Here is the answer from Symantec:
NAME: 10_Past_3.748
ALIASES: "Tea Time"
TARGETS: COM
RESIDENT: At 9800h:0000h
MEMORY_SIZE: 748
STORAGE_SIZE: 748
WHERE: Appending
STEALTH: None
POLYMORPHIC: None
ARMOURING: Trace
TUNNELLING: None
INFECTIVITY: 4
OBVIOUSNESS: Quite
COMMONNESS: 3 (South Africa)
COMMONNESS_DATE: 1993-01-06
TRANSIENT_DAMAGE: Reboot during INT 21h;
T_DAMAGE_TRIGGER: year>=1991 and day=22 then reboot
TRANSIENT_DAMAGE: tamper with interrupt vectors so as to hang PC;
T_DAMAGE_TRIGGER: year>=1991 and day=29 then trash INT 13h;
year>=1991 and day= 1 then trash INT 9h;
year>=1991 and day=10 then trash INT Dh;
year>=1991 and day=16 then trash INT 10h.
TRANSIENT_DAMAGE: install new kbd handler which affects Shft & Ctrl states.
T_DAMAGE_TRIGGER: 15h10=1991 and day=22 then display message and reboot
TRANSIENT_DAMAGE: tamper with interrupt vectors so as to hang PC;
T_DAMAGE_TRIGGER: year>=1991 and day=29 then trash INT 13h;
year>=1991 and day= 1 then trash INT 9h;
year>=1991 and day=10 then trash INT 0Dh;
year>=1991 and day=16 then trash INT 10h;
TRANSIENT_DAMAGE: install new kbd handler which affects Shft & Ctrl states.
T_DAMAGE_TRIGGER: 15h10 once if another
INT21-hooker intervenes.
SELFREC_ON_DISK: File [3] == 88h and File [4] == 31h
[fourth and fifth bytes are 88 31]
LIMITATIONS: NONE
COMMENTS: The INT21/0A handler is strange; all it does is set an
internal flag, call the real INT21 handler, and then reset
the flag before returning to the caller. Perhaps a later
version will use this flag to mess up string input?
The INT24 handler that's used during infection is much
more elaborate than usual, spending several lines of code
in order to automatically "ignore" only write-protect errors,
sending all other errors along to the original INT24 handler.
ANALYSIS_BY: David Chess, IBM HICL
DOCUMENTATION_BY: David Chess, IBM HICL
ENTRY_DATE: 1993/06/24
LAST_MODIFIED: 1993/06/24
SEE_ALSO:
END:
NAME: Dudley
ALIASES: Dudley
TARGETS: COM, EXE, ZM
RESIDENT: Twixt
MEMORY_SIZE: 4608
STORAGE_SIZE: 1153 + degarbler + EXE_rounding
WHERE: Appending
STEALTH: None
POLYMORPHIC: Poly-12
ARMOURING: None
TUNNELLING: None
INFECTIVITY: 5
OBVIOUSNESS: None
COMMONNESS: 3
COMMONNESS_DATE: 1993-03-10
TRANSIENT_DAMAGE: None
T_DAMAGE_TRIGGER: None
PERMANENT_DAMAGE: None
P_DAMAGE_TRIGGER: None
SIDE_EFFECTS: None
INFECTION_TRIGGER: INT 21h && (AX == 4B00h ||
(AH == 3Dh || AH == 56h || AH == 6Ch) &&
(ext == COM || ext == EXE))
MSG_DISPLAYED: None
MSG_NOT_DISPLAYED: ""
INTERRUPTS_HOOKED: 21h/4B00h 21h/3Dh 21h/56h 21h/6Ch 21h/5454h
SELFREC_IN_MEMORY: INT21h;AX=5454h -> AX=0000
SELFREC_ON_DISK: EXE_Checksum==5045h; COM_start==7100h
LIMITATIONS: None
COMMENTS: Polymorphic COM and EXE infector. Contains code that
attempts to avoid infecting a file with name ????SC??.???,
but it has a bug.
ANALYSIS_BY: David M. Chess
DOCUMENTATION_BY: David M. Chess
ENTRY_DATE: 1993-03-10
LAST_MODIFIED: 1993-03-10
SEE_ALSO: None
END:
NAME: Exe_Bug.A
ALIASES: "CMOS virus"
TARGETS: MBR, FBR
RESIDENT: Top
MEMORY_SIZE: 1K
STORAGE_SIZE: 1S
WHERE: At 0/0/17 (hard), At 40/0/1 (360), At 80/0/1 (other floppy)
STEALTH: 13h/02, 13h/03
POLYMORPHIC: None
ARMOURING: None
TUNNELLING: Sector
INFECTIVITY: 6
OBVIOUSNESS: Quite
COMMONNESS: 5 (South Africa)
COMMONNESS_DATE: 1993-05-01
TRANSIENT_DAMAGE: None
T_DAMAGE_TRIGGER: None
PERMANENT_DAMAGE: Sectors on hard drive converted to disc-trashing trojan,
sectors on floppies converted to virus-dropping trojan.
P_DAMAGE_TRIGGER: int13hwrite and sect=3 and buffer[0]='M' and
((disc=hard and 512 AX=03FC
SELFREC_ON_DISK: Checksum of entrypoint
LIMITATIONS: None
COMMENTS: Relatively straightforward, mildly polymorphic,
tunneling EXE and COM infector that also infects
the MBR in order to get back into memory after a
boot. Doesn't infect diskette boot records.
ANALYSIS_BY: David M. Chess, IBM HICL
DOCUMENTATION_BY: David M. Chess, IBM HICL
ENTRY_DATE: 1993/05/25
LAST_MODIFIED: 1993/05/25
SEE_ALSO:
END:
NAME: Peter
ALIASES: None
TARGETS: MBR, FBR [only if sectors/track is at least 15]
RESIDENT: TOP, AT 9F00:0000 [Reduces 0000:0413 by 4,
then copies itself to 9F00:0000, regardless
of memory size]
MEMORY_SIZE: 4K
STORAGE_SIZE: 5S
WHERE: AT 0/0/2 (HARD), AT 50/0/2 (FLOPPY)
STEALTH: INT 13 / 02, INT 13 / 03
[stealth applies only to hard disk, not floppies]
POLYMORPHIC: NONE
ARMOURING: NONE
TUNNELING: NONE
INFECTIVITY: LIKE Stoned.Standard
[except for only infecting large floppies]
OBVIOUSNESS: SLIGHTLY
COMMONNESS: 3 (Japan)
COMMONNESS_DATE: 93/05/27
TRANSIENT_DAMAGE: When the CMOS clock contains 2 and 27 in the month
and date fields, it displays a message, garbles
part of the hard disk by XORing with hex 78, and
then asks four questions, in English, about pop
music. (See PERMANENT_DAMAGE)
PERMANENT_DAMAGE: If the user answers any of the questions
incorrectly, the virus returns without restoring
the garbled part of the hard disk. If the user
answers correctly, the virus restores the garbled
part of the hard disk and boots normally. (I
haven't actually tested this.)
T_DAMAGE_TRIGGER: CMOS clock bytes 7 and 8 contain 27 and 2.
P_DAMAGE_TRIGGER: User answers a question in the quiz wrong.
SIDE_EFFECTS: None
INFECTION_TRIGGER: MBR: (Boot) & (MBR[0x1FD]!=0xBB)
FBR: (INT13) & (AX==02 | AX==03) &
(FBR[0x1FD]!=11) & (FBR[0x18]>=0x0F)
[That is, when you boot from an infected floppy,
it infects the hard disk unless its mark is already
there, and when you use a floppy in A: it gets
infected unless the mark is there, or it has
less than 15 sectors/track.]
MSG_DISPLAYED:
"Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data in Hardisk!!!
WAIT for 1 MINUTES,please...
Ok.If you give the right answer to the following questions,I will save your HD:
A. Who has sung the song called "I`ll be there" ?
1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4):
B. What is Phil Collins ?
1.A singer 2.A drummer 3.A producer 4.Above all (1-4):
C. Who has the MOST TOP 10 singles in 1980`s ?
1.Michael Jackson 2.Phil Collins (featuring Genesis)
3.Madonna 4.Whitney Houston (1-4):
CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ......
Sorry!Go to Hell.Clousy man!"; Encrypted
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: 13/02, 13/03
SELFREC_IN_MEMORY: None
SELFREC_ON_DISK: MBR [0x1FD] == 0xBB, FBR [0x1FD] == 0x11
LIMITATIONS: CPU >= 286 [uses PUSHA and POPA], CMOS
[for date for payload]
COMMENTS: The answers to the questions (see above) are
4, 4, 2, at least in the virus's opinion. The
coding style is very odd and self-taught-looking;
he doesn't seem to know about direct addressing
modes, and does things like "MOV BX,0460;
MOV [BX],AX" rather than "MOV [460],AX". For
instance. It's also a "copy-protected" virus, in
that it formats track 0x50 to store the on-disk
part of itself, and the original MBR, on.
ANALYSIS_BY: David M. Chess, IBM HICL
DOCUMENTATION_BY: David M. Chess, IBM HICL
ENTRY_DATE: 93/05/24
LAST_MODIFIED: 93/05/24
SEE_ALSO:
END:
NAME: QRRY
ALIASES:
TARGETS: MBR, FBR
RESIDENT: TOP
MEMORY_SIZE: 1K
STORAGE_SIZE: 1S
WHERE: AT 27h/01h/09h
STEALTH: None
POLYMORPHIC: None
ARMOURING: None
TUNNELLING: None
INFECTIVITY: 6
OBVIOUSNESS:
COMMONNESS: 3
COMMONNESS_DATE: 1993-03-08
TRANSIENT_DAMAGE: None
T_DAMAGE_TRIGGER: None
PERMANENT_DAMAGE: Overwrites the first nine sectors of the first three
tracks on any disk or diskette head that's read from.
P_DAMAGE_TRIGGER: Real_Time_Clock_Month == 12
SIDE_EFFECTS: None
INFECTION_TRIGGER: INT 13h & AX==0201h & CX=0001h
MSG_DISPLAYED: None
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: 13/0201
SELFREC_IN_MEMORY: None
SELFREC_ON_DISK: bootrec[0]==EBh & bootrec[0170h]==ABCDh
LIMITATIONS: None
COMMENTS: Simple MBR infector with rather nasty damage; "QRRY" is just
some ASCII that happens to appear in the code of the virus.
ANALYSIS_BY: David M. Chess, IBM
DOCUMENTATION_BY: David M. Chess, IBM
ENTRY_DATE: 1993-03-08
LAST_MODIFIED: 1993-03-08
SEE_ALSO: None
END:
NAME: Runtime
ALIASES: None
TARGETS: COM (including COMMAND.COM)
RESIDENT: None
MEMORY_SIZE: 0
STORAGE_SIZE: 365
WHERE: MOVE
STEALTH: Restores original time and date stamps to files after
infection.
POLYMORPHIC: None
ARMOURING: None
TUNNELING: None
INFECTIVITY: 3
OBVIOUSNESS: SLIGHTLY
COMMONNESS: 1
COMMONNESS_DATE: 1993-06-07
TRANSIENT_DAMAGE: Hangs system occasionally on trigger
PERMANENT_DAMAGE: None
T_DAMAGE_TRIGGER: On Fridays before 11:00 AM if clock @ 40:06Ch >0b0h
P_DAMAGE_TRIGGER: None
SIDE_EFFECTS: Uncontrolled file growth due to multiple infections
INFECTION_TRIGGER: Upon execution of an infected file
MSG_DISPLAYED: "Runtime error 412" followed by possible garbage
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: None
SELFREC_IN_MEMORY: None
SELFREC_ON_DISK: Faulty but code intends to check for initial NEAR CALL (0e8h)
LIMITATIONS: DOS 3.x or later
COMMENTS: Cannot infect read-only files.
ANALYSIS_BY: Wolfgang Stiller
DOCUMENTATION_BY: Wolfgang Stiller
ENTRY_DATE: 1993-06-07
LAST_MODIFIED: 1993-06-07
SEE_ALSO:
END:
NAME: Su
ALIASES: Susan
TARGETS: .EXE
RESIDENT: Low
MEMORY_SIZE: 864
STORAGE_SIZE: 571
WHERE: Overwrites
STEALTH: None
POLYMORPHIC: None
ARMOURING: None
TUNNELING: None
INFECTIVITY: 2
OBVIOUSNESS: Extremely
COMMONNESS: 1 (United States)
COMMONNESS_DATE: 1993-04-28
TRANSIENT_DAMAGE: None
T_DAMAGE_TRIGGER: None
PERMANENT_DAMAGE: Infected files are overwritten and destroyed.
P_DAMAGE_TRIGGER: See INFECTION_TRIGGER
PERMANENT_DAMAGE: Deletion of all files in current directory.
