

C.R.I.S New Virus Signature Warning! CrisInfo #011

Because of the possible destructive nature of most of the following, I ran these on a plain XT w/DOS 5.0 & no TSRs, etc. to see what they'll do. It also served the purpose of running about as susceptible a system as possible. This is sort of rushed (72 hours) and done without gallons of coffee & Jolt, so here goes.

-----------------------------------------------------------------------
[CrisSig] Aftershock-1 Trojan/Joke
Notes: EXE TROJ
Signature: BA F9 00 8E DA 8C 06 38 00 33 ED E8 B9 0C

[CrisSig] Aftershock-2 Trojan/Joke
Notes: EXE TROJ
Signature: BA B3 01 8E DA 8C 06 4A 00 33 ED E8 2E 0F

Aftershock 1 & 2 Trojans? - These seem to be jokes. 1 will simply "act" like it might be doing something, but it doesn't do anything besides display the number 5.2 after acting like it's trashing the hard drive. 2 simply locks the system. While the code looks like and does pick up the Int 13 & 26 code, it does nothing. I ran each of these about 40+ times with no results of any virus or trojan activity. This code was written in Pascal.
-----------------------------------------------------------------------
[CrisSig] Earthquake1 Trojan
Notes: EXE XHD TROJ
Signature: 80 00 0A 00 3F 00 12 00 36 04 36 A4 4C 01 00 40

[CrisSig] Earthquake2 Trojan
Notes: EXE XHD TROJ
Signature: F0 00 09 00 2C 00 0D 00 26 04 26 A4 28 01 00 40

Earthquake 1 & 2 Trojans - These are just what they claim to be, simple trojans. Nothing remarkable about them except they were written in Pascal and work, unlike the Aftershock trojans. Part of this code is identical to what I refer to as stepper trojans. They start at drive ?? and work backwards to A. An interesting note is the manner in which the header info was created. Heuristics bypass the files. It is because of this header that a signature can be made.

-----------------------------------------------------------------------
[CrisSig] ESP
Notes: COM INF LOW
Signature: BB 16 01 CD 11 B8 ?2 BA ?1 00 2E 29 07

ESP - This is a resident companion infector of .EXE files. .EXEs will have a companion .COM written that is a mirror of the virus. These files are 519 bytes in length. They are hidden and read-only. This virus utilizes variable encryption. The decrypter is fairly static so it's easy to find. It appears to contain no destructive payload and, based upon the code, only appears to replicate. To clean a system, simply delete the .COM companion files found.

-----------------------------------------------------------------------
[CrisSig] BIG_SKY {1} OR {2}
Notes: COM EXE INF
Signature: 58 0E 50 51 E8 00 00 58 2D 14 00 B1 04 D3

[CrisSig] BIG_SKY {2} OR {3}
Notes: COM EXE INF
Signature: 26 ?2 84 00 26 ?2 86 00 EB 1F 26 ?2 4C 00 26 ?2 4E 00

Big-Sky 1, 2, 3 - I couldn't get these to do anything other than lock the system. A disassembly didn't reveal any 80x86-specific code, so all I can assume is Jackel was trying to scare people based upon his Earthquake trojans and AfterShock jokes. The code does try to hook Int 21 as a minimum, but not really successfully here, nor 13 & 26.
-----------------------------------------------------------------------
[CrisSig] ITALBOY
Notes: COM EXE INF
Signature: 5E 83 EE 03 B8 01 F2 CD 21 3D F2 01 74 4E

Italboy - I couldn't get this to replicate on the XT or the 486 no matter what, even though a quick glance at the code says it should work. The following description is based upon a code analysis. This is basically a resident .EXE file infector. It has a payload to overwrite the first 256 sectors of the hard disk. It hooks into Int 21 to trap the loading, executing, and finding of programs. When it finds them, it will then infect them. The provided signature may or may not work. If the message " ITALY IS THE BEST COUNTRY IN THE WORLD " appears, your HD has been overwritten.

-----------------------------------------------------------------------
[CrisSig] NAKED-TRUTH
Notes: COM INF
Signature: 5D 81 ED 0C 01 3E C6 86 F3 02 00 8D B6 05

Naked-Truth - This is a direct infector of COMMAND.COM and all .COMs. It appears to do nothing other than replicate. It will attempt to infect all .COMs in the current directory. If none are found, it will step back through directories looking for .COMs to infect. Infected files will show an increase in size of 451 bytes. Infected files will continue to run. This, like Italboy, will overwrite the first 256 sectors of the hard disk on the 11th of any month.

-----------------------------------------------------------------------
[CrisSig] LOCKOUT {1} OR {2}
Notes: COM EXE BOOT INF
Signature: 8C C8 FA 8E D0 BC 00 7C FB 2E 83 2E 13 04

Lockout 1 & 2 - These viruses are supposed to be BR infectors. The best I could manage was a locked system. Their lockout is based upon CMOS changes. If you have a saved copy of your MBR/PT and CMOS, this should present no problems.

Bill Dirks (Cris)

-----------------------------------------------------------------------
Verified that the sig for the Jizm Trojan is a valid false alarm. Seems the trojan was originally a .BAT compiled to an executable with an unnamed .BAT-to-.COM utility.
I've got a new sig that's keyed on the original .BAT contents instead of the main code. I ran this three times on my system and no problems. The new sig is:

[CrisSig] JIZM TROJAN
Notes: COM EXE TROJ
Signature: 64 65 62 75 67 ?4 00 57 20 31 30 30 20

Bill Dirks (Cris)

-----------------------------------------------------------------------
Files on "SHAREWARE 1 2 THE MAXX" & "GAMES 2 THE MAXX" CD-ROM disk!

I took a quick but decent gander at the archive. It's a nasty joker to say the least. Unfortunately some of these same files have been floating around for a while but under various names. Here's a quick rundown of the archive contents. Those without a comment seem OK.

MWARS    BAT    129  07-17-92  6:27a   Runs READTHIS.COM
MWARS20  EXE  28758  02-15-92  2:25a
MWARS20  DOC   6729  07-17-92  6:41a
NOTE     DOC    687  01-01-80 12:17a
YANG     ME     130  07-17-92  4:15p
INSTALL  EXE  54272  06-14-90  4:57p   Trojan to kill a PCB BBS
DEMO     EXE   9728  04-22-90  8:45p   Trojan to trash disk.
DOMENOW  COM   4176  09-24-90  9:26p
READTHIS COM   9728  04-22-90  8:45p   Trojan to trash disk.

Note that DEMO.EXE and READTHIS.COM are identical files but with different extensions. Sigs that will pick these up are:

REVENGE TROJAN
Notes: COM EXE UATE TROJ
Signature: BA 2A 01 2E 89 16 F8 01 B4 30 CD 21 8B 2E 02 00 8B

PCB KILLER TROJAN
Notes: EXE COM UATE TROJ
Signature: 9A 00 00 99 0B 9A 87 04 E5 01 9A 9D 04 E5 01 33

Bill Dirks (Cris)

-----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLWV8b6M4CDusTF+9AQER9gIAmm/m0S8V7TYUU1kVkAd0yEpRlSqZsZvH
KKFNdFn0KEGoAoaTT+eNfxjuYTbGrOpeiM9QWn0B9uwlGs5lxE2hMg==
=yZzJ
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Virus Signature Alert!

---------------------------------------------------------------------
Virus Name: [CrisSig] [Data-Rape] 2.1 (Trojan)
Notes: COM EXE TROJ
Signature: BB 03 01 B5 00 B1 00 B6 00 B2 80 CD 13 73 11

[ ] F-Prot 2.10C   [ ] TBAV 6.09   [ ] SCAN 9.20 V109

None of the above scanners detect this file as of yet.
If you add the above signature to your scanner, it will be detected.

This is a simple trojan and not a virus. It can be mistaken for one though, since it writes itself to the hard disk plus whatever was in memory at the time. It was written by Zodiac and Data Disrupter back in 1991 as part of the Rabid group. This is part of the info that will be written to disk. It'll attempt to overwrite no less than the first 69 sectors of the hard disk. It'll then go after any floppy in the A drive to do the same. Because of the manner in which it attempts to overwrite the hard disk, most XTs' HDs shouldn't be affected. It partly depends on the BIOS and use of Int 13. A standard XT will not allow a long sector write.

Bill Dirks

---------------------------------------------------------------------
Virus Name: [CrisSig] Sabbath {Generation 1}
Notes: COM EXE INF
Signature: 1E 75 13 B0 02 B9 20 00 33 D2 CD 26

Virus Name: [CrisSig] Sabbath
Notes: COM EXE INF
Signatures:
  TBAV:   B9 43 03 81 3L ?2 83 02 E2 F7
  SCAN:   "B94303813L??8302E2F7" [Sabbath]
  F-PROT: B94303813L????8302E2F7

[ ] F-Prot 2.10C   [M] TBAV 6.09   [ ] SCAN 9.20 V109

This virus goes TSR. It will basically try to infect anything but the boot sector. It doesn't matter whether it's executable or not. It does a find-first and goes after the file if not already infected. It captures the critical error handler so it isn't obvious what it does when it messes up. The virus will infect the first file in the directory. There are several bugs in the code. One of them is that it will infect a file more than once. This causes problems in detection. What will typically happen is the file will become infected. It is easily detected at this point. Upon running it again, it may or may not damage itself by reinfecting the same file. Basically, if the infection is valid, the strings above will detect it. Once the virus kills itself by damaging the file, the file is no longer infectious or executable, but it is no longer detectable either, due to the damage.
Bill Dirks

---------------------------------------------------------------------
Virus Name: [CrisSig] Quadratic Equation II (Generation 1)
Notes: EXE COM LOW DROP
Signature: BD 00 00 1E 06 B4 3F BB FF FF CD 21 3D FF

Virus Name: [CrisSig] Quadratic Equation II
Notes: EXE COM LOW INF
Signatures:
  TBAV:   BH DA 04 2E 30 ?2 E2 FA
  SCAN:   "BHDA042E30??E2FA" [Quadratic Equation II]
  F-PROT: BH DA 04 2E 30 ?? ?? E2 FA

[M] F-Prot 2.10C   [M] TBAV 6.09   [ ] SCAN 9.20 V109

None of the above scanners detect this virus as of yet. If you add the above signature to your scanner, it will be detected.

Quadratic Equation II is a memory-resident COM and EXE infector that will become memory resident when the first infected file runs. When the virus is memory resident it will infect any COM or EXE file that is run (including COMMAND.COM). There will be no time or date changes. Infected files will change in size by 15 bytes while the virus is active in system memory; if the virus is removed from memory the files will show the true size change of 1285 bytes. The signatures above have been tested and proved to work on all tested files.

Michael Paris

---------------------------------------------------------------------
Virus Name: [CrisSig] YB-5 (Handsome)
Notes: COM INF
Signature: EB 00 C3 8D 94 8E 01 B4 4E B9 3F 00 CD 21

[ ] F-Prot 2.10C   [M] TBAV 6.09   [ ] SCAN 9.20 V109

YB-5 is a COM infector that adds 466 bytes to infected files. The source code claims "AUTHOR: Köhntark; surgeon: Urnst Kouch". This virus is a demonstrator for the YB-5 code segment. It is sufficient to get by F-Prot's 'heuristic' mode, but does not get past TBScan's heuristic mode. TBScan reports a possible infection. The above signature works on all samples tested here. By adding this signature you will be able to detect this virus and all infected files.
Michael Paris

---------------------------------------------------------------------
Virus Name: [CrisSig] DK - (Generation 1)
Notes: EXE COM DROP
Signature: 83 EC 10 83 E4 E0 8B EC 50 BE 05 01 03 36

Virus Name: [CrisSig] DK
Notes: EXE COM INF
Signatures:
  TBAV:   B9 B6 01 BB ?2 2E 81 07 ?2 83 C3 02 E2 F6
  SCAN:   "B9B601BB??2E8107??83C302E2F6" [DK]
  F-PROT: B9B601BB????2E8107????83C302E2F6

[ ] F-Prot 2.10C   [M] TBAV 6.09   [ ] SCAN 9.20 V109

Note: The first-generation signature is known to give a false positive in some cases; the DK infection signature has been tested with none. Both signatures worked on all files infected and tested here.

The DK virus is an encrypting, non-memory-resident, non-stealth virus. The first time a file infected with the DK virus is executed, the system's date will be changed to 1994 and two files in the current directory will be infected, one EXE and one COM. If the virus can't find two uninfected files then it will search for alternate directories. The DK virus is no real threat because it does no real damage except infecting files, which currently have to be deleted to clean the virus off of the system, and changing the system date from XX/XX/XXXX to XX/XX/1994. Due to this fact the virus's presence can be easily detected; also, ViruScan identifies it as the TridenT virus. I have created a signature for this virus which can easily detect it by using McAfee's ViruScan. This signature is "B9B601BB??2E8107??83C302E2F6"; these are the bytes which remain constant after the encryption of the virus each time. I have tested it and it doesn't seem to have any conflicts with any other programs.

Shaun Debow

---------------------------------------------------------------------
These signatures come from Cris Computer Research & Information Service, (708) 863-5285 (BBS).
* These signatures have passed all testing and worked on all files that were infected and tested.

REMEMBER: F-Prot will only allow 10 user sigs at a time, SCAN under 250, TBAV over 1,500.
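The DK entry above says why its scan string keeps working across infections: the bytes of the decryptor loop stay constant while the two immediates the loop needs (the start offset and the key) change, so the string blanks exactly those with wildcards. The following Python is an added example for this page, not CRIS, TBAV, F-Prot or SCAN code. It parses the wildcard forms the bulletin uses (`?2` in the TBAV strings, `??` per byte in the F-Prot strings, `*6` in the THCK string, `?@23` in the New Nichols boot string), scans a buffer for them, and runs the DK string over a constructed stand-in file whose decryptor has the shape the string describes. The wildcard semantics, the sample file and the `build_sample`/`decrypt_sample` helpers are my assumptions, inferred from how the page pairs the TBAV and F-Prot forms of one signature, not documented behaviour of any of the three products.

```python
"""Scan-string matcher for the wildcard signatures in this bulletin.
Added example; not CRIS, TBAV, F-Prot or SCAN code.  Wildcard semantics are
an assumption inferred from how the page pairs TBAV and F-Prot strings:
  'AB' literal byte    '??' one wildcard byte    '?N' N wildcard bytes
  '?@HH' 0xHH wildcard bytes (boot string)    '*N' zero..N bytes of anything
Anything else ('3L', 'BH') raises ValueError rather than being guessed at."""
import re
import struct

_TOKEN = re.compile(
    r'\?\?|\?@([0-9A-Fa-f]{2})|\?(\d)|\*\(?(\d+)\)?|([0-9A-Fa-f]{2})')

# Strings quoted from the bulletin: DK in TBAV and F-Prot form, Enemy Within,
# and the New Nichols boot-sector string.
DK_TBAV = 'B9 B6 01 BB ?2 2E 81 07 ?2 83 C3 02 E2 F6'
DK_FPROT = 'B9B601BB????2E8107????83C302E2F6'
ENEMY_SIG = '8E C0 48 8E D8 C7 06 01 00 08 00 EB 14 58 50 8E C0'
NICHOLS_BOOT = 'EB 23 ?@23 FA 33 C0 8E D0'


def parse_signature(sig):
    """Tokenise a scan string into [('byte', v) | ('skip', n) | ('range', n)]."""
    s = sig.replace(' ', '').strip('"')
    pos, tokens = 0, []
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if not m:
            raise ValueError('unsupported signature syntax at %r' % s[pos:])
        if m.group(0) == '??':
            tokens.append(('skip', 1))
        elif m.group(1):                       # ?@HH: hex count
            tokens.append(('skip', int(m.group(1), 16)))
        elif m.group(2):                       # ?N: decimal count
            tokens.append(('skip', int(m.group(2))))
        elif m.group(3):                       # *N or *(N): up to N bytes
            tokens.append(('range', int(m.group(3))))
        else:
            tokens.append(('byte', int(m.group(4), 16)))
        pos = m.end()
    return tokens


def _match_at(data, tokens, i, t):
    """Match tokens[t:] against data[i:]; return the end offset or -1."""
    while t < len(tokens):
        kind, val = tokens[t]
        if kind == 'byte':
            if i >= len(data) or data[i] != val:
                return -1
            i += 1
        elif kind == 'skip':
            i += val
            if i > len(data):
                return -1
        else:                                  # 'range': backtrack over 0..val
            for n in range(val + 1):
                end = _match_at(data, tokens, i + n, t + 1)
                if end >= 0:
                    return end
            return -1
        t += 1
    return i


def find_signature(data, sig):
    """Offset of the first match of sig in data, or -1 if absent."""
    tokens = parse_signature(sig)
    for start in range(len(data)):
        if _match_at(data, tokens, start, 0) >= 0:
            return start
    return -1


# Constructed stand-in for the file shape the DK string describes.  Decoding
# the string: B9 B6 01 = mov cx,01B6h; BB imm = mov bx,imm; 2E 81 07 imm =
# add word cs:[bx],imm; 83 C3 02 = add bx,2; E2 F6 = loop (back 10 bytes).
# A 16-byte add-based decryptor: fixed count, per-infection start and key.
DK_WORDS = 0x01B6
SAMPLE_BODY = (b'constructed plaintext body, not virus code; ' * 40)[:2 * DK_WORDS]


def build_sample(key, start=0x0113, count=DK_WORDS, prefix=b'\xE9\x00\x00'):
    """A jump, the decryptor, then SAMPLE_BODY with `key` subtracted from
    each little-endian word so the decryptor's ADD would restore it."""
    plain = SAMPLE_BODY[:2 * count].ljust(2 * count, b'\0')
    words = struct.unpack('<%dH' % count, plain)
    enc = struct.pack('<%dH' % count, *[(w - key) & 0xFFFF for w in words])
    decryptor = (b'\xB9' + struct.pack('<H', count)          # mov cx, count
                 + b'\xBB' + struct.pack('<H', start)        # mov bx, start
                 + b'\x2E\x81\x07' + struct.pack('<H', key)  # add cs:[bx], key
                 + b'\x83\xC3\x02'                           # add bx, 2
                 + b'\xE2\xF6')                              # loop
    return prefix + decryptor + enc


def decrypt_sample(sample, sig=DK_TBAV):
    """A hit on the static decryptor also hands over the key: read the count
    and key immediates at fixed offsets from the match and undo the ADD."""
    off = find_signature(sample, sig)
    if off < 0:
        return None
    count = struct.unpack_from('<H', sample, off + 1)[0]
    key = struct.unpack_from('<H', sample, off + 9)[0]
    words = struct.unpack_from('<%dH' % count, sample, off + 16)
    return struct.pack('<%dH' % count, *[(w + key) & 0xFFFF for w in words])
```

Two things the bulletin reports follow directly from this. A string that includes a count immediate (the `B9 B6 01` at the front of the DK string) stops matching as soon as that count changes, so it is tied to one build of the engine even though the engine is the same. And a string made only of bytes that other programs share will hit those programs too, which is what the Jizm "valid false alarm" and the DK first-generation false positive on this page are; the nine-byte Greetings string (`E8 00 00 5D 81 ED 03 00 E8`, a call-next / pop bp / sub bp,3 delta-offset sequence) is a common virus idiom rather than anything specific to Greetings, and is worth running against a clean file set before adding it.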
-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLR6AhqM4CDusTF+9AQGbaQH/Zo64j/KsVJcjUX4rayxYZQXaILvJlCRW
I9LUNA0J3YxYj/Wrz3gmECUU+bohF9U3IK73ZiNUQTnUdvpTR1ZqnA==
=raZ2
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

C.R.I.S. New Virus Signature Warning (CrisInfo.008)

-------------------------------------------------------------------------
Virus Name: [CrisSig] Acid Trip
Notes: EXE COM LOW INF
Signature: 81 F9 00 0C 75 21 B4 0F CD 10 3C 03 75 19

If you add the above signature to your scanner, it will be detected.

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : No viruses found.
SCAN V111    : No viruses found.

Acid Trip is a resident .EXE infector. (You will need to include .COM infection if you want it to pick up the original Acid Trip.) It infects upon file execution. Infected files will have a file size increase of 694 bytes; however, this increase will be hidden while the virus is resident in memory. The Acid Trip virus will at 12:00pm of any day cause the monitor to rapidly scroll through the color palette. It will display the following message: "Your PC is on an [Acid Trip]... try again later..." However, on the test system the virus just displayed the message and then hung the system, so you might get varied results on varied hardware. The virus contains no intentionally damaging code. The virus contains the following messages:

  Crypt Keeper P/S
  Your PC is on an [Acid Trip]... Try again later...

William Chapman [Cris]

-------------------------------------------------------------------------
Virus Name: Greetings Virus
Notes: COM EXE LOW INF
Signature: E8 00 00 5D 81 ED 03 00 E8

If you add the above signature to your scanner, it will be detected.
Scanning Results
-------------------------------------------------------------------------
TBAV 6.10                      - Undetected
McAfee's ViruScan Version 111  - Undetected. File had to be deleted.
Norton AntiVirus Version 3.0   - Undetected. File had to be deleted.
F-Prot Ver 2.10c               - Unknown Virus (original file only). Note: infected files not detected. File had to be deleted.
Virus Terminator               - Undetected. File had to be deleted.
VirusCure                      - Undetected. File had to be deleted.
-------------------------------------------------------------------------

Extra Information Found on Greetings Virus
-------------------------------------------------------------------------
Virus                    : The Greetings Virus
Author / Modification By : Admiral Bailey
Language Used            : Assembly Language [TASM 2.0]
Type of Virus            : Encrypted TSR COM/EXE infector.
Date of Release          : 1-2-93
-------------------------------------------------------------------------

Some Notes: This is a TSR COM/EXE infector. Between certain times it will display a bouncing ball, both on graphics (which it will ruin) and in text. When you reboot during a certain time it shall display a certain message.

Researcher's Notes

The Greetings virus infects COM and EXE files and is memory resident. The virus uses 2.2K of RAM. On execution of the original virus COM file, the words (Hello World...) will be displayed. Interrupts hooked are 08, 09, and 21. The Greetings virus will infect the COMMAND.COM file if executed. The words (Hello World...) can't be found in infected files or in memory.

--------------------------------------------------------------------------
Interrupt 08  System Timer.
Interrupt 09  Keyboard Hardware. This interrupt is invoked any time a key is pressed and released. The Greetings virus will lock up the keyboard.
Interrupt 21  DOS Functions. Allows the virus to use over 100 functions.

Infection

Infected COM and EXE files will have an increase in file size of 1,118 bytes. The virus will only infect the COMMAND.COM file if executed.
Infected files have no change to date and time.

Encryption

Encryption by this virus is fairly good, but the scan string given above for TBAV will detect all files infected with the Greetings virus (including encrypted files and the original virus COM file).

Testing

The only signs of infection by the Greetings virus are file growth and memory loss of 2.2K.

Summary

Greetings is a typical computer virus. Nothing unusual occurred during testing. According to the text that the virus came with, a ball will be displayed on the screen. I changed the date and time around some, but still couldn't activate it. I wasn't really impressed, but of course my idea of a great virus would be one that reaches out of the screen and grabs you by the neck. A virtual reality virus maybe. Just kidding. Prosperous researching.

Larry Shultz (C.R.I.S)

-------------------------------------------------------------------------
Virus Name: [CrisSig] CMAGIC/fx
Notes: COM INF LOW
Signature: 5D 81 ED 13 00 8B F5 81 C6 0E 00 8A 14 8A 64 01 8B

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : Seems to be infected by an unknown virus.
SCAN V111    : No viruses found.

If you add the above signature to your scanner, it will be detected.

-------------------------------------------------------------------------
This virus is a resident .COM infector. It will hook the 21st interrupt and infect any .COM file opened. It appears to contain no destructive code. The virus is fairly noticeable because it makes noises from the PC speaker. These noises consist of a couple of different sounds which last about 5 seconds. Infected files will have a growth of 2015 bytes; however, the virus will hide its size during a directory command while resident in memory.
The virus contains the following message: [CMAGIC/fx] By Mnemonix V 1.00 1994

William Chapman (C.R.I.S)

--------------------------------------------------------------------------
Virus Name: [CrisSig] JIZM TROJAN
Notes: COM EXE TROJ
Signature: 8B D6 33 C9 B8 02 3C 0B FF 74 02 FE C4 CD 21

If you add the above signature to your scanner, it will be detected.

666-JIZM - contains three files: INSTAL_C.COM, YANKEES.COM and TROJAN.COM. The first two files are simply The Draw saved screens and are harmless. The file TROJAN.COM is a trojan to overwrite the first sector of drive C: by calling and using DEBUG to create and run a file. It goes under the premise of updating certain The Draw functions. The file is easily hackable and the signature included takes this into account.

Bill Dirks (C.R.I.S)

--------------------------------------------------------------------------
Virus Name: [CrisSig] ENEMY or [ACIDTRIP]
Notes: COM EXE LOW INF
Signature: 8E C0 48 8E D8 C7 06 01 00 08 00 EB 14 58 50 8E C0

If you add the above signature to your scanner, it will be detected.

This is the Enemy Within virus written by Crypt Keeper of P/S. This is a resident infector of programs. It hooks Int 21 when it goes TSR and monitors 2F. It does a call to an undefined function to determine its presence. It also leaves a file marker to determine infected files. It infects .EXEs only, with a file increase of 644 bytes. Memory is reduced by 1040 bytes. This program is semi-stealth insomuch as, while TSR, infected file sizes look the same, file date/time stamps remain unchanged, and it seems it performed its infections normally after a file terminates execution. This appears to be done with the PS-MPC or a similar virus construction kit.

ACIDTRIP - The Acid Trip virus, written by Crypt Keeper of P/S, is virtually identical to the Enemy Within virus except it is supposed to display a message to the screen. File increase is 694 bytes and memory is reduced by 1364 bytes.
Bill Dirks (C.R.I.S)

--------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLVWE46M4CDusTF+9AQGQUAH/Shz56Rds37PSa032jhFF+C1WlmeiXQ6k
Uu+5yeXK0FYeOACM13dQ+9xp0JP/kezraxsLh0dMi4+BTjMVMB4+aQ==
=60gD
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

C.R.I.S. New Viruses - Signature Warning

------------------------------------------------------------------------------
Virus Name: [CrisSig] Dieted Nichols Dropper
Notes: COM EXE DROP
Signature: 73 F3 A6 C3 E4 E3 FF 11 02 E9 CD 20

Virus Name: [CrisSig] New Nichols
Notes: BOOT INF
Signature:
  TBAV: EB 23 ?@23 FA 33 C0 8E D0
  SCAN: EB 23 *(23) FA 33 C0 8E D0

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : Infected items: 00
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

------------------------------------------------------------------------------
NICHOLSD - This is the dropper for the Nichols virus. It will infect the MBR of floppies. Once done, infected floppies will infect hard disks. It stores the original boot sector so the system remains bootable. It was written by Apache (of ARCV?). It seems to have no payload and is only meant as a nuisance. The dropper program is Dieted.
The virus itself is not encrypted. It will momentarily display [Nichols] by Apache.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] Addict9
Notes: COM EXE LOW INF
Signature: 2E A1 6C 05 2E 0B 06 6E 05 58 75 07 9C 2E

F-Prot 2.10C : Infection: _1364 - Modified (700 extra bytes)
TBAV 6.10    : Probably infected by an unknown virus.
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

------------------------------------------------------------------------------
ADDICT9 - This is a resident infector of executables, to include COMMAND.COM. It will infect .COM & .EXE files and leave them runnable. It does have a payload and a unique activation routine. As the virus passes from one machine to another, it stores and compares BIO.S data. When it is on a new machine, it increments an internal counter which is saved. After 255 separate machine infections, a routine to overwrite the first 64 sectors of drive C will be called. Infected files increase in size by 1364 bytes. The original date/time stamp is maintained. The virus will tunnel to get the original INT 21 but doesn't employ any real stealth techniques.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] 44 {43} Trivial
Notes: COM INF
Signature: B4 4E 33 C9 BA 25 01 CD 21 B8 02 3D BA 9E

F-Prot 2.10 : Seems to be infected by an unknown virus.
TBAV 6.10   : Infected by Trivial {1}
SCAN V108   : No viruses found.

If you add the above signature to your scanner, it will be detected.

44{43} Trivial is a non-resident .C* overwriting virus which is greater than 43 bytes in size. The source code claims that the virus is 44 bytes; however, when compiled it is actually only 43.
The virus does have a bug: upon execution it does infect all .C* files in the directory, but it prints garbage (actually itself) to the screen and then the system hangs. It was written by Dark Helment.

William Chapman (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] MAX
Notes: COM EXE BOOT INF
Signature: E8 03 00 ?3 5D 0E 16 58 59 33 C8 75 37 B8 01 02

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : Probably infected by an unknown virus.
SCAN V109    : No viruses found.

If you add the above signature to your scanner, it will be detected.

This virus is a funny little thing. For how simple it is, it has kept our researchers busy. MAX is a new virus from Memory Lapse [P/S]. When first sent to us it had some claims that we had to check out right away. First it was sent up as a simple memory-resident .COM infector. One researcher had a quick look at it and said [BOOT VIRUS]. Later we were told that it would format a drive on 10/29. We checked this out to be not true. Memory Lapse has outdone himself with this one; his practice on all of those 'clean programmed' .COM and .EXE memory-resident viruses has brought him to the place of writing something new, and here it is...

There were many other claims and false panic alarms on this file, but here is the scoop.

MAX - Once a dropper file is run on the PC, this file will infect the MBR of the hard disk. The virus will not go memory resident at this time, nor will it infect any files. Once the machine is rebooted the virus will go memory resident and start infecting .COM files, adding 347 bytes to infected files. There will be no time or date changes on infected files. Note also that it worked here just fine on all machines tested. Also, with different versions of DOS we had no problems infecting bait files. This virus spreads like wildfire.
One researcher here had a problem making it work on his IBM XT with two different versions of DOS. (Everyone else testing it used ATs, with no problem at all.) The signature above will detect the virus both in the MBR and in ALL infected files on the hard disk.

Michael Paris (C.R.I.S)

------------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.3a

iQBVAgUBLTuEfqM4CDusTF+9AQEX/wH8DFmLyPtbrZSPc6ibxxTEsWPm+ehPJTvp
UeEIlrmw4vRYqgvGTvcIFXMeTsuNlcrEK/FeIsqpAx7G1K7cz5/x0g==
=t+GS
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

New Virus - Signature Warning

------------------------------------------------------------------------------
Virus Name: [CrisSig] Jackel5a
Notes: COM EXE ATE INF
Signature: 0E ?3 0l ?6 Ch

F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10    : No viruses found.
SCAN V109    : Infected items: 00

If you add the above signature to your scanner, it will be detected.

------------------------------------------------------------------------------
JACKEL5A - This is a simple dropper that really doesn't spread well at all. The only file I could get it to infect was FORMAT.COM and files that called/used it.
The threat from this spreading on a system is practically nil due to bugs in the code. It will however do quite a few things well that are noteworthy. Namely, they open you up to other virus attacks. It will upon execution disable Central Point's resident AV code (VSAFE and probably also MSAV by MS). It will then delete the following files created by other AV packages: Antivir.dat, Chklist.cps, *._??, and Scanval.val. It also has a null routine to activate a yet to be included routine on the 13th of any month. Also, this thing looks for its own signature effectively in files and memory, but it won't prevent multiple reinfections of an already infected file 50% of the time.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] Mordor File infector
Notes: COM EXE BOOT HIGH INF
Signature: 0E 1F BF 1A 01 80 3D BA 74 10 B9 56 04 BF 1A 01
Virus Name: [CrisSig] Mordor Boot infector
Notes: BOOT INF
Signature: 9C 50 51 52 1E 06 B4 CD 1A 80
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : infected by Mordor virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
------------------------------------------------------------------------------
MORDOR - This is a nasty little virus. It is encrypted but keeps a fairly static decryptor. It starts off by disabling VSAFE/VWATCH. It then checks to see if it is resident. It does this by checking Int 21-DA, which is normally used by Basic/Basica. It will, depending upon various factors, go resident, and at other times remove itself. When it goes resident, you will normally lose the function of the highest placed TSR/Driver. SCSI users will probably lose access to their SCSI devices when Mordor is active due to the area it overwrites as a work area (TOM). Possible video skewing also. When active, it will overwrite code starting at segment 9F80. On March 31st it will display a message.
If you see this message it is important. The following day/month, April, will activate its destruction routine. This routine will overwrite tracks 0-17 on heads 0-4 with whatever info is sitting in 5000:5000 in memory. It will reboot (semi-cold) the system at this time using the infection code to ensure complete obliteration of data (FAT+). It looks like it will infect/overwrite any executable. It does trap Int 21 (Dos services) & 24 (Critical Error Handler). Except for Mar 31st and the month of April, it appears to try and do nothing other than spread. Multidisk systems should only have drive C (1st hard disk) affected by the destruction routine since there is no drive stepping routine. From the routines I saw, it can best be described as semi-stealth.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] Dementia Pracecox 2.0
Notes: COM INF
Signature: 5D 81 ED 14 01 8B F5 81 C6 38 01 8B DD 81
F-Prot 2.10 : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : probably infected by an unknown virus
SCAN V108 : No viruses found.
If you add the above signature to your scanner, it will be detected.

Dementia is a non-resident infector of .COM files that will change infected files 609 bytes. Dementia 2.0 will also infect all .COM files in the directory one up from the current directory, with no date or time changes made to infected files. This virus contains the message: [DR/2] Dementia Praecox by Mnemonix

William Chapman (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] PET (ARCV) TROJAN
Notes: COM EXE ATE DROP
Signature: 90 90 BA AC 02 33 C9 B8 02 3C CD 21 93 B4 40
Virus Name: [CrisSig] PET (ARCV) TROJAN
Notes: COM FND TROJ
Signature: B0 02 B9 FF 00 33 D2 CD 26 B0 03
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
------------------------------------------------------------------------------
PET - This is more a trojan than a virus. The only files it will actually infect in any manner are a:\command.com, a:\dos\command.com, and a:\windows\win.com. It does this by truncating the files and trojanizing them. The new file length is about 38 bytes. The trojan code is designed to overwrite the first 255 sectors of drives C thru F.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] HSPAWN
Notes: COM INF
Signature: E9 01 02 AC 0A C0 75 FB 81 7C FC 45 58 74 3E 81
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
------------------------------------------------------------------------------
HSPAWN - This is a very aggressive resident spawning/companion type virus. When an .EXE file is executed, a companion .COM is created containing an exact image of the virus. The size of these files is 1115 bytes and they are hidden. This virus does incorporate some stealth techniques that prevent most TSR AV software from detecting its presence and actions while active. It is a little picky about its environment. Depending upon device drivers loaded, it may lock the system when it attempts to go TSR. Cleaning a system of this involves deleting all the hidden .COMs created.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------
Virus Name: [CrisSig] OSPRING - (First Generation)
Notes: COM EXE INF LOW
Signature: BB 11 01 53 C3 E9 E9 20 BB 11 01 53 C3 E9 E9 36
Virus Name: [CrisSig] OSPRING (089)
Notes: COM EXE INF LOW
Signature: ?1 09 ?2 C3 E9 E9 ?2 BH 37 ?1 90
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
------------------------------------------------------------------------------
OSPRING - This is a resident direct infector of .COM files, and it spawns companion .COMs for .EXE files. It uses a variable encryption scheme and generates a certain amount of polymorphism. It was intentionally designed to attempt to bypass heuristic scanning. The file size increase of .COM file infections varies and is typically around 1570 bytes. Spawned .COMs are an image of the virus and appx. the same length. Spawned companion .COM files are made read only and hidden. 5 files will be infected each time an infected file is run. It is semi-stealthy. No real tunneling. Files will retain their original date/time stamp and, by using hidden companion .Com files, it is a little hard to detect. It will kill Antivir.dat and Chklist.* files. It will not infect Command.Com.

Bill Dirks (C.R.I.S)

------------------------------------------------------------------------------

------------------------------------------------------------------------
C.R.I.S. New Virus Signature Warning (CrisInfo.013)
------------------------------------------------------------------------
You can freq a complete CRIS TBAV Update signature file from 1:115/863 with the magic name CRISTBAV (Works With REGISTERED VERSIONS ONLY)

CrisSigs are made at no charge to anyone that wants to use them. They are not meant as positive 100% infection protection. CrisSigs serve the user that wants to have that 'extra' protection until the virus is added to the scanner they are using. In the history of CrisSigs there have been (3) signatures that have given warnings on files that were not infected but claimed to be on some files that were scanned. By using CrisSigs the chance is there to get a false virus warning, but we feel it is better safe than the chance of losing your files or hard disk. All of the CrisSigs have been tested to work on the viruses below and have been tested for false alarms and found none.
Michael Paris [Cris Staff]

------------------------------------------------------------------------
Virus Name: [CrisSig] Skid-Row
Notes: EXE COM LOW INF
Signature: B4 0D CD 21 B4 52 CD 21 FC 26 C5 77 12 C5
F-Prot 2.11 : No virus found
TBAV 6.12 : May be infected by an unknown virus
SCAN V113 : No Virus found
If you add the above signature to your scanner, it will be detected.

First I must say that I truly enjoyed researching this little bugger. It is a very smart little virus. Upon execution of the infected drop file nothing out of the ordinary happened. No bait files showed alteration, nor did any other file for that matter. The TSR scanner did not go off, nor was there a change in memory size or status. A dud? NO WAY! Scanning the drive again with various scanners (ones on the HD at time of execution) showed no changes anywhere on the hard drive. So I rebooted and ran TBAV from a protected diskette and found that all EXEs were indeed infected and changed. There was no change however in the size or date/time stamp of any files. EXEs were infected all over the HD, however NO bait files were infected at all. The virus showed no interest in any COM file, including COMMAND.COM. Rebooting again, I ran the infected files to observe activity. Qdos was the file run. At this time the virus displayed the text below.

    This is Skid_Row Virus Written by Dark Slayer * in Keelung. Taiwan*

It did appear to cause the system to hang a few times; I am however not sure whether the virus caused this, or if it was just the old XT that was being used to test. The virus does go memory resident, even though no TSRs would detect it, because after termination of infected programs the message screen will intermittently appear, always when a drive is changed (A: B: C: etc). At this point I extracted a string to test out. The string was installed in TBAV and the hard drive was planted with more files (clean) and a few odd virii.
The string identified all the infected files and gave no false alarms. Next I rebooted and compiled the string into TBAV on the hard drive and ran the scan again. SKIDROW would not scan. The other virii on the drive, including some that were user defined, scanned, but not Skid-Row. It seems to be full stealth once it becomes resident. Rescanning from a write protected disk showed that all the files were indeed still infected. The original infected file SKIDROW.COM after execution became memory resident and no longer showed infection.

Art Mason [Cris]

More on Skid Row by: Staale Fagerland

This virus, both in its a and b version, uses the old beast technique for hiding itself in memory. One buffer is unlatched from the DOS buffer pool and taken by the virus. It is a fast infector, infecting on open as well as on execute. This means that if you scan with this virus in memory, all eligible files opened by the scanner will be infected - if your scanner is not able to see it in memory and stop before it starts opening files. The virus infects nothing but exe-files with enough space for it in the exe header. No file growth, and no infection of com files. But infected exe-files will after infection have a com structure. It is also a stealth virus, disinfecting on the fly. It seems to use int13 for both the stealth functions and the infection routine. Int13 is hooked, but not directly.

Some quick ways to determine if you have this one in memory:

1. Look at the dropper with a file browser such as list. If it is active, you will not be able to see the virus code.
2. Count the DOS buffers. If the virus is up and running, you will have one less than you thought you had.
3. If you use a good memory tool, such as MAM, you will see int13 pointing both at the DOS buffer pool _and_ at HMA. Dead giveaway.
Regards StF

-----------------------------------------------------------------------------
Virus Name: [CrisSig] Covina
Notes: EXE COM TROJ
Signature: FC 06 1E 0E 8C C8 01 06 35 01 BA 85 00 03
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.12 : Nothing
SCAN V113 : No viruses found.
If you add the above signature to your scanner, it will be detected.

The Covina Trojan: This is a Trojan that adds a line to the end of the autoexec.bat file to do an unconditional format of the hard disk. When the file is run it will search for the autoexec.bat file on the C: drive and update it with the command needed. This trojan was written by someone named Super Tanker.

Michael Paris [Cris]

-----------------------------------------------------------------------------
Virus Name: [CrisSig] Yesturday Once More [YOM]
Notes: EXE COM INF
Signature: 5D 81 ED 0D 01 E8 25 01 B8 53 46 E8 A0 01
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.12 : probably infected by an unknown virus
SCAN V113 : No viruses found.
If you add the above signature to your scanner, it will be detected.

The YOM virus was written in Finland by Pepper; it is supposed to be his first non-overwriting virus. This file was written 01-April-94. Files will change in size 529 bytes but no time or date changes at all. According to the programmer this virus has 256 different forms of mutation. All the texts and some parts of code are mutated. Number #00 of mutations is the unmutated virus. Infects COM-files within the length of 123-63999 bytes. Doesn't infect command.com. Uses dotdot-method. Infects 2 files from every directory from current one to root directory. Checks for previous infection, restores date and time stamps, deinits VIRSTOP, displays a text message 'yesterday once more' every 128th time run and backs up clock by one day.
Michael Paris [Cris]

-----------------------------------------------------------------------------

You can freq a complete CRIS TBAV Update signature file from 1:115/863 with the magic name CRISTBAV (Works With REGISTERED VERSIONS ONLY)
------------------------------------------------------------------------
C.R.I.S. New Virus Signature Warning (CrisInfo.012)
------------------------------------------------------------------------
Virus Name: [CrisSig] Rubbit V1.0
Notes: COM EXE LOW INF
Signature: BE 03 01 8B 0C 51 33 C0 8E C0 26 80 3E FC
This signature form will work with any signature format for different scanners
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.11 : No Viruses found!
SCAN V112 : No viruses found!
If you add the above signature to your scanner, it will be detected.

Rubbit 1.0 is a memory resident COM infector that adds 681 bytes to infected files. When the virus goes memory resident it will infect any file that is run. According to the virus code this virus was written by Peter Ferng.
Michael Paris (C.R.I.S)

------------------------------------------------------------------------
Virus Name: [CrisSig] Terminator
Notes: EXE COM LOW INF
Signature: 1E 0E 1F 06 B4 52 CD 21 26 8E 47 FE 26 80
This signature form will work with any signature format for different scanners
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.11 : No Viruses found!
SCAN V112 : No viruses found!
If you add the above signature to your scanner, it will be detected.

The Terminator virus is a memory resident EXE infector that will get past most memory resident protection. After the virus becomes memory resident it will infect any .EXE file that is run. It will add 904 bytes to infected files. After a number of infections it will display a graphic screen saying ....

    Don't be afraid. I am a very kind virus. You have do many works today. So, I will let your computer slow down. Have a nice day, Goodbye. Press a key to continue. . .

Michael Paris (C.R.I.S)

------------------------------------------------------------------------
Virus Name: [CrisSig] Oracle
Notes: EXE COM INF LOW
Signature: 5D 81 ED 22 00 1E 33 C0 8E C0 48 33 FF B9
F-Prot 2.11 : New variant of Golgi
TBAV 6.11 : probably infected by an unknown virus.
SCAN V112 : No virus found
If you add the above signature to your scanner, it will be detected.

Oracle is a memory resident .COM and .EXE infector. Infected files will have the size of the file increased by 997 bytes. This size increase will be hidden if the virus is active in memory. Oracle hooks the 21st interrupt and infects files upon execution. However, on the test system the virus would infect files but sometimes had problems executing files. The following occurrences happened while testing: all memory mappers did not work, any file viewer had erratic behavior, and one larger program received an out of memory error. The virus does create a drive error when attempting to write to a write protected floppy disk.
The virus contains the following messages: [Oracle] by Mnemonix

William Chapman (CRiS)

------------------------------------------------------------------------
Virus Name: Offspring 0.7
Notes: COM INF LOW
Signatures:
  TBAV: [CrisSig] Offspring 0.7 COM INFO LOW B9 ?1 02 ?1 81 35 *6 47 *5 47 90 *3 E2 F2 C3
  Scan: "B9?02?8135*(6)47*(5)4790*(3)E2F2C3" [CrisSig] Offspring 0.7
F-Prot 2.11 : Scanned with Heuristics ON. 21 of the infected 37 scanned as: "possibly a new variant of Trident"; 16 of the infected 37 scanned as both "possibly a new variant of Trident" and "seems to be infected with an unknown virus"
TBAV 6.11 : Scanned with High Heuristics ON. 3 of the 37 scanned as: "seems to be infected with an unknown virus"
SCAN V112 : 5 of the 37 scanned as Offspring; 2 of the 37 scanned as Trident; 1 of the 37 scanned as FamN
If you add the above signature to your scanner, it will be detected.

Offspring is a memory resident virus. This virus loads into memory and hooks the 21st interrupt. It will infect files when the directory is changed. It will infect 5 files in the current directory (the directory it is leaving). First it will spawn from all .EXE files, creating hidden .COM files which are 1294 bytes in size. After all of the .EXE files have had .COM files spawned it will then infect .COM files. It appends itself to the end of the .COM files. The virus is encrypted and uses an encryption routine which throws in NOPs to make the encryption routine more difficult to use an easier signature on. The virus contains the following messages while in memory.
The files are encrypted and the message is not visible:

    "Thank you for providing me with a safe place to live Offspring 0.7"
    "*.COM"
    "*.EXE"

William Chapman (C.R.I.S)

------------------------------------------------------------------------
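As an added example (my code, not CRIS's or any of the bulletin's authors'), here is a small Python matcher for the two wildcard signature notations printed in these listings, the space-separated TBAV/F-Prot form and the run-together SCAN form, run against a constructed byte buffer shaped like the Offspring 0.7 string. The token meanings it assumes ('?n' exactly n arbitrary bytes, '??' or a lone '?' one byte, '*n' / '*(n)' a gap of up to n bytes) are my reading of how the bulletin uses them, not something it states.

```python
import re
# Added example, not CRIS code. Assumed meanings of the signature notations
# printed in this bulletin (which never defines them): 'XX' one literal byte,
# '?n' (TBAV) exactly n arbitrary bytes, '??' (F-Prot) and '?' (SCAN) one
# arbitrary byte each, '*n' (TBAV) / '*(n)' (SCAN) a gap of zero to n bytes.

def _merge(tokens):
    """Fold runs of wildcard tokens so SCAN '??' compares equal to TBAV '?2'."""
    out = []
    for kind, val in tokens:
        if kind == "any" and out and out[-1][0] == "any":
            out[-1] = ("any", out[-1][1] + val)
        else:
            out.append((kind, val))
    return out

def parse_spaced(sig):
    """Parse the space-separated TBAV / F-Prot form into (kind, value) tokens."""
    tokens = []
    for tok in sig.upper().split():
        if tok == "??":
            tokens.append(("any", 1))
        elif tok[0] == "?":
            tokens.append(("any", int(tok[1:])))
        elif tok[0] == "*":
            tokens.append(("skip", int(tok[1:])))
        else:
            tokens.append(("byte", int(tok, 16)))
    return _merge(tokens)

def parse_scan(sig):
    """Parse the run-together SCAN form, e.g. 'B9?02?8135*(6)47...'."""
    tokens, i, sig = [], 0, sig.upper()
    while i < len(sig):
        if sig[i] == "?":
            tokens.append(("any", 1))
            i += 1
        elif sig[i] == "*":
            m = re.match(r"\*\((\d+)\)", sig[i:])
            tokens.append(("skip", int(m.group(1))))
            i += m.end()
        else:
            tokens.append(("byte", int(sig[i:i + 2], 16)))
            i += 2
    return _merge(tokens)

def to_regex(tokens):
    """Compile tokens into a bytes regex; a '*n' gap is bounded and non-greedy."""
    parts = []
    for kind, val in tokens:
        if kind == "byte":
            parts.append(b"\\x%02X" % val)
        elif kind == "any":
            parts.append(b".{%d}" % val)
        else:  # skip
            parts.append(b".{0,%d}?" % val)
    return re.compile(b"".join(parts), re.DOTALL)

def find_signature(data, tokens):
    """Offset of the first match in data, or -1 (the 'not found' a scanner reports)."""
    m = to_regex(tokens).search(data)
    return m.start() if m else -1

# Offspring 0.7 signature exactly as printed in the bulletin, in both forms.
OFFSPRING_TBAV = "B9 ?1 02 ?1 81 35 *6 47 *5 47 90 *3 E2 F2 C3"
OFFSPRING_SCAN = "B9?02?8135*(6)47*(5)4790*(3)E2F2C3"
# Constructed sample buffer (not a real infected file): signature-shaped bytes
# padded with NOPs (0x90), like the junk NOPs the write-up says the virus uses.
SAMPLE = (b"\x90" * 16 + bytes.fromhex("B9 0D 02 00 81 35") + b"\x90" * 4
          + b"\x47" + b"\x90\x90" + b"\x47\x90" + b"\x90"
          + bytes.fromhex("E2 F2 C3") + b"\x90" * 8)
# Same bytes with a 7-NOP gap after '81 35': wider than '*6', so no match.
TOO_WIDE = SAMPLE[:22] + b"\x90" * 7 + SAMPLE[26:]
```

Note that a matcher like this only sees the bytes on disk; as the Skid-Row and Oracle write-ups above say, a resident stealth virus can hide the infection from it, so the scan has to run from a clean boot.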