Copy Link
Add to Bookmark
Report
Cris Vol 2 Issue 08
-----BEGIN PGP SIGNED MESSAGE-----
For Complete Up Dated Sigfiles for TBAV or SCAN
Freq Magic Names CRISTBAV or CRISMCAF from 1:115/863
CRIS Virus Signature Alert!
- ----------------------------------------------------------------------------
Virus Name: South African Peace Virus
Notes: COM EXE INF
Signature: 5E 81 EE 06 01 E9 03 01 43 4F 4D 4D 41 4E
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09 : probably infected by an unknown virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
This is a direct overwriting file infector of .COM files to include
Command.com. Infected files will not longer run but you will get a
message on the screen. On 5 December of any year, it will attempt to
do two things. For systems using Dos 5.0+, it will turnoff access to
the C: drive. It will also attempt to delete a file called "chklist.ms"
in the current directory an infected file is run from. Cleanup is
simply replacing the infected files. Also, on 5 Dec, if the infected
file is run and the time in seconds is greater than 30, you will get
another message. Other than the one the original infection or infected
files gives.
Bill Dirks
Note: Infected files will be changed by 484 bytes, after all files
are infected the virus will write to itself now 777 bytes. The message
that will be displayed on the screen is "Let's Have Peace in S.A. From
OL' Jim Blue". The second message will get cut in the middle and not be
fully displayed. Infected files dates are changed to 00-17-90
Michael Paris
- ----------------------------------------------------------------------------
Virus Name: K-CMOS (Crypt Virus)
Notes: COM EXE INF
Signature: (TBAV) B9 CC 01 BB ?2 2E 81 07 ?2 83 C3 02
(FPROT) B9 CC 01 BB ?? ?? 2E 81 07 ?? ?? 83 C3 02
(SCAN) "B9CC01BB??2E8107??83C302" [K-CMOS]
Virus Name: K-CMOS (first generation)
Notes: COM EXE DROP
Signature: BE 0D 01 2E 8A 84 94 03 2E 8C 84 B1 03 50
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09 : probably infected (infected files are missed)
SCAN V109 : No viruses found. (infected files see TridenT)
If you add the above signature to your scanner, it will be detected.
This virus will infect .EXE & .COM files. It will zero out
the stored drive values in CMOS on AT+ machines. However, it is a
little picky. Depending up on OS utilities loaded, it may cause an
immediate coldboot after zeroing the CMOS but failing to infect files.
Because the CMOS values are zeroed for the drive type, upon reboot,
it will look like no drive is present. This virus will attempt to walk
directories using the Path set in the environment to help determine
which files to infect. If you are in a directory not in the path
statement, it seems to foil it because I couldn't get it out of the
current directory. It looks at the timer only to get a random word for
use by the file/virus encryption routine. The timer isn't used for a
payload. This routine is fairly static and the virus can be found with
one wildcard string. As a marker to determine infected files, it sets
the seconds to 58 in the file date/time stamp.
Bill Dirks
Note: Infected files change in size 937 bytes. Each time an infected file
is run it will infect one .EXE and one .COM file in the current directory.
If it finds that there are no clean files to infect it will attempt to
infect files in other drives and directorys. This virus came out of the
Crypt Newsletter #20 (CRPTLT20.ZIP)
Michael Paris
- ----------------------------------------------------------------------------
Virus Name: Blood Sugar
Notes: COM EXE INF
Signature: 5E 81 C6 1E 00 89 F3 81 EB 23 00 8A 27 8A
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09 : probably infected by an unknown virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
Blood Sugar is a non-resident .COM infector that infects all .COM files
in the current directory when an infected file is run. Infected files
will grow 416 bytes in size, and no change in file to date or time stamp.
Michael Paris
- ----------------------------------------------------------------------------
Virus Name: Dementia Pracecox 1.0
Notes: COM EXE INF
Signature: 5D 81 ED 12 01 8B F5 81 C6 38 01 8B DD 81
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09 : probably infected by an unknown virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
Dementia is a non-resident infector of .COM files that will change
infected files 512 bytes. Dementai will also infect all .COM files
in the current directory with no date or time changes made to
infected files. This virus was written by "Mnemonix".
Michael Paris
- ----------------------------------------------------------------------------
Virus Name: Atomic 1.0
Notes: EXE COM INF
Signature: B8 ED FE CD 21 A3 03 01 0E 8F 06 6F 01 BA
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.09 : probably infected by an unknown virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
ATOMIC is a memory resident virus that spawns .COM files for .EXE files
in your directorys. After the virus is resident in your system memory it
will wait for you to run .EXE files. When a EXE file is run it will make
a matching .COM file with the same name. This will be a hidden file on
your disk. Spawned files will be 425 bytes in size until the file is run
on the 14th of any month when it will change in size to 456 bytes. The
increase in size comes from the virus adding a text string to any spawn
.COM file that is run on the 14th. Three spawn files will have the text
"Atomix v1.00 by Mnemonix." added to them if one file is run on that date.
The .COM spawn files will always result in the file date of creation or
infection.
Michael Paris
- ----------------------------------------------------------------------------
For Complete Up Dated Sigfiles for TBAV or SCAN
Freq Magic Names CRISTBAV or CRISMCAF from 1:115/863
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLTCwy6M4CDusTF+9AQFF+wIAoZUGMzIs+C52mO11hF74qrtZ4As44HUp
pNaePO1Z0cXEO5+h9PrFGB8NL1tbrXVgdG79YAPP4RlMTDM/oSTozA==
=PzOM
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
C.R.I.S New Virus Signature Warning! CrisInfo #010
- -------------------------------------------------------------------------
Virus Name: [CrisSig] CARPE
Notes: COM EXE INF
Signature: 8B F4 36 8B 2C 81 ED 03 01 44 44 8B C5 05
If you add the above signature to your scanner, it will be detected.
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : No viruses found.
SCAN V111 : No viruses found.
ShareScan 5.0 : No viruses found.
Thunderbytes heuristics are able to detect the dropper of this virus
but as soon as a file is infected, the virus encrypts itself and is
able to sneak pass Thunderbytes heuristics.
CARPE DIEM! - Sieze the day originated from Sweden and was written by
Raver. Its a .COM infector and searches the directory tree downwards
using the dot-dot method. It checks the system time for one hundredth
of a second and if it matches, then it does an absolute write to the
first sector of the hard disk (boot sector of drive C:). There is about
a 5% chance of this happening and if it does, the following message will
also be displayed:
CARPE DIEM! (c) '93 - Raver/Immortal Riot
It also checks the current drive to see whether its drive A: or B: and
if so, it does not infect any files to avoid suspicion.
Infected files increase by 469 bytes and two clean .COM files are
infected every time the virus is run (unless the current drive is A: or B:)
Carpe - This is a direct action virus. It will infect .Com files to
include Command.com. Files will show an increase of 472 bytes. It
checks the clock for hundredths of a second. If it is below 5, it
will overwrite the first sector of the HD with the virus code making
it unbootable and unrecognizable to the system. You will know when
this happens as a message will appear on the screen pronouncing the
presence of the virus. Infected files will continue to run. It also
uses the .. method to step backwards when no more files are available
in the current directory to infect. This virus originated in Sweden.
- - Ashley Kleynhans - Bill Dirks [Cris]
- -------------------------------------------------------------------------
Virus Name: Human Greed
Notes: EXE COM OVW
Signature: BE 30 01 8B 16 17 01 B9 35 01 2E 31 14 83
F-Prot 2.11 : Possibly a new variant of Trivial.
TBAV 6.10 : Infected by V2pX virus.
SCAN V111 : No viruses found.
ShareScan 5.0 : No viruses found.
This is a mutation of the Infernal Demand virus written by Metal Militia.
It originated in Sweden and the author is The Unforgiven.
Its an overwriting virus that overwrites the first 666 bytes of EXE and
COM files. It checks the current drive and if it does not match with C:,
the virus automatically switches to C: drive if a C: drive exists so that
it can still do its damage. If an infected file is executed, there is a
50% chance of the message "Program too big to fit in memory" being
displayed (this is of course, a fake message which the virus displays).
If this happens, a random number is generated and if its less than 10, it
will proceed to overwrite the first couple of sectors on the C: drive,
this means that in total, you have a 5% chance of your C: drive being
overwritten every time the virus is run. It uses the dot dot method of
changing directory downwards once all files in the current directory are
overwritten. The virus does not infect floppies.
H-Greed - This is a direct overwriting infector of Command.com and
all .EXE's. It renders infected programs useless since it overwrites.
It appears to do nothing other then replicate. However, if an infected
file is run and the clock shows a time with the hundredths less than 5,
it will overwrite the first 255 sectors of the HD. It uses the ..
method to step backwards when no more files are available in the
current directory to infect. This virus originated in Sweden.
- - Ashley Kleynhans - Bill Dirks [Cris]
- -------------------------------------------------------------------------
Virus Name: DOOM!
Notes: COM EXE INF
Signature: 8B FC 36 8B 2D 81 ED 03 01 44 44 1E 06 0E
If you add the above signature to your scanner, it will be detected.
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Probably infected by an unknown virus.
SCAN V111 : No viruses found.
ShareScan 5.0 : No viruses found.
Thunderbytes heuristics detect the dropper of this virus, but fail to
detect the actual encrypted virus even when the heuristic parameter is
specified.
DOOM! - originated from Sweden and was written by Raver.
Its an .EXE infector and searches the directory tree downwards using the
dot-dot method, it does not stop travelling down the directory tree until
it has reached the root directory and infected all the .EXE files in the
root directory. It also chews up 3K of memory every time an infected file
is executed, there is a bug in this routine which causes the system to
freeze up when COMMAND.COM is called. Otherwise, this is a harmless virus.
Ashley Kleynhans [CRiS]
- -------------------------------------------------------------------------
Virus Name: ETERNITY!
Notes: COM EXE INF
Signature: 5D 83 ED 03 E8 15 00 EB 27 90 E8 0F 00 B4
If you add the above signature to your scanner, it will be detected.
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : No viruses found.
SCAN V111 : No viruses found.
ShareScan 5.0 : No viruses found.
This virus originated from Sweden and was written by The Unforgiven.
Thunderbytes heuristics will detect the dropper of the virus but as
soon as the virus appends itself to an .EXE file, it encrypts itself
and Thunderbyte is then unable to detect any infected files.
Its a mutation of Tormentor's .EXE lession (so the author says).
It infects 3 .EXE files every time an infected file is executed and
uses the dot-dot method of travelling down the directory tree.
The size of infected files is increased by 562 bytes.
Ashley Kleynhans [CRiS]
- -------------------------------------------------------------------------
[CrisSig] Geodesic Propagation 2.0
EXE COM LOW INF
1E 06 0E 0E 1F 07 2E FE 06 ?2 2E A1
F-Prot 2.11 : Possibly a new variant of Nympho
TBAV 6.10 : No viruses found.
SCAN V111 : No viruses found.
Geodesic is A memory resident COM and EXE infector that will add 666 bytes
to infected files. There is no time or date changes, and files are infected
when they are run and the virus is resident in memory.
This virus was written by Cerebral Quantas [Phalcon/Skism]
Michael Paris [Cris]
- -------------------------------------------------------------------------
Virus Name: OLO or OLO_II
Notes: EXE COM INF
Signature: 5D 81 ED 03 01 EB 1B 90 B8 24 35 CD 21
F-Prot 2.11 : New or modified variant of PS-MPC.
TBAV 6.10 : probably infected by an unknown virus.
SCAN V111 : Found virus -- Ancients [Anc]
If you add the above signature to your scanner, it will be detected.
OLO is a nonresident com infector. It will infect only the first com
file in the directory. When the file is first executed it will scroll across
the screen with the message "Ancient Sages Is on of the pAgEs". When this is
scrolling pressing Ctrl-Break will cause the scrolling to stop and the system
will make a sound almost like laughing. It will cause an infected file to
increase in size by 783 bytes. This virus will not check for previous
infection, so it therefore capable of reinfecing the same file over and over.
It appears to contain no intentionally damaging code. The following messages
are visible within the virus code:
"by -->>pAgE<<--(c) 1992 TuRN-THE-pAgE Ancient Sages Is one of the pAgEs"
"*.COM"
OLO_II is also a nonresident com infector. It will also infect the first com
file in the directory. When the file is first executed it will scroll across
the screen with the message "Video Port XMS/EMS 1993". When the system is
scrolling pressing Ctrl-Break will cause the scrolling to stop and the system
will make a sound almost like laughing. It will cause infected files to
increase in size by 841 bytes. This virus will not check for previous
infection, so it is therefore capable of reinfecting the same file over and
over. It also appears to have a code problem. When a COM file is infected
the jump at the beginning of the COM file jumps to an INT 20 and ends
execution of both the COM file and the virus.
The following messages are visible within the virus code:
"byMicrosoft(c)MSD Memory Manager Beta Video Port XMS/EMS 1993"
"*.com"
William Chapman (CRiS)
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLWV8BaM4CDusTF+9AQGgNgIAicVaTh+FnwkW9bBLJybCZXAGS46wyvc8
1pyseIKnxQ9zPcWPZobZ8cd9dxsTIWbq0pgQPZfS/ULMvSF/i7NUDA==
=qY9e
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Virus Signature Alert!
Virus Name: [BENOIT] ICE-9 ARCV Variant
Notes: EXE COM INF LOW
Signature: 5E81EE06008D841F00508DBC1F00
Virus Name: [BENOIT] ICE-9 ARCV Variant Dropper
Notes: EXE COM INF
Signature: 33C0BB0001BE0001899CB2028984
[X] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108
This virus is memory resident. No date or time changes take
place on infection. This virus comes from England and is a variant
of the ARCV virus. It was made November 5th 1992 and was Dedicated
to Benot B. Mandelbrot where the virus recieved it's name. F-prot
reports "Variant of ARCV" but no other scanner catches it in any way
yet. It is A .EXE infector though it can be found in .COM files as A
Dropper Program. This virus and its dropper can be detected with the
above signature added to your scanner.
Virus Name: McAfee's Whale (MCWHALE)
Notes: COM EXE INF
Signature: BB2A02BE18002E81?346464B
Virus Name: McAfee's Whale Dropper
Notes: COM EXE INF
Signature: BE000189F7C7041492C64402C756
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108
Both this virus and the drop program are not detected in any scanner I
have tried. This virus is not the stealth virus we are used to seeing.
This is A .EXE infector that adds 1125 bytes to infected files with no
date or time changes. When the infected file is run, A message moves
across the screen (from right to left) saying "BEWHERE!!! Anti-virus Man
John McAfee ... The WHALE Virus .... HONEST!!! ....
With the above signature added to scanner for the MCWHALE and the Dropper,
This virus is detectable.
Virus Name: [Chromosome Glitch] v3.0 Memory Lapse
Notes: COM EXE INF LOW
Signature: 5D81ED03011E06B8EFDDCD2181FB
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108
This Virus Chromosome Glitch 3.0, Written by Memory Lapse in Toronto, ON.
is A memory resident .COM infector, adding 385 bytes to infected files.
Files are infected by running them after the virus becomes memory resident.
There are no date or time changes to the file. The virus will infect
command.com if the virus is already resident. No Scanners that were tested
detected this virus until the above signature was added. Memory Lapse is
a programmer in Canada that has written many viruses showing up here in the
USA. Most of them improving in the are of detection by AV scanners. The
latest that we have researched here were the Chromosome Glitch 1.0, 2.0,
Golgi Testicles] v1.0, 2.0, 3.0, Nympho Mitosis v1.0, 2.0, and the Famous
'Memory Lapse' Virus that is Un-Removeable from Nite Owls CD-ROM shareware
disk sent to many BBS's. This Virus Chromosome Glitch virus is detectable
by adding the above signature to your scanner.
Virus Name: Murphy (Goblin) Dropper
Notes: EXE COM INF LOW
Signature: BE26018BFE8B0E08018B160201B8
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108
All of the above scanners detect the virus above. BUT NOT the dropper for
the virus. Murphy's Goblin is A memory resident .EXE infector that does not
change dates or times on the files it infects. Some scanners scan the files
as 'Black Death'. The dropper for this virus is detectable by adding the
above signature to your scanner.
Virus Name: Blood Rage Virus
Notes: EXE COM INF
Signature: 5D81ED0301B844008EC0BF00018B
[ ] F-Prot 2.09f [ ] TBAV 6.08 [x] SCAN 108
The Blood Rage Virus is seen in heuristic mode in TBAV and F-PROT, the
signature above will report the 'Blood Rage' Virus in both of these if you
add the string to your scanner. McAfee's Scan reports the correct virus. Tbav
and F-prot report 'Probbly infected with a unknown virus'. Blood Rage will
infect .Com files when A infected file is run. The text below can be seen in
the virus code.
THE WORLD WiLL NEVER FORGETT US! -Beta Boys- Blood Rage (c)1992 The BetaBoys
Virus Name: Demo-Exe Virus Admiral Bailey [YAM]
Notes: EXE COM INF
Signature: 5D81ED03011E060E0E1F078DB653
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 108
Little is known about this virus. None of the scanners tested detected
this virus. With the above signature added to your scanner it will be
detected as the Demo-Exe Virus. This is the name given to it in the
virus code. (Demo-Exe Virus Admiral Bailey [YAM]). This is A .EXE infector
adding 334 bytes to each infected file. It will infect three .EXE files
each time an infected file is run. YAM is a virus writing group that
is (was) headed by 'Admiral Baily' Y ouths A gainst M cAfee. It seems that
Admiral Baily has left the virus world for a while and has not been heard
from (according to sources).
Virus Name: Handy Virus
Notes: COM EXE SYS INF
Signature: 8CC00500108EC0BE0001BF0000B9
[ ] F-Prot 2.09f [x] TBAV 6.08 [ ] SCAN 108
Little is known about this virus. TBAV reports unknown virus, no other
scanner can see this file. According to the code this is a .Com infector.
Tested here it seems to also infect Dos System Files. MSDOS.SYS, IBMDOS.SYS
attrib -s -h -r files. After your DOS system is infected, things will never
be the same. Error messages will come up with most every command. 'Divide
Overflow', 'System Halted', Etc... Lockups will become common with flashing
lights and error messages. By adding the above string to your scanner you
can detect this file before you have to experience all of this 'fun'.
These signature's come from Cris
Computer Research & Information Service
(708) 863-5285
* these signature's have passed all testing and worked on all
files that were infected and tested.
This virus signature can be added to F-Protect by running f-prot.exe
then use the menu to add the code below. After you add the code, be
sure to scan using the /USER switch. f-prot /user {enter}
REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow
Over 1000.
You can also add it to TBAV by running tbgensig.exe make a text file
called usersig.dat, then make it look like below.
;
virus name
your notes here
skdjfjdh34585855 {string goes there
;
virus name
your notes here
skdjfjdh34585855 {string goes there
;
run tbgensig.exe
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLOirAqM4CDusTF+9AQHGLQH/bQ4DZ48yzFu+KjEqyogWYtjO16RNbgD3
GuLtq8uGdsrDDim3HpqbvuCXk1RUa1ZFpV7EcNNIIQx0wN7wEEOWUQ==
=3xAZ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Virus Signature Alert!
Virus Name: Iron Maiden (August 16th)
Notes: COM EXE DROP
Signature: 8CC6060B01C3EBF8B8D9C8D9BADF
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 9.20 V109
None of the above scanners see this dropper. After this dropper
infects either itself or another file it will be scannable by the
above scanners. Add the signature above and you will not have to
go through the pains of having to mess with this whole thing.
Iron Maiden will infect two files in the current directory and
then go to drive C: to infect the first two files in the root
directory. If you are running A infected file from the A: and
do not have a hard disk, your machine will lock. If there is a
hard disk the virus will infect two files in the root dir of
your C: and let the infected file continue running.
This Virus adds 636 Bytes to infected files, and does not change the
date or time.
Virus Name: [Binary Fission] v1.0 [ML/PS]
Notes: EXE COM LOW INF
Signature: BD?2B83D3DCD21353E3DBB4D5A
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 9.20 V109
None of the above scanners see this virus. Binary Fission 1.0 is
a memory resident EXE & COM infector written by Memory Lapse from a
virus writing group called Phalcon/Skism.
When a file infected with this virus is run, the virus will go memory
resident and infect any .Com or .Exe file that is opened, executed or
has any attributes changed. Files will increase 517 bytes in size.
This virus will not infect command.com even after it becomes resident,
command.com is executed. There are no time or date changes.
Virus Name: Phasor (1.0)
Notes: COM EXE LOW INF
Signature: BD?233FF8EC7BFE00126803DBD
[ ] F-Prot 2.09f [ ] TBAV 6.08 [ ] SCAN 9.20 V109
The Phasor (1.0) Virus remains resident in memory in unused portion
of Interrupt Table Starting At Offset 1E0h. When this virus goes
resident it will infect any .Com file that is run adding 230 bytes to
the infected file. There are no time or date changes on infected files.
Phasor (1.0) was written by Memory Lapse in in Toronto, ON. Canada, and
is not seen by any of the scanners above. If you add the signature above
to your scanner this virus will be detected.
These signature's come from Cris
Computer Research & Information Service
(708) 863-5285
* These signature's have passed all testing and worked on all
files that were infected and tested.
* Note: If you are using another scanner other then TBAV you may need
to change the signature. For other scanners replace ?# with the
number after ?. ?2 you would change to ????, or ?3 you would change
to ??????, and so on. Replace the ?# with double the ?'s as the number.
This virus signature can be added to F-Protect by running f-prot.exe
then use the menu to add the code below. After you add the code, be
sure to scan using the /USER switch. f-prot /user {enter}
REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow
Over 1000.
You can also add it to TBAV by running tbgensig.exe make a text file
called usersig.dat, then make it look like below.
;
virus name
your notes here
skdjfjdh34585855 {string goes there
;
virus name
your notes here
skdjfjdh34585855 {string goes there
;
run tbgensig.exe
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLO33SqM4CDusTF+9AQFP5AH8CkZKqnFhl2Ae64cUk5sxezLfmEuf6+oo
S/uAEb3rJboQlXlWCCPfEXsHXNqPG7SDwzt4fBnDGrK85hIjgThRxg==
=AWHS
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Virus Signature Alert!
- ---------------------------------------------------------------------------
Virus Name: 1984 (TaLoN)
Notes: COM EXE LOW INF
Signatures: TBAV - 33 C0 8E D8 BE ?2 FF 34 FF 74 02 C7 04
F-Prot - 33 C0 8E D8 BE ?? ?? FF 34 FF 74 02 C7 04
Scan - 33 C0 8E D8 BE ?? FF 34 FF 74 02 C7 04
[ ] F-Prot 2.10 [M] TBAV 6.08 [ ] SCAN 9.20 V109
None of the above scanners detect this Virus as of yet.
If you add the above signatures to your scanner, it will be detected.
1984 from TaLoN ... probably the world's sneakiest virus to date.
TBAV tags it in "high heuristic" mode ... NOTHING else finds it.
This virus got a write-up in the latest PC Week ... it's being spread in a hack
of SCANV109. You only need to run the hacked SCAN once and you're history ...
it hits every susceptible file on your HD in just one pass!
It can hit COM/EXE/BIN/OVL/SYS files, the MBR, and 360kB floppy boot sectors.
It has directory/file/partition stealth.
Infected files are forward-dated by 100 years.
By: Rod Fewster
- ----------------------------------------------------------------------------
Note: In our tests we find it infecting all of the above, though we did not run
the tests on the the MBR, and 360kB floppy boot sectors yet. This virus is
tricky with the stealth technology it uses. It will disinfect on the fly, so
one minute one file will be infected and the next it will not but another will
be. File size changes are not present while the virus is memory resident, but
if you look when the virus is out of memory you will see a 1979 byte change on
infected files. When the virus first goes memory resident it will look for and
demand C:\DOS\COMMAND.COM and infect this file, though it may disinfect it
latter and infect the command.com file in the root directory of the disk.
The signature above worked on all samples of infected files tested here. This
virus is not done being researched, but the signature is here so that you can
stop something that may have started in your computer already.
Michael Paris (Cris)
- --------------------------------------------------------------------------
Virus Name: Firefly Virus
Notes: COM EXE LOW INF
Signatures: TBAV - BB ?2 B9 10 01 81 37 ?2 81 77 02 ?2 83 C3 04 E2 F2
F-Prot - BB ?? ?? B9 10 01 81 37 ?? ?? 81 77 02 ?? ?? 83 C3 04 E2 F2
Scan - BB ?? B9 10 01 81 37 ?? 81 77 02 ?? 83 C3 04 E2 F2
[ ] F-Prot 2.10 [ ] TBAV 6.08 [ ] SCAN 9.20 V109
None of the above scanners can detect this virus. If you add the above
signatures to your scanner it will be detected.
The FIREFLY virus is a memory resident COM file infector. It's most
noticeable feature is the ever-changing keyboard LED's that appears when
the virus is resident in memory.
Upon execution the virus allocates approximately 4k of memory and hooks
interrupts 21h, 1Ch, and 24h. The old DOS interrupt 21h is moved to
interrupts 1h and 3h to be used in the virus to handle replication.
Interrupt 21
============
If this interrupt is called, the virus checks to see if an open, execute,
or attribute call is being made. If not, the registers are restored and
the old int 21h is called and everything appears as normal. If one of
these functions are being performed, the virus checks to see if it is
a COM file that is being looked at. If it is, the virus infects the
file. The virus also checks the filename passed to the interrupt to see
if an anti-virus program is being accessed. If it is, the virus deletes
the executable.
Interrupt 1Ch (System Timer Tick)
=================================
When this interrupt is hooked, the light show begins! The virus keeps
track of how many clock ticks have passed. When the count reaches a
certain point, the virus changes which keyboard LED's are lit. This
continues as long as the virus is memory resident. The virus also makes
your typing rather difficult since it constantly shifts between upper
and lower case.
Encryption
==========
The virus encrypts itself by using the XOR function with two randomly
generated word variables, alternating between the two variables.
Infection
=========
The first three bytes of the original COM file are stored within the virus
and replaced by a jump instruction that points to the beginning of the
virus code. Viral code is appended to the end of the COM file. The
COM files grow by 1106 bytes once infected and will appear to function
normally. The virus will not re-infect infected executables and it is
smart enough to know whether or not it is already resident.
DuWayne Bonkoski (Cris)
- ----------------------------------------------------------------------------
Virus Name: Adams Family [Men]
Notes: EXE COM LOW INF
Signatures: BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 41
Virus Name: Adams Family [Wendy]
Notes: EXE COM LOW INF
Signatures: BB 12 01 FF 27 2A 2E 43 4F 4D 00 4D 63 41
Virus Name: Adams Family [Morticia]
Notes: EXE COM LOW INF
Signatures: BB 12 01 FF 27 2A 2E 43 4F 4D 00 2D 3D 90
[ ] F-Prot 2.10 [ ] TBAV 6.08 [ ] SCAN 9.20 V109
None of the above scanners can detect these viruses. If you add the above
signatures to your scanner they will be detected. The signatures above
good for all three AV scanners.
This is the "Adams Family Collection", Eight viruses total. We were
able to get most of the viruses together into one signature, these are:
Cousin It, Gomez, Lurch, Pugsley, Thing, and Uncle Fester. The other two
Morticia and Wendy have two different Signatures.
The Adams Family Collection were written by the author of A Variant of the
Butterfly virus 'Crusades'. -DeathBoy KoASP
These are Resident Com infectors. When a file infected with the Adams virus
is run it will infect other .Com files in the current directory. After the
virus infects a number of .Com files (this is A different number depending
on the virus), it will go memory resident.
While the virus was in memory i could not get it to infect another file
without running it (though it was resident). When infected files are run
they do replicate. Each file infected will change size depending on which
one is run, Gomez 1648 Bytes, Pugsley 1792 Bytes, Cousin It 1680 Bytes, etc.
This collection does warrent further research, but this is released so you
can detect this 'weird family' and know a bit about them.
Michael Paris (Cris)
- ---------------------------------------------------------------------------
These signature's come from Cris
Computer Research & Information Service
(708) 863-5285
* These signature's have passed all testing and worked on all
files that were infected and tested.
REMEMBER F-prot will only allow 10 user sigs at a time, TBAV will allow
Over 1000.
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLP+AFqM4CDusTF+9AQEHbgH/Rdgwij38YcPbQWlYsFK3en57rD0x0H2d
Cb/jNnRcbjo4NhGmlOiMdhc7l3kv88wIe/Mj0Rx7+f0MkL0VjOHH/w==
=fc7i
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
You can freq a complete CRIS TBAV Update signature file from 1:115/863
with the magic name CRISTBAV
- - -----------------------------------------------------------------------
C.R.I.S. New Virus Signature Warning (CrisInfo.009)
- - -----------------------------------------------------------------------
Virus Name: [CrisSig] THCK Trojan 2_HERM
Notes: EXE COM TROJ
Signature: BE 03 01 E8 ?2 B2 ?1 E8 ?2*6 FE C2 80 FA 02
If you add the above signature to your scanner, it will be detected.
This file is a simple trojan using the Trojan Horse Construction
Kit (THCK). It seems there are several deliberate bugs in it to create
confusion. It doesn't use Int 13 properly but still accomplishes its
desired task. This is to wipe all possible floppies and hard drives
(The first 128 of each). One of the bugs regards its desired message.
This is variable in length. The desired message is used as the test to
overwrite the first 0-255 sectors of all attached disks. The message is
encrypted. The supplied signature should catch most variants
(cracks/modifications) of this without a complete rewrite of the engine.
Bill Dirks (C.R.I.S)
- - -----------------------------------------------------------------------
Virus Name: [CrisSig] LindaLou
Notes: EXE COM INF
Signature: BA 12 01 8E DA 8C 06 38 00 33 ED E8 E6 0A
Virus Name: [CrisSig] LindaLou (2)
Notes: EXE COM INF
Signature: BA 75 01 8E DA 8C 06 38 00 33 ED E8 4B 10
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : no viruses found
SCAN V111 : no viruses found
If you add the above signatures to your scanner, they will be detected.
Lindalou is written by Jackel from the West Coast (Califorina). Lindalou
is a Spawning virus, if A Lindalou infected file is run it will go through
the hard disk and make .Com files for EXE files over 40K in size. No time
or date changes were noticed. No real payload was noticed either (all though
Jackel is known to add payloads to most of his code.
Michael Paris
- - -----------------------------------------------------------------------
Virus Name: [CrisSig] ANTIPRINT
Notes: COM EXE LOW INF
Signature: 00 5D 81 ED 13 00 06 1E B8 41 4E CD 21 3D 45 4D
If you add the above signature to your scanner, it will be detected.
ANTIPRINT - This virus is called AntiPrint for a good reason.
If it finds DOS's PRINT installed, it will invoke a disk overwriting
routine to overwrite the first 16 sectors of drive C:. While I
couldn't get it to run on my system the code looks like it will do
what it's suppose to do. This is a resident infecting program.
Bill Dirks (C.R.I.S)
- - -----------------------------------------------------------------------
Virus Name: [CrisSig] Zeuss
Notes: EXE COM INF
Signature: BE ?2 BA 70 01 2E 81 34 ?2 46 46 4A
F-Prot Signature: BE ?? ?? BA 70 01 2E 81 34 ?? ?? 46 46 4A
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : might be infected
SCAN V111 : no viruses found
If you add the above signature to your scanner, it will be detected.
The Zeuss virus was written by Muja Dib with the help of ARiSToTLE
(so he says in his info). Zeuss is a .COM and .EXE infector that will
add 753 bytes to each infected file. It will infect command.com so files
will be infected with each boot.
"On the anniversary of ][avoks crash (the 27th of every month)
when an infected file is run, it will wipe out various tracks
of Drive C: and Drive D: and put an Zeuss fact on the screen...)"
Michael Paris (C.R.I.S)
- - -----------------------------------------------------------------------
Virus Name: [CrisSig] Trivial V6
Notes: EXE COM INF
Signature: BF FD 00 57 B8 F3 A4 AB B0 CC AA BE
Virus Name: [CrisSig] Trivial V7
Notes: COM EXE INF
Signature: B9 02 00 0E 1F 5E AD 3D 4D 5A 74 18 3D 5A
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
(V6 says might be trivial)
TBAV 6.10 : no viruses found
SCAN V111 : no viruses found
If you add the above signature to your scanner, it will be detected.
V6 & V7 came in as .COM files V7.com and V6.com, Both are Com infectors,
V6 adding only 96 bytes to infected files and V7 416 bytes. These files
do not change time or date stamps on files and they seem to do a good job
of infecting files with one run across the drive. If you add the above
signature to your scanner you can save yourself some restore time if they
happen to make a stop on one of your disks.
Michael Paris (C.R.I.S)
- - -----------------------------------------------------------------------
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Computer Virus Research And Information Service º
ºÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͺ
º Michael Paris (CRIS) º Fido 1:115/863 º
º P.O BOX 508077 º Cris 77:708/0 º
º Cicero Il. 60600-8077 º Voice (708) 863-5472 º
º BBS (708) 863-5285 º FAX (708) 484-5702 º
ÉÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍ»
º FREQ These Magic Names From 1:115/863 º
º º
º FILELIST PGPKEY (CrisKey) F-PROT (Latest) º
º CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) º
º NODELIST (Cris) SCAN (Latest) THDPRO (Latest) º
º CRISTBAV (TBAV CrisSig Updates) º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLVXLfqM4CDusTF+9AQHe2AH+PkXzBgNNBJI7ojT6InWn+tiOEzqYne92
Vs9OhO5QUn5jwCarMBAY0JzzJDtbouC4KQk3ae7HQtf4wWwTCUb2kw==
=Ta+B
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
C.R.I.S New Virus Signature Warning! CrisInfo #011
Because of the possible destructive nature of most of the following,
I ran these on a plain XT w/Dos 5.0 & no Tsrs, etc. to see what they'll
do. It also served the purpose of running about as supseptable a system
as possible.
This is sort of rushed (72 hours)
and done without gallons of coffee & jolt so here goes.
- -----------------------------------------------------------------------
[CrisSig] Aftershock-1 Trojan/Joke
EXE TROJ
BA F9 00 8E DA 8C 06 38 00 33 ED E8 B9 0C
[CrisSig] Aftershock-2 Trojan/Joke
EXE TROJ
BA B3 01 8E DA 8C 06 4A 00 33 ED E8 2E 0F
Aftershock 1 & 2 Trojans? - These seem to be jokes. 1 will simply
"act" like it might be doing something but it doesn't do anything
besides display the number 5.2 after acting like its trashing the
hard drive. 2 simply locks the system. While the code looks and
does pick up the Int 13 & 26 code, it does nothing. I ran each of
these about 40+ times with no results of any virus or trojan activity.
This code was written in Pascal.
- -----------------------------------------------------------------------
[CrisSig] Earthquake1 Trojan
EXE XHD TROJ
80 00 0A 00 3F 00 12 00 36 04 36 A4 4C 01 00 40
[CrisSig] Earthquake2 Trojan
EXE XHD TROJ
F0 00 09 00 2C 00 0D 00 26 04 26 A4 28 01 00 40
Earthquake 1 & 2 Trojans - These are just what they claim to be,
simple trojans. Nothing remarkable about them except they were
written in Pascal and work unlike the Aftershock trojans. Part of
this code is identical to what I refer to as stepper trojans. They
start at drive ?? and work backwards to A. An interesting note is
the manner in which the header info was created. Hueristics bypass
the files. It is because of this header a signature can be made.
- -----------------------------------------------------------------------
[CrisSig] ESP
COM INF LOW
BB 16 01 CD 11 B8 ?2 BA ?1 00 2E 29 07
ESP - This is a resident companion infector of .Exe files. .EXEs will
have a companion .Com that is a mirror of the virus written. These
files are 519 bytes in length. They are hidden and read only. This
virus utilizes variable encryption. The decrypter is fairly static so
its easy to find. It appears to contain no destructive payload in this
and it only appears to replicate based upon the code. To clean a
system, simply delete the .Com campanion files found.
- -----------------------------------------------------------------------
[CrisSig] BIG_SKY {1) OR {2}
COM EXE INF
58 0E 50 51 E8 00 00 58 2D 14 00 B1 04 D3
[CrisSig] BIG_SKY {2} OR {3}
COM EXE INF
26 ?2 84 00 26 ?2 86 00 EB 1F 26 ?2 4C 00 26 ?2 4E 00
Big-Sky 1,2,3 - I couldn't get these to do anything other than lock the
system. A disassembly didn't reveal any 80x86 specific code so all I can
assume is Jackel was trying to scare people based upon his Earthquake
trojans and AfterShock jokes. The code does try to hook Int 21 as a
minimum but not really sucessfully here nor 13 & 26.
- -----------------------------------------------------------------------
[CrisSig] ITALBOY
COM EXE INF
5E 83 EE 03 B8 01 F2 CD 21 3D F2 01 74 4E
Italboy - I couldn't get this to replicate on the XT or the 486 no matter
what even though a quick glance at the code says it should work. The
following description is based upon a code analysis. This is basically
a resident .EXE file infector. It has a payload to overwrite the first
256 sectors of the hard disk. It hooks into Int 21 to trap the loading,
executing, and finding of programs. When it finds them, it will then
infect them. The provided signature may or may not work. If the message
" ITALY IS THE BEST COUNTRY IN THE WORLD " appears, your HD has
been overwritten.
- -----------------------------------------------------------------------
[CrisSig] NAKED-TRUTH
COM INF
5D 81 ED 0C 01 3E C6 86 F3 02 00 8D B6 05
Naked-Truth - This is a direct infector of Command.com and all .COMS.
It appears to do nothing other then replicate. It will attempt to
infect all .Coms in the current directory. If none are found, it will
step back through directories looking for .Coms to infect. Infected
files will show an increase in size of 451 bytes. Infected files will
continue to run. This like Italboy will overwrite the first 256
sectors of the hard disk on the 11th of any month.
- -----------------------------------------------------------------------
[CrisSig] LOCKOUT {1} OR {2}
COM EXE BOOT INF
8C C8 FA 8E D0 BC 00 7C FB 2E 83 2E 13 04
Lockout 1 & 2 - These viruses are suppose to be BR infectors. The best
I could manage was a locked system. Their lockout is based upon CMOS
changes. If you have a saved copy of your MBR/PT and CMOS, this should
present no problems.
Bill Dirks (Cris)
- -----------------------------------------------------------------------
Verified that the sig for the Jizm Trojan is a valid false alarm. Seems
the trojan was originally a .bat compiled to an executable with an unnamed .Bat
to .Com utility. I've got a new sig that's keyed on the original bat contents
instead of the main code. I ran this three times on my system and no problems.
The new sig is.
[CrisSig] JIZM TROJAN
COM EXE TROJ
64 65 62 75 67 ?4 00 57 20 31 30 30 20
Bill Dirks (Cris)
- -----------------------------------------------------------------------
Files on "SHAREWARE 1 2 THE MAXX" & "GAMES 2 THE MAXX" CD-ROM DISK!
I took a quick but decent gander at the archive. It's a nasty joker to
say the least. Unfortunately these some of these same files have been
floating around for awhile but under various names. Here's a quick rundown
of the archive contents. Those without a comment seem OK.
MWARS BAT 129 07-17-92 6:27a Runs Readthis.com
MWARS20 EXE 28758 02-15-92 2:25a
MWARS20 DOC 6729 07-17-92 6:41a
NOTE DOC 687 01-01-80 12:17a
YANG ME 130 07-17-92 4:15p
INSTALL EXE 54272 06-14-90 4:57p Trojan to kill a PCB BBS
DEMO EXE 9728 04-22-90 8:45p Trojan to trash disk.
DOMENOW COM 4176 09-24-90 9:26p
READTHIS COM 9728 04-22-90 8:45p Trojan to trash disk.
Note that demo.exe and readthis.com are identical
files but with different extensions. Sigs that will pick these up are.
REVENGE TROJAN
COM EXE UATE TROJ
BA 2A 01 2E 89 16 F8 01 B4 30 CD 21 8B 2E 02 00 8B
PCB KILLER TROJAN
EXE COM UATE TROJ
9A 00 00 99 0B 9A 87 04 E5 01 9A 9D 04 E5 01 33
Bill Dirks (Cris)
- -----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLWV8b6M4CDusTF+9AQER9gIAmm/m0S8V7TYUU1kVkAd0yEpRlSqZsZvH
KKFNdFn0KEGoAoaTT+eNfxjuYTbGrOpeiM9QWn0B9uwlGs5lxE2hMg==
=yZzJ
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Virus Signature Alert!
- ---------------------------------------------------------------------
Virus Name: [CrisSig] [Data-Rape] 2.1 (Trojan)
Notes: COM EXE TROJ
Signature: BB 03 01 B5 00 B1 00 B6 00 B2 80 CD 13 73 11
[ ] F-Prot 2.10C [ ] TBAV 6.09 [ ] SCAN 9.20 V109
None of the above scanners detect this file as of yet.
If you add the above signature to your scanner, it will be detected.
This is a simple trojan and not a virus. It can be mistaken for
one though since it writes itself to the hard disk plus whatever was
in memory at the time. It was written by Zodiac and Data Disrupter
back in 1991 as part of the Rabid group.
This is part of the info that will be written to disk.
It'll attempt to overwrite no less than the first 69 sectors of
the harddisk. It'll then go after any floppy in the A drive to do
the same. Because of the manner it attempts to overwrite the hard
disk, most XT's HD's shouldn't be affected. Partly depends on the BIOS
and use of Int 13. A standard XT will not all a Long Sector write.
Bill Dirks
- ---------------------------------------------------------------------
Virus Name: [CrisSig] Sabbath {Generation 1}
Notes: COM EXE INF
Signature: 1E 75 13 B0 02 B9 20 00 33 D2 CD 26
Virus Name: [CrisSig] Sabbath
Notes: COM EXE INF
Signatures: TBAV: B9 43 03 81 3L ?2 83 02 E2 F7
SCAN: "B94303813L??8302E2F7" [Sabbath]
F-PROT: B94303813L????8302E2F7
[ ] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109
This virus goes TSR. It will basically try to infect anything but the
boot sector. Doesn't matter whether it's executable or not. It does a find
first and goes after the file if not already infected. It captures the
critical error handler so it isn't obvious what it does when it messes up.
The virus will infect the first file in the directory. There are several
bugs in the code. One of them is that it will infect a file more than once.
This causes problems in detection. What will typically happen is the file
will become infected. It is easily detected at this point. Upon running it
again, it may or may not damage itself by reinfecting the same file.
Basically, if the infection is valid, the strings above will detect it.
Once the virus kills itself by damaging the file, the file is no longer
infectious or executeable but no longer detectable due to the damage.
Bill Dirks
- ---------------------------------------------------------------------
Virus Name: [CrisSig] Quadratic Equation II (Generation 1)
Notes: EXE COM LOW DROP
Signature: BD 00 00 1E 06 B4 3F BB FF FF CD 21 3D FF
Virus Name: [CrisSig] Quadratic Equation II
Notes: EXE COM LOW INF
Signatures: TBAV: BH DA 04 2E 30 ?2 E2 FA
SCAN: "BHDA042E30??E2FA" [Quadratic Equation II]
F-PROT: BH DA 04 2E 30 ?? ?? E2 FA
[M] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109
None of the above scanners detect this Virus as of yet.
If you add the above signature to your scanner, it will be detected.
Quadratic Equation II is a memory resident com and exe infector that
will become memory resident when the first infected file runs. When
the virus is memory resident it will infect any com or exe file that
is run. (Including command.com) There will be no time or date changes.
Infected files will change in size 15 bytes while the virus is active
in system memory, if the virus is removed from memory the files will
show the true size change of 1285 bytes. The signatures above have been
tested and proved to work on all tested files.
Michael Paris
- ---------------------------------------------------------------------
Virus Name: [CrisSig] YB-5 (Handsome)
Notes: COM INF
Signature: EB 00 C3 8D 94 8E 01 B4 4E B9 3F 00 CD 21
[ ] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109
YB-5 is a com infector that adds 466 bytes to infected files. The source
code claims "AUTHOR: Khntark; surgeon: Urnst Kouch". This virus is a
demonstrator for the YB-5 code segment. It is sufficient to get by
F-Prot's 'heuristic'mode, but does not get past TBScan's heuristic mode.
TBScan reports a possible infection.
The above signature works on all samples tested here. By adding this
signature you will be able to detect this virus and all infected files.
Michael Paris
- ---------------------------------------------------------------------
Virus Name: [CrisSig] DK - (Generation 1)
Notes: EXE COM DROP
Signature: 83 EC 10 83 E4 E0 8B EC 50 BE 05 01 03 36
Virus Name: [CrisSig] DK
Notes: EXE COM INF
Signatures: TBAV: B9 B6 01 BB ?2 2E 81 07 ?2 83 C3 02 E2 F6
SCAN: "B9B601BB??2E8107??83C302E2F6" [DK]
F-PROT: B9B601BB????2E8107????83C302E2F6
[ ] F-Prot 2.10C [M] TBAV 6.09 [ ] SCAN 9.20 V109
Note: The first generation signature is known to give a false positive
in some cases, The DK infection has been tested with none. Both signatures
worked on all files infected and tested here.
The DK virus is a encrypting, non-memory resident, non stealth virus
The first time a file infected with the DK virus is executed the systems
date will be changed to 1994 and two files in the current directory will be
infected, one EXE and one COM. If the virus can't find two uninfected files
then it will search for alternate directories. The DK virus is no real
threat because it does no real damage except infecting files which currently
have to be deleted to clean the virus off of the system and change in the
system date from XX/XX/XXXX to XX/XX/1994. Due to this fact the viruses
presence can be easily detected also Viruscan identifies it as the TridenT
virus.
I have created a signature for this virus which can easily detect it
by using McAfees Viruscan. This signature is "B9B601BB??2E8107??83C302E2F6"
these are the bytes which remain constent after the encryption of the virus
each time. I have tested it and it doesn't seem to have any conflicts with
any other programs.
Shaun Debow
- ---------------------------------------------------------------------
These signature's come from Cris
Computer Research & Information Service
(708) 863-5285 (BBS)
* These signature's have passed all testing and worked on all
files that were infected and tested.
REMEMBER F-prot will only allow 10 user sigs at a time, Scan under 250
TBAV will allow Over 1,500.
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLR6AhqM4CDusTF+9AQGbaQH/Zo64j/KsVJcjUX4rayxYZQXaILvJlCRW
I9LUNA0J3YxYj/Wrz3gmECUU+bohF9U3IK73ZiNUQTnUdvpTR1ZqnA==
=raZ2
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
C.R.I.S. New Virus Signature Warning (CrisInfo.008)
- -------------------------------------------------------------------------
Virus Name: [CrisSig] Acid Trip
Notes: EXE COM LOW INF
Signature: 81 F9 00 0C 75 21 B4 0F CD 10 3C 03 75 19
If you add the above signature to your scanner, it will be detected.
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : No viruses found.
SCAN V111 : No viruses found.
Acid Trip is a resident .EXE infector. (You will need to include .COM
infection if you want it to pick up to original Acid Trip). It infects upon
file execution. Infected files will have a file size increase of 694 bytes,
however this increase will be hidden while the virus is resident in memory.
The Acid Trip virus will at 12:00pm of any day cause the monitor to rapidly
scroll through the color pallete. It will display the following message"
Your PC is on an [Acid Trip]... try again later...
However on the test system the virus just displayed the message and then
hung the system, so you might get varied results on varied hardware. The
virus contains no intentionally damaging code. The virus contains the
following messages:
Crypt Keeper P/S Your PC is on an [Acid Trip]... Try again later...
William Chapman [Cris]
- -------------------------------------------------------------------------
Virus Name: Greetings Virus
Notes: COM EXE LOW INF
Signature: E8 00 00 5D 81 ED 03 00 E8
If you add the above signature to your scanner, it will be detected.
Scanning Results
- -------------------------------------------------------------------------
TBAV 6.10 - Undetected
Mcafee's ViruScan Version 111 - Undetected
File had to be deleted
Norton Antivirus Version 3.0 - Undetected
File had to be deleted
F-Prot Ver 2.10c - Unknown Virus (Original File Only)
Note: Infected Files Not Detected
File had to be deleted
Virus Terminator - Undetected
File had to be deleted
VirusCure - Undetected
File had to be deleted
- -------------------------------------------------------------------------
Extra Information Found on Greetings Virus
- -------------------------------------------------------------------------
Virus : The Greetings Virus
Author / Modification By : Admiral Bailey
Language Used : Assembly Language [TASM 2.0]
Type of Virus : Encrypted TSR com/exe infector.
Date Of Release : 1-2-93
- -------------------------------------------------------------------------
Some Notes:
This is a TSR com/exe infector. Between certain times it will display
a bouncing ball. Both on graphics (which it will ruin) and in text.
When you reboot during a certain time it shall display a certain messege.
Researchers Notes
The Greetings virus infects Com and Exe files and is memory resident. The
virus uses 2.2 K of RAM. On execution of the original virus Com file, the
words (Hello World...) will be displayed. Interrupts hooked are 08,09, and
21. The Greetings virus will infect the Command.Com file if executed. The
words (Hello World...) can't be found in infected files or in memory.
- --------------------------------------------------------------------------
Interrupt 08 System Timer.
Interrupt 09 Keyboard Hardware.
This Interrupt is invoked anytime a key is pressed and released.
The Greetings virus will lock up the keyboard.
Interrupt 21 DOS Functions. Allows the virus to use over 100 functions.
Infection
Infected Com and Exe files will have an increase in file size of 1,118
bytes. The virus will only infect the Command.Com file if executed.
Infected files have no change to date and time.
Encryption
Encryption by this virus is fairly good, but the scan string below
for TBAV will detect all files infected with the Greeting virus.
(including encrypted files and original virus com file)
Testing
The only signs of infection by the Greetings virus is file growth and
memory loss of 2.2k.
Summary
Greetings is a typical computer virus. Nothing unusual occured during
testing. According to the text that the virus came with, a ball will be
displayed on the screen. I changed the date and time around some, but
still couldn't activate it. I wasn't really impressed, but of course
my idea of a great virus would be one that reaches out of the screen
and grabs you by the neck. A virtual reality virus maybe. Just kidding.
Prosperous Researching.
Larry Shultz (C.R.I.S)
- -------------------------------------------------------------------------
Virus Name: [CrisSig] CMAGIC/fx
Notes: COM INF LOW
Signature: 5D 81 ED 13 00 8B F5 81 C6 0E 00 8A 14 8A 64 01 8B
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : seems to be infected by an unknown virus.
SCAN V111 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- -------------------------------------------------------------------------
This virus is a resident .COM infector. It will hook the 21st interupt and
infect any .COM file opened. It appears to contain no destructive code. The
virus is fairly noticable because it makes noises from the PC speaker. These
noises concist of a couple different sounds which last about 5 seconds.
Infected file will have a growth of 2015 bytes however the virus will hide its
size during a directory command while resident in memory. The virus contains
the following message -- [CMAGIC/fx] By Mnemonix V 1.00 1994
William Chapman (C.R.I.S)
- --------------------------------------------------------------------------
Virus Name: [CrisSig] JIZM TROJAN
Notes: COM EXE TROJ
Signature: 8B D6 33 C9 B8 02 3C 0B FF 74 02 FE C4 CD 21
If you add the above signature to your scanner, it will be detected.
666-JIZM - contains three files. INSTAL_C.COM, YANKEES.COM and
TROJAN.COM. The first two files are simply The Draw saved screens and are
harmless. The file Trojan.com is a trojan to overwrite the first sector of
drive C: by calling and using debug to create and run a file. It goes
under the premise of updating certain The Draw functions. The file is
easily hackable and the signature included takes this into account.
Bill Dirks (C.R.I.S)
- --------------------------------------------------------------------------
Virus Name: [CrisSig] ENEMY or [ACIDTRIP]
Notes: COM EXE LOW INF
Signature: 8E C0 48 8E D8 C7 06 01 00 08 00 EB 14 58 50 8E C0
If you add the above signature to your scanner, it will be detected.
This is the Enemy Within virus written by Crypt Keeper of P/S.
This is a resident infector of programs. It hooks Int 21 when it goes TSR
and monitors 2F. It does a call to an undefined function to determine it's
presence. It also leaves a file marker to determine infected files. It infects
.EXE's only with a file increase of 644 bytes. Memory is reduced by 1040 bytes.
This program is semi-stealth insomuch while TSR, infected file sizes look the
same, file date/time stamps remain unchanged and it seems it performed its
infections normally after a file terminates execution. This appears to be done
with the PS-MPC or similar virus construction kit.
ACIDTRIP - The Acid Trip virus written by Crypt Keeper of P/S. is virtually
identical to the Enemy Within virus except it is suppose display a msg to
the screen. File increase is 694 bytes and memory is reduced by 1364 bytes.
Bill Dirks (C.R.I.S)
- --------------------------------------------------------------------------
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Computer Virus Research And Information Service º
ºÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͺ
º Michael Paris (CRIS) º Fido 1:115/863 º
º P.O BOX 508077 º Cris 77:708/0 º
º Cicero Il. 60600-8077 º Voice (708) 863-5472 º
º BBS (708) 863-5285 º FAX (708) 484-5702 º
ÉÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍ»
º FREQ These Magic Names From 1:115/863 º
º º
º FILELIST PGPKEY (CrisKey) F-PROT (Latest) º
º CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) º
º NODELIST (Cris) SCAN (Latest) THDPRO (Latest) º
º CRISTBAV (TBAV CrisSig Updates) º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLVWE46M4CDusTF+9AQGQUAH/Shz56Rds37PSa032jhFF+C1WlmeiXQ6k
Uu+5yeXK0FYeOACM13dQ+9xp0JP/kezraxsLh0dMi4+BTjMVMB4+aQ==
=60gD
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
C.R.I.S. New Viruses - Signature Warning
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] Dieted Nichols Dropper
Notes: COM EXE DROP
Signature: 73 F3 A6 C3 E4 E3 FF 11 02 E9 CD 20
Virus Name: [CrisSig] New Nichols
Notes: BOOT INF
Signature: TBAV EB 23 ?@23 FA 33 C0 8E D0
SCAN EB 23 *(23) FA 33 C0 8E D0
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
NICHOLSD -
This is the dropper for the Nichols virus. It will infect the MBR
of floppies. Once done, infected floppies will infect hard disks. It stores
the original boot sector so the system remains bootable. It was written by
Apache (of ARCV?). It seems to have no payload and is only meant as a
nuisanse. The dropper program is Dieted. The virus itself is not encrypted.
It will momentarily display [Nichols] by Apache.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] Addict9
Notes: COM EXE LOW INF
Signature: 2E A1 6C 05 2E 0B 06 6E 05 58 75 07 9C 2E
F-Prot 2.10C : Infection: _1364 - Modified (700 extra bytes)
TBAV 6.10 : probably infected by an unknown virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
ADDICT9 -
This is a resident infector of executables to include Command.Com. It
will infect .COM & .EXE files and leave them runnable.
It does have a payload and unique activation routine. As the virus passes
from one machine to another, it stores and compares BIOS data. When it is
on a new machine, it increments an internal counter which is saved. After
255 seperate machine infections, a routine to overwrite the first 64
sectors of drive C will be called. Infected files increase in size by
1364 bytes. The original date/time stamp is maintained. The virus will
tunnel to get the original INT 21 but doesn't employ any real stealth
techniques.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSi
g] 44 {43} Trivial
Notes: COM INF
Signature: B4 4E 33 C9 BA 25 01 CD 21 B8 02 3D BA 9E
F-Prot 2.10 : Seems to be infected by an unknown virus.
TBAV 6.10 : Infected by Trivial {1}
SCAN V108 : No viruses found.
If you add the above signature to your scanner, it will be detected.
44{43} Trivial is a non-resident .C* overwriting virus which is greater than
43 bytes in size. The source code claims that the virus is 44 bytes however
when compiled it is acutally only 43. The virus does have a bug that upon
execution it does infect all .C* files in the directory, but it prints garbage
(actually itself) to the screen and the the system hangs.
It was written by Dark Helment.
William Chapman (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] MAX
Notes: COM EXE BOOT INF
Signature: E8 03 00 ?3 5D 0E 16 58 59 33 C8 75 37 B8 01 02
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : probably infected by an unknown virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
This virus is a funny little thing. For how simple it is, it has kept our
researchers busy. MAX is a new virus from Memory Lapse [P/S]. When first
sent to us it had some claims that we had to check out right away. First
it was sent up as a simple memory resident .COM infector. One researcher
had a quick look at it and said [BOOT VIRUS].
Later we were told that it would format a drive on 10/29. We checked this
out to be not true. Memory Lapse has out done himself with this one, his
pratice on all of those 'clean programmed' .com and .exe memory resident
viruses has brought him to the place of writing something new, and here
it is ... There were many other claims and false panic alarms on this file,
but here is the scoop.
MAX - Once a dropper file is run on the PC this file will infect the MBR of
the hard disk. The virus will not go memory resident at this time, nor will
it infect any files. Once the machine is rebooted the virus will go memory
resident and start infecting .COM files adding 347 bytes to infected files.
There will be no time or date changes on infected files. Note also that it
worked here just fine on all machines tested. Also with different versions
of DOS we had no problems infecting bait files. This virus spreads like wild
fire. One researcher here had a problem making it work on his IBM XT eith two
different versions of DOS. (Everyone else testing it using AT's with no
problem at all)
The signature above will detect the virus both in the MBR and ALL infected
files on the hard disk.
Michael Paris (C.R.I.S)
- - ------------------------------------------------------------------------------
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Computer Virus Research And Information Service º
ºÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͺ
º Michael Paris (CRIS) º Fido 1:115/863 º
º P.O BOX 508077 º Cris 77:708/0 º
º Cicero Il. 60600-8077 º Voice (708) 863-5472 º
º BBS (708) 863-5285 º FAX (708) 484-5702 º
ÉÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍ»
º FREQ These Magic Names From 1:115/863 º
º º
º FILELIST PGPKEY (CrisKey) F-PROT (Latest) º
º CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) º
º NODELIST (Cris) SCAN (Latest) THDPRO (Latest) º
º CRISTBAV (TBAV CrisSig Updates) CRISMCAF (SCAN CrisSig) º
ÓÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLTuEfqM4CDusTF+9AQEX/wH8DFmLyPtbrZSPc6ibxxTEsWPm+ehPJTvp
UeEIlrmw4vRYqgvGTvcIFXMeTsuNlcrEK/FeIsqpAx7G1K7cz5/x0g==
=t+GS
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
New Virus - Signature Warning
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] Jackel5a
Notes: COM EXE ATE INF
Signature: 0E ?3 0l ?6 Ch
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : No viruses found.
SCAN V109 : Infected items: 00
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
JACKEL5A -
This is a simple dropper that really doesn't spread well at all. The only
file I could get it to infect was format.com and files that called/used it.
The threat from this spreading on a system is practically nil due to bugs in
the code. It will however do quite a few things well that are noteworthy.
Namely, they open you up to other virus attacks. It will upon execution
disable Central Points resident AV code (VSAFE and probably also MSAV by MS).
It will then delete the following files created by other AV packages.
Antivir.dat, Chklist.cps, *._??, and Scanval.val. It also has a null routine
to activate a yet to be included routine on the 13th of any month.
Also, this thing looks for it's own signature effectively in files and
memory, but it won't prevent multiple reinfections of an already
infected file 50% of the time.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] Mordor File infector
Notes: COM EXE BOOT HIGH INF
Signature: 0E 1F BF 1A 01 80 3D BA 74 10 B9 56 04 BF 1A 01
Virus Name: [CrisSig] Mordor Boot infector
Notes: BOOT INF
Signature: 9C 50 51 52 1E 06 B4 CD 1A 80
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : infected by Mordor virus
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
MORDOR - This is a nasty little virus. It is encrypted but keeps a fairly
static decryptor. It starts off by disabling VSAFE/VWATCH. It then checks to
see if it is resident. It does this by checking Int 21-DA which is normally
used by Basic/Basica. It will go upon various factors, while resident and at
other times remove itself. When it goes resident, you will normally lose the
function of the highest placed TSR/Driver. SCSI users will probably lose access
to their SCSI devices when Mordor is active due to the area it overwrites as a
work area (TOM). Possible video skewing also. When active, it will overwrite
code starting at segment 9F80. On March 31st it will display a message. If you
see this message it is important. The following day/month, April will activate
it's destruction routine. This routine will overwrite tracks 0-17 on heads 0-4
with whatever info is sitting in 5000:5000 in memory. It will reboot (semi-
cold) the system at this time using the infection code to ensure complete
obliteration of data (FAT+). It looks like it will infect/overwrite any
executable. It does trap Int 21 (Dos services) & 24 (Critical Error Handler).
Except for Mar 31st and the month of April, it appears to try and do nothing
other than spread. Multidisk systems should only have drive C (1st hard disk)
affected by the destruction routine since their is no drive stepping routine.
Fromn the routines I saw, it can best be desribed as semi-stealth.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] Dementia Pracecox 2.0
Notes: COM INF
Signature: 5D 81 ED 14 01 8B F5 81 C6 38 01 8B DD 81
F-Prot 2.10 : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : probably infected by an unknown virus
SCAN V108 : No viruses found.
If you add the above signature to your scanner, it will be detected.
Dementia is a non-resident infector of .COM files that will change
infected files 609 bytes. Dementia 2.0 will also infect all .COM files
in the directory one up from the current directory with no date or time
changes made to infected files. This virus contains the message [DR/2]
Dementia Praecox by Mnemonix
William Chapman (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] PET (ARCV) TROJAN
Notes: COM EXE ATE DROP
Signature: 90 90 BA AC 02 33 C9 B8 02 3C CD 21 93 B4 40
Virus Name: [CrisSig] PET (ARCV) TROJAN
Notes: COM FND TROJ
Signature: B0 02 B9 FF 00 33 D2 CD 26 B0 03
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
PET -
This is more a trojan than a virus. The only files it will actually
infect in any matter is a:\command.com , a:\dos\command.com , and
a:\windows\win.com. It does this by truncating the files and trojanizing
them. The new file length is about 38bytes. The trojan code is designed to
overwrite the first 255 sectors of drives C thru F.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] HSPAWN
Notes: COM INF
Signature: E9 01 02 AC 0A C0 75 FB 81 7C FC 45 58 74 3E 81
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
HSPAWN -
This is a very agressive resident spawning/companion type virus. When an
.EXE file is executed, a companion .COM is created containing an exact
image of the virus. The size of these files is 1115 bytes and are hidden.
This virus does incorporate some stealth techniques that prevent most
TSR AV software from detecting it's presence and actions while active. It
is a little picky about its environment. Depending upon device drivers
loaded, it may lock the system when it attempts to go TSR. Cleaning a
system of this involves deleting all the hidden .COMs created.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
Virus Name: [CrisSig] OSPRING - (First Generation)
Notes: COM EXE INF LOW
Signature: BB 11 01 53 C3 E9 E9 20 BB 11 01 53 C3 E9 E9 36
Virus Name: [CrisSig] OSPRING (089)
Notes: COM EXE INF LOW
Signature: ?1 09 ?2 C3 E9 E9 ?2 BH 37 ?1 90
F-Prot 2.10C : No viruses or suspicious files/boot sectors were found.
TBAV 6.10 : Infected items: 00
SCAN V109 : No viruses found.
If you add the above signature to your scanner, it will be detected.
- - ------------------------------------------------------------------------------
OSPRING - This is a resident direct infector of .COM files and a spawns
companion .COMs for .EXE files. It uses a variable encryption scheme and
generates a certain amount of polymorphism. It was intentionally designed to
attempt to bypass hueristic scanning. File size increases of .COM file
infections varies and is typically around 1570 bytes. Spawned .COMs are an
image of the virus and appx. the same length. Spawned companion .COM files are
made read only and hidden. 5 files will be infected each time an infected file
is run. It is semi-stealthy. No real tunneling. Files will retain their
original date/time stamp and by using hidden companion .Com files, a little
hard to detect. It will kill Antivir.dat and Chklist.* files. It will not
infect Command.Com.
Bill Dirks (C.R.I.S)
- - ------------------------------------------------------------------------------
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Computer Virus Research And Information Service º
ºÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͺ
º Michael Paris (CRIS) º Fido 1:115/863 º
º P.O BOX 508077 º Cris 77:708/0 º
º Cicero Il. 60600-8077 º Voice (708) 863-5472 º
º BBS (708) 863-5285 º FAX (708) 484-5702 º
ÉÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍ»
º FREQ These Magic Names From 1:115/863 º
º º
º FILELIST PGPKEY (CrisKey) F-PROT (Latest) º
º CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) º
º NODELIST (Cris) SCAN (Latest) THDPRO (Latest) º
º CRISTBAV (TBAV CrisSig Updates) CRISMCAF (SCAN CrisSig) º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
- -----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLTuBnqM4CDusTF+9AQFYzQH8D9UoT/qpTIQoHwX5ue2p2U7n4VMCx6dN
77MgIr+RtqG+otmMAe6muutt9PcwESLjXESEbx5x3EUsrhCsItU/3A==
=Hq0x
- -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLTuEhqM4CDusTF+9AQFT2gH/ffwdf9uwtT9b6NEqJe31YfnUC4DHoOSF
NKlEbejobhPjyAdF0abKcvDLB8NXO4Rn6/3nquZNwYR3cARUsKncoA==
=jklc
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
- ------------------------------------------------------------------------
C.R.I.S. New Virus Signature Warning (CrisInfo.013)
- ------------------------------------------------------------------------
You can freq a complete CRIS TBAV Update signature file from 1:115/863
with the magic name CRISTBAV (Works With REGISTERED VERISONS ONLY)
CrisSigs are made at no charge to anyone that wants to use them. They
are not ment as positive 100% infection protection. CrisSigs serve the
user that wants to have that 'extra' protection until the virus is added
to the scanner they are using.
In the history of CrisSigs there have been (3) signatures that have given
warnings on files that were not infected but claimed to be on some files
that were scanned. By using CrisSigs the chance is there to get a false
virus warning but we feel it is better safe then the chance of loosing
your files or hard disk.
All of the CrisSigs have been tested to work on the viruses below and
have been tested for false alarms and found none.
Michael Paris [Cris Staff]
- ------------------------------------------------------------------------
Virus Name: [CrisSig] Skid-Row
Notes: EXE COM LOW INF
Signature: B4 0D CD 21 B4 52 CD 21 FC 26 C5 77 12 C5
F-Prot 2.11 : No virus found
TBAV 6.12 : May be infected by an unknown virus
SCAN V113 : No Virus found
If you add the above signature to your scanner, it will be detected.
First I must say that I truely enjoyed researching this little bugger. It
is a very smart little virus. Upon execution of the infected drop file
nothing out of the ordinary happened. No bait files show alteration, nor
did any other file for that matter. The TRS scanner did not go off, nor
was there a change in memory size or status. A dud, NO WAY! Scanning the
drive again with various scanners (ones on the HD at time of execution)
showed no changes anywhere on the hard drive. So I rebooted and ran TBAV
from a protected diskette and found that all EXE's were indeed infected and
changed. There was no change however in the size or date/time stamp of any
files. EXE's were infected all over the HD, however NO bait files were
infected at all. The virus showed no interest in any COM file including
COMMAND.COM.
Rebooting again I ran the infected files to observe activity. Qdos was
the file run. At this time the virus displayed the text below.
This is Skid_Row Virus
Written by Dark Slayer
* in Keelung. Taiwan*
It did appear to cause the system to hang a few times, I am however not
sure whether the virus caused this, or if it was just the old XT that was
being used to test.
The virus does go memory resident, even though no TSR's would detect it,
because after termination of infected programs, the message screen will
intermittently appear. Always when a drive is changed. (A: B: C: etc)
At this point I extracted a string to test out. The string was install in
TBAV and the harddrive was planted with more files (clean) and few odd
virii. The string identified all the infected file and gave no false
alarms. Next I rebooted and compiled the string into TBAV on the hard drive
and ran the scan again. SHIDROW would not scan. The other virii on the
drive, including some that were user defined, scanned but not Skid-Row. It
seems to be full stealth once it becomes resident. Rescanning from a
write protected disk showed that all the files were indeed still infected..
The original infected file SKIDROW.COM after execution became memory resident
and no longer showed infection.
Art Mason [Cris]
More on Skid Row by: Staale Fagerland
This virus, both in its a and b version, uses the old beast technique for
hiding itself in memory. One buffer is unlatched from the dos buffer pool
and taken by the virus.
It is a fast infector, infecting on open as well as on execute. This means
that if you scan with this virus in memory, all eligible files opened by the
scanner will be infected - if your scanner is not able to see it in memory
and stop before it starts opening files.
The virus infects nothing but exe-files with enough space for it in the
exe header. No file growth, and no infection of com files. But infected
exe-files will after infection have a com structure.
It is also a stealth virus, disinfectiong on the fly. It seems to use
int13 for both the stealth functions and the infection routine. Int13
is hooked, but not directly.
Some quick ways to determine if you have this one in memory:
1. Look at the dropper with a file browser such as list. If it is
active, you will not be able to see the virus code.
2. Count the dos buffers. If the virus is up and running, you will
have one less than you thought you had.
3. If you use a good memory tool, such as MAM, you will see int13
pointing both at the dos buffer pool _and_ at HMA. Dead giveaway.
Regards
StF
- -----------------------------------------------------------------------------
Virus Name: [CrisSig Covina
Notes: EXE COM TROJ
Signature: FC 06 1E 0E 8C C8 01 06 35 01 BA 85 00 03
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.12 : Nothing
SCAN V113 : No viruses found.
If you add the above signature to your scanner, it will be detected.
The Covina Trojan:
This is a Trojan that adds a line to the end of the autoexec.bat file
to do an unconditional format of the hard disk. When the file run it
will search for the autoexec.bat file on the C: drive and update it with
the command needed. This trojan was written by someone named Super Tanker.
Michael Paris [Cris]
- -----------------------------------------------------------------------------
Virus Name: [CrisSig] Yesturday Once More [YOM]
Notes: EXE COM INF
Signature: 5D 81 ED 0D 01 E8 25 01 B8 53 46 E8 A0 01
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.12 : probably infected by an unknown virus
SCAN V113 : No viruses found.
If you add the above signature to your scanner, it will be detected.
The YOM virus was written in Finland by Pepper, it is suposed to be his
first non-overwriting virus. This file was written 01-April-94.
Files will change in size 529 bytes but no time or date changes at all.
According to the programmer this virus has 256 different forms of mutation.
All the texts and some parts of code are mutated. Number #00 of mutations
is the unmutated virus.
Infects COM-files, within the length of 123-63999 bytes. Doesn't infect
command.com. Uses dotdot-method. Infects 2 files from every directory
from current one to root directory. Checks for previous infection,
Restores date and time stamps, deinits VIRSTOP, Displays a text message
'yesterday once more' every 128th time run and backs up clock by one day.
Michael Paris [Cris]
- -----------------------------------------------------------------------------
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Computer Virus Research And Information Service º
ºÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͺ
º Michael Paris (CRIS) º Fido 1:115/863 º
º P.O BOX 508077 º Cris 77:708/0 º
º Cicero Il. 60650-8077 º Voice (708) 863-5472 º
º BBS (708) 863-5285 º FAX (708) 484-5702 º
ÉÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍ»
º FREQ These Magic Names From 1:115/863 º
º º
º FILELIST PGPKEY (CrisKey) F-PROT (Latest) º
º CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) º
º NODELIST (Cris) SCAN (Latest) THDPRO (Latest) º
º CRISTBAV (TBAV CrisSig Updates) º
ÓÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLaw4H6M4CDusTF+9AQGmugIArmWkGZpd06NE5uuaFIkAofTYCsiV6/vD
cLZWSHstrFFVT4+ISlHytJti7H6aHRDEwpfOZIZpmnKxwvSrfmpppg==
=lZLu
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
You can freq a complete CRIS TBAV Update signature file from 1:115/863
with the magic name CRISTBAV (Works With REGISTERED VERISONS ONLY)
- ------------------------------------------------------------------------
C.R.I.S. New Virus Signature Warning (CrisInfo.012)
- ------------------------------------------------------------------------
Virus Name: [CrisSig] Rubbit V1.0
Notes: COM EXE LOW INF
Signature: BE 03 01 8B 0C 51 33 C0 8E C0 26 80 3E FC
This signature form will work with any signature format for different scanners
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.11 : No Viruses found!
SCAN V112 : No viruses found!
If you add the above signature to your scanner, it will be detected.
Rubbit 1.0 is a memory resident COM infector that adds 681 bytes to
infected files. When the virus goes memory resident it will infect
any file that is run. According the the virus code this virus was
written by Peter Ferng.
Michael Paris (C.R.I.S)
- ------------------------------------------------------------------------
Virus Name: [CrisSig] Terminator
Notes: EXE COM LOW INF
Signature: 1E 0E 1F 06 B4 52 CD 21 26 8E 47 FE 26 80
This signature form will work with any signature format for different scanners
F-Prot 2.11 : No viruses or suspicious files/boot sectors were found.
TBAV 6.11 : No Viruses found!
SCAN V112 : No viruses found!
If you add the above signature to your scanner, it will be detected.
The Terminator virus ia a memory resident EXE infector that will get
past most memory resident protection. After the virus becomes memory
resident it will infect any .EXE file that is run. It will add 904
bytes to infected files. After a number of infections it will display
a graphic screen saying ....
Don't be afraid.
I am a very kind virus.
You have do many works today.
So,
I will let your computer slow down.
Have a nice day,
Goodbye.
Press a key to continue. . .
Michael Paris (C.R.I.S)
- ------------------------------------------------------------------------
Virus Name: [CrisSig] Oracle
Notes: EXE COM INF LOW
Signature: 5D 81 ED 22 00 1E 33 C0 8E C0 48 33 FF B9
F-Prot 2.11 : New variant of Golgi
TBAV 6.11 : probably infected by an unknown virus.
SCAN V112 : No virus found
If you add the above signature to your scanner, it will be detected.
Oracle is a memory resident .COM and .EXE infector. Infected files will
have the size of the file increased by 997 bytes. This size increase will
be hidden if the virus is active in memory. Oracle hooks the 21st interupt
and infects files upon execution. However, On the test system the virus
would infect files, however sometimes had problems executing files. The
following occurences happend while testing. All memory mappers did not work,
any file viewer had eratic behavior, and one larger program received an out
of memory error. The virus does create a drive error when attempting to write
to a write protected floppy disk.
The virus contains the following messages:
[Oracle] by Mnemonix
William Chapman (CRiS)
- ------------------------------------------------------------------------
Virus Name: Offspring 0.7
Notes: COM INF LOW
Signatures:
TBAV: [CrisSig] Offspring 0.7
COM INFO LOW
B9 ?1 02 ?1 81 35 *6 47 *5 47 90 *3 E2 F2 C3
Scan: "B9?02?8135*(6)47*(5)4790*(3)E2F2C3" [CrisSig] Offspring 0.7
F-Prot 2.11 : Scanned with Heuristics ON.
21 of the infected 37 scanned as:
"possibly a new variant of Trident"
16 of the infected 37 scanned as both
"possibly a new variant of Trident"
"seems to be infected with an unknown virus"
TBAV 6.11 : Scanned with High Heuristics ON
3 of the 37 scanned as:
"seems to be infected with an unknown virus"
SCAN V112 : 5 of the 37 scanned as Offspring
2 of the 37 scanned as Trident
1 of the 37 scanned as FamN
If you add the above signature to your scanner, it will be detected.
Offspring is a memory resident virus. This virus loads into memory and
hooks the 21st interupt. It will infect files when the directory is
changed. It will infect 5 files in the current directory (the directory
the it is leaving). First it will spawn from all .EXE files creating
hidden .COM files which are 1294 bytes in size. After all of the .EXE
files have had .COM files spawned it will then infect .COM files. It
appends itself to the end of the .COM files. The virus is encrypted and
uses an ecncryption routine which throws in NOP's to make the encryption
routine more difficult to use an easier signature on. The virus contains
the follwing messages while in memory. The files are encrypted and the
message is not visible:
"Thank you for providing me with a safe place to live Offspring 0.7"
"*.COM"
"*.EXE"
William Chapman (C.R.I.S)
- ------------------------------------------------------------------------
ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ»
º Computer Virus Research And Information Service º
ºÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍËÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͺ
º Michael Paris (CRIS) º Fido 1:115/863 º
º P.O BOX 508077 º Cris 77:708/0 º
º Cicero Il. 60650-8077 º Voice (708) 863-5472 º
º BBS (708) 863-5285 º crisadm@netcom.com º
ÉÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÊÍÍÍ»
º FREQ These Magic Names From 1:115/863 º
º º
º FILELIST PGPKEY (CrisKey) F-PROT (Latest) º
º CRIS (Info on Cris) TBAV (Latest) VSUM (Latest) º
º NODELIST (Cris) SCAN (Latest) THDPRO (Latest) º
º CRISTBAV (TBAV CrisSig Updates - REGISTERED USERS ONLY) º
ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ
-----BEGIN PGP SIGNATURE-----
Version: 2.3a
iQBVAgUBLZOCzKM4CDusTF+9AQE3OgH/eZ9/j4K9CHhlaUKABMCSoicsQ4RWjg2w
yygU3SvVFNnXsuvKUMwcDqV77UAcyxrtSQH0qVU7LpNz5aNi0JO5+g==
=e3v3
-----END PGP SIGNATURE-----