P_DAMAGE_TRIGGER: 16 Infections since activation
SIDE_EFFECTS: None
INFECTION_TRIGGER: (A single "DIR" issued) and (FindFirst -> DTA=
uninfected .EXE file)
MSG_DISPLAYED: "Bad command or file name"
MSG_NOT_DISPLAYED: "Susan", "*.*", "*.EXE", "DIR"
INTERRUPTS_HOOKED: 2F/10F, 2F/AE00, 2F/AE01
SELFREC_IN_MEMORY: INT 2Fh;AX=010Fh -> AX=CS:[0103h]="Su"
SELFREC_ON_DISK: FileTime.Seconds=1Fh
LIMITATIONS: DOS>=3.30 (Bug: Checks for DOS 3.03)
COMMENTS: This virus does not hand control over to the infected
program; instead it terminates with the aforementioned
message. It uses INT 21;AX=5D00h to delete files.
The hooked interrupts (AH=0AEh) are reportedly called
by COMMAND.COM just before executing commands from
the keyboard.
ANALYSIS_BY: Snorre Fagerland
DOCUMENTATION_BY: Snorre Fagerland
ENTRY_DATE: 1993-04-28
LAST_MODIFIED: 1993-06-25
SEE_ALSO: None
END:
NAME: Techno
ALIASES: None
TARGETS: .COM
RESIDENT: None
MEMORY_SIZE: None
STORAGE_SIZE: 1123+15
WHERE: Appending
STEALTH: None
POLYMORPHIC: None
ARMOURING: None
TUNNELING: None
INFECTIVITY: 2
OBVIOUSNESS: Quite
COMMONNESS: 1
COMMONNESS_DATE: 1992-12-28
TRANSIENT_DAMAGE: Music, Videoeffect
T_DAMAGE_TRIGGER: Random(0.0025)
PERMANENT_DAMAGE: None
P_DAMAGE_TRIGGER: None
SIDE_EFFECT: None
INFECTION_TRIGGER: (DIRECT_ACTION) and (LengthCOM >=10) and (LengthCom12 and counter=2112
P_DAMAGE_TRIGGER: Month=12 and Day=21
SIDE_EFFECTS: PC may hang due to direct residency
INFECTION_TRIGGER: Exec and (580=3.10
COMMENTS: The poem printed by the virus states it was written by
"Marvin Giskard", the pseudonym of the person claiming
to have written 10_Past_3.748. The poem is dedicated to
"T"; 10_Past_3.789, a rework of .748, includes code to
print the name "Therese".
ANALYSIS_BY: Paul Ducklin
DOCUMENTATION_BY: Paul Ducklin
ENTRY_DATE: 1993-01-11
LAST_MODIFIED: 1993-02-15
SEE_ALSO: 10_Past_3.748, 10_Past_3.789
END:
NAME: V163
ALIASES: None
TARGETS: COM
RESIDENT: AT 0060
MEMORY_SIZE: 163
STORAGE_SIZE: 163
WHERE: Appending
STEALTH: None
POLYMORPHIC: None
ARMOURING: None
TUNNELING: None
INFECTIVITY: 4
OBVIOUSNESS: Slightly
COMMONNESS: 1
COMMONNESS_DATE: 1993-02-22
TRANSIENT_DAMAGE: None
T_DAMAGE_TRIGGER: None
PERMANENT_DAMAGE: None
P_DAMAGE_TRIGGER: None
SIDE_EFFECT: NE/LE executables will be damaged by the infection process
INFECTION_TRIGGER: Exec
MSG_DISPLAYED: None
MSG_NOT_DISPLAYED: None
INTERRUPTS_HOOKED: 21h/4Bh
SELFREC_IN_MEMORY: [0000:0086]=60h
SELFREC_ON_DISK: FILE[0]=4Dh
LIMITATIONS: None
COMMENTS: The virus does no secure SELFREC_IN_MEMORY; anything
resident that hooks INT21 will cause the virus to become
resident again!
ANALYSIS_BY: Christoph Fischer, Micro-BIT Virus Center, University of Karlsruhe
DOCUMENTATION_BY: Christoph Fischer, Micro-BIT Virus Center, University of Karlsruhe
ENTRY_DATE: 1993-02-22
LAST_MODIFIED: 1993-02-25
SEE_ALSO:
END:
Regards, Otto