Monster Media Number 15 (Monster Media)(July 1996).ISO / virus / up960623.zip / README.DOC
Text file, dated 1996-06-24
DIRECTIONS FOR INSTALLATION OF THE NEW ANTIVIRUS DATABASES
Installation instructions follow the "Special Update Notice" section
Special Update Notice!
==================================================================
This package includes a special update for the KRSNA virus. AVP needs to
be operated in a special mode to reliably detect this virus. Only
proceed with this procedure if you suspect an infection by the
KRSNA.7610 virus.
===================================================================
IF YOU NEED ASSISTANCE CONTACT YOUR NEAREST AVP DISTRIBUTOR!
Step 1
======
Copy the file KRSNA.EXE into an empty subdirectory.
Step 2
======
Extract the self-extracting archive by typing KRSNA.EXE at the DOS
prompt (run the program).
You will now find 3 files in this subdirectory:
AVP.SET KRSNA.AVB KRSNA.EXE
Step 3
======
Make a backup copy of your current configuration file in your AVP
subdirectory.
Example: copy AVP.SET AVP.BAK
Step 4
======
Change to the subdirectory where AVP.SET, KRSNA.AVB and KRSNA.EXE are
located and copy AVP.SET and KRSNA.AVB to your AVP subdirectory. When
prompted to overwrite the AVP.SET file choose YES.
Example: copy AVP.SET C:\AVP
         copy KRSNA.AVB C:\AVP
Step 5
======
Start AVP and virus scan your computer to detect this virus.
Step 6
======
After virus scanning, restore your system's previous configuration
by deleting the file named AVP.SET and renaming the backup copy.
Example: del AVP.SET
ren AVP.BAK AVP.SET
Virus description
=================
Krsna.7610
──────────
It is a very dangerous memory resident multipartite stealth polymorphic
virus. It infects COM and EXE files as well as the MBR of the hard drive
and the boot sectors of floppy disks. In files the virus is encrypted
three times. The virus is polymorphic both in infected sectors and in
infected files.
Installing and Infecting
------------------------
When an infected file is executed the virus decrypts itself, infects the
MBR of the hard drive, traces and hooks INT 21h, and returns to the host
program. The virus then writes itself to the end of COM and EXE files
that are executed, closed, or terminated through the DOS Terminate calls
(AH=0, 31h, 4Ch). Under Win95 the virus also hooks INT 13h.
When an infected EXE file is opened the virus disinfects it. When the
virus infects a file, it checks the file name and does not infect files
matching:
TB*.*
F-*.*
IV*.*
CH*.*
COMMAND*.*
The virus also does not infect a file if there is the letter 'V' anywhere in its name.
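The name-exclusion rule just described, encoded as an added Python example (not code from this README or from AVP): it shows which names the rule leaves alone, and why a scanner such as AVP.EXE is itself never a target. The directory listing is constructed; treating names case-insensitively and applying the 'V' test to the whole 8.3 name are assumptions.

```python
# Added example: encodes the file-name rules given in the Krsna.7610
# description for its infection routine.  Assumptions: DOS names are
# compared case-insensitively, and the "letter 'V' in its name" test is
# applied to the whole 8.3 name (for COM/EXE targets the extension never
# contains a V, so both readings give the same answer).
import fnmatch

# Wildcard patterns quoted from the virus description.
SKIPPED_PATTERNS = ("TB*.*", "F-*.*", "IV*.*", "CH*.*", "COMMAND*.*")


def krsna_skips(filename: str) -> bool:
    """Return True if the described routine would not infect this COM/EXE
    file because of its name."""
    name = filename.upper()
    if "V" in name:                      # any 'V' in the name -> skipped
        return True
    return any(fnmatch.fnmatchcase(name, pat) for pat in SKIPPED_PATTERNS)


def partition(filenames):
    """Split a directory listing into (skipped, infectable) by the rule."""
    skipped = [n for n in filenames if krsna_skips(n)]
    infectable = [n for n in filenames if not krsna_skips(n)]
    return skipped, infectable


# Constructed sample of DOS directory entries (not taken from the page).
SAMPLE = ["COMMAND.COM", "AVP.EXE", "TBSCAN.EXE", "F-PROT.EXE", "IVB.EXE",
          "CHKDSK.EXE", "EDIT.COM", "XCOPY.EXE", "GOAT1.COM", "SCANV.EXE"]

if __name__ == "__main__":
    skipped, infectable = partition(SAMPLE)
    print("skipped by name :", skipped)
    print("would be infected:", infectable)
```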
When loading from an infected floppy boot sector the virus only infects
the MBR, returns control to the host sector, and does not stay memory
resident.
While infecting the hard drive the virus traces INT 13h or uses direct
calls to the hard-disk ports, then writes itself to the MBR sector and
the rest of its code to the last available track of the hard drive (the
track that is outside the declared tracks - LandZone?).
The virus stores and overwrites the original Disk Partition Table; as a
result the FDISK/MBR command may crash the hard drive. While loading from
an infected MBR the virus restores the Disk Partition Table to let DOS
load the active boot sector and calculate the disk information (at this
moment the virus's INT 13h stealth routine is not active), then decreases
the size of system memory for its TSR copy (the word at address
0000:0413), hooks INT 1Ch and returns control to the original MBR.
By hooking INT 1Ch the virus waits for the DOS loading procedure, then
restores the size of system memory and hooks INT 13h, 21h and 28h. On the
first INT 28h call the virus again corrupts the Disk Partition Table. I
see no reason for such a complex procedure of installation into the
system, other than to fool anti-virus hardware and software, if it is
installed.
By hooking INT 13h the virus intercepts access to floppy disks and
infects them. While infecting, the virus formats an extra track on the
disk and writes its code there. It also calls a stealth routine when
infected disks are accessed.
Features
--------
While executing an infected file the virus also searches for the "WIN="
string in the environment area, and deletes the \SYSTEM\IOSUBSYS\HSFLOP.PDR
file in the Windows directory.
While installing memory resident the virus checks the system date, and
on the 22nd of August and of September it erases hard drive sectors and
displays the message:
"HDEuthanasia" by Demon Emperor: Hare Krsna, hare, hare...
While infecting the MBR the virus performs a strange manipulation of the
keyboard: it hooks INT 16h, checks the keys that are entered, and
sometimes substitutes them with the 'Y' or 'N' keys. It looks as if the
virus tries to fool BIOS anti-virus features and answer "Yes, infect it!"
to the standard prompt shown when writing to the MBR of the hard drive.
The virus uses a rather strange way to run its polymorphic routines.
While infecting a computer the virus generates a block of random data and
saves it to the last sectors of the hard drive. The virus then never
modifies this random data. It restores the data (reads it from the
sector) while loading from an infected MBR or while executing an infected
file. When re-infecting the disk (if it has been disinfected) the virus
detects this data in the last sector and does not renew it.
While infecting a file or a sector the virus uses that data as the random
generator for selecting the opcodes and keys of its polymorphic routines,
so in all cases the polymorphic routine gets the same input data and
produces the same code whichever object the virus infects.
As a result the polymorphic decryption loops contain the same code in all
files that were infected on the same computer. All such files are
encrypted by the same code and with the same keys. The length of a file
grows by a random value on infection (the virus length plus the length of
the polymorphic decryption loop), but that value is constant for all
files on the same computer. The same holds for infected floppy disks -
they all contain the same polymorphic code in their boot sectors.
As a result all files and sectors that were infected on one computer
share a constant mask by which anti-virus utilities can detect them. Is
this directed against anti-virus researchers, or just meant to fool users
and hide the infected file or floppy guest that caused the infection?
===================================================================
INSTALLATION
You must have AntiViral Toolkit Pro installed on your computer to use
this update.
This is a cumulative update for AntiViral Toolkit Pro. You do not need
to keep the previous updates.
An additional anti-virus utility is distributed with this package.
AVPWW104.ZIP is an archive file that contains disinfection programs to
remove the known macro viruses that infect Word document files from your
computer. There are no executable programs in this archive. You need
to view the file AVPWW104.DOC using Microsoft Word(*).
AVP and AVPLite can now detect and disinfect 17 macro viruses:
Macro.Word.Atom, Boom, Color, Concept (US,French,Dutch), Date, DMV,
Friends, Guess, Hot, Imposter, Nop, Nuclear.a,b, Xenixos
Macro.Amipro.Green
Additionally, AVP and AVPLITE now include a heuristic scanning engine to
detect suspicious documents. Currently, AVP and AVPLITE do not convert
Microsoft templates to the Microsoft document format, but instead erase
all virus macros. The heuristic engine detects macros that can copy
themselves, so virus-free files may be detected as a virus (for example,
AVPWW - AVP for WinWord) and labeled as "suspicious."
(*) Microsoft and Word are registered trademarks of Microsoft Corporation
Steps for installation from a floppy diskette:
==============================================
1. Insert this AVP Update diskette into your computer's 3 1/2 inch
   diskette drive.
2. Change to that drive, either A: or B: for standard configurations.
3. Type "Update" without the quotation marks and then press the Enter or
   Return key.
4. At the Select Option screen choose "install program" to continue.
5. Next the "Please select a target drive for the installation" screen
   appears. Choose the drive that contains your installed copy of AVP.
   Highlight the selection using your arrow keys and then press the
   Enter or Return key to continue.
6. The "Please select your AVP sub-directory for the installation" prompt
   appears after searching for your installed copy of AVP. If the search
   was successful the sub-directory that AVP resides in on your
   computer should already be highlighted in the box on your screen. If
   it is not, please enter the correct sub-directory into the highlighted
   area now. Do NOT include the drive letter!
7. "Is this where your AVP executable files are located?" If the above
   information was entered correctly choose "Yes" and press the Enter
   or Return key. If it is not correct choose "No" and press the
   Enter or Return key, then enter the correct information. Or choose
   Cancel to stop the installation.
8. "Delete outdated Antivirus Databases before updating?" This will
   remove all antivirus databases in the AVP sub-directory before
   installing the new current versions. If you created any databases
   yourself choose "No".
9. Next the AVP database update procedures will start and you will
   see files being copied and extracted into the AVP sub-directory.
   Once this process is finished you will have the opportunity to
   review this file again and then quit. AVP will be configured and
   ready to use the new information the very next time you start the
   program.
Steps for installation from a hard drive.
=========================================
1. Extract the contents of this archive into an empty sub-directory on
   your computer's hard disk.
2. Change to that sub-directory.
3. Type "Update" without the quotation marks and then press the Enter or
   Return key.
4. At the Select Option screen choose "install program" to continue.
5. Next the "Please select a target drive for the installation" screen
   appears. Choose the drive that contains your installed copy of AVP.
   Highlight the selection using your arrow keys and then press the
   Enter or Return key to continue.
6. The "Please select your AVP sub-directory for the installation" prompt
   appears after searching for your installed copy of AVP. If the search
   was successful the sub-directory that AVP resides in on your
   computer should already be highlighted in the box on your screen. If
   it is not, please enter the correct sub-directory into the highlighted
   area now. Do NOT include the drive letter!
7. "Is this where your AVP executable files are located?" If the above
   information was entered correctly choose "Yes" and press the Enter
   or Return key. If it is not correct choose "No" and press the
   Enter or Return key, then enter the correct information. Or choose
   Cancel to stop the installation.
8. "Delete outdated Antivirus Databases before updating?" This will
   remove all antivirus databases in the AVP sub-directory before
   installing the new current versions. If you created any databases
   yourself choose "No".
9. Next the AVP database update procedures will start and you will
   see files being copied and extracted into the AVP sub-directory.
   Once this process is finished you will have the opportunity to
   review this file again and then quit. AVP will be configured and
   ready to use the new information the very next time you start the
   program.
New viruses in this update:
File viruses:
Assignation.653, BAT.Fret.1023, Demon3b.4313, Dennis.1000,
DST.330,347,396, Enjoy.1667, ExeHdr.Vlad.337, Helga.666.b,
HLLO.Globe.8001, Keeper.Eleet.726, Immune.536, Jerusalem.KbWin.1349,
Jovial.503, Khizhnjak.ASV.738, Lyceum.703, Methyl.2419,
Nado.April1st.797, Nado.RedViper.602, Nazgul.209,
Ply.3360,3486,3759,3768,4224,4722,5133,5175, Riot.Evil.811,
TPVO.Stealth.803, Trivial.Nat.111, Trivial.Kalipornia.88,140,154,190,303,
TurboExe.846.c, V.1792, Vlad.Insert.260, Voyager.1134, Yosha.975
PS-MPC.Ender.335, VCL.Salmon.510
Multipartite virus: Junkie.1029
"Intended" viruses: Companion.83, Burger.560.b, D_Tiny.1220,
Viena.Ender.1120, Yosha.761
Trojan horses: Trojan UCF.Ras, UCF.Jacker