- Virus Author: Casio - Written in April and May 1997
- Virus Name : RUSTY BUG v1.0 alpha 4
- Virus Target: DOS and Win95 *.exe / *.com files. START.EXE and COMMAND.COM
- are not infected. Files considered to be bait are ignored.
- Target OS...: Win95 and/or DOS.
- Virus Info..: Rusty Bug is designed to be able to deal with Win95 executables
- and MS-DOS executables.
- Encryