frisk@rhi.hi.is (Fridrik Skulason) (09/12/90)
Some new viruses....

After version 1.13 of F-PROT was posted, I have received several new viruses from various sources.

Violator

This is an unusually long variant of the Vienna virus, over 1K. It is sufficiently similar to the standard Vienna virus to be detected as such, although F-PROT 1.13 refuses to remove it - saying it is a new variant. It is removed by 1.14.

Whale (Mother Fish)

This is one of the most interesting viruses I have seen - it is long, over 9K, which makes it by far the longest assembly language virus. It uses "stealth" methods - while the virus is active in memory, it cannot be detected in a simple manner. The virus uses at least two levels of encryption, rearranges code around and tries its best to confuse anti-virus programs. It has been reported that the virus may "turn itself inside out", changing the encryption method and so on. This would require the use of more than one signature string. Although I have not observed this behavior, I believe this is true, so the following line (which detects all infected files I have) is probably not sufficient to detect all possible forms of the virus, but at least it is better than nothing.

Whale c1Qny5tm8UN5j5ErLc2OjLMSN5dfEvlgmL2utUNKc4M-m-g7UqToYB

Version 1.14 (which has not been distributed yet) can detect and remove the infected files I have been able to produce, and should be able to remove all the forms when it is finished.

Phoenix

I got a sample of the 1701-byte variant of Phoenix from Norway. The virus had been uploaded to a BBS there as a Bulgarian anti-virus program, called DOCTOR.EXE, version 1.7 by Valery Trifonov - 11344 bytes in length. This program IS A TROJAN - instead of scanning for viruses it will infect you with Phoenix. F-PROT is able to detect the virus if the following line is added to SIGN.TXT. Note that this string will not detect the virus in the EXE file, as it is encrypted there - only in infected COM files.

Phoenix JJxNyMrMoa5Lj5nMj-7jjLOKjaV00VMSlRma5-m-mLKqMak7mLBlR34-

Version 1.14 can remove the virus from infected files.

-frisk

--
Fridrik Skulason                 University of Iceland      |
Technical Editor of the Virus Bulletin (UK)                 |  Reserved for future expansion
E-Mail: frisk@rhi.hi.is          Fax: 354-1-28801           |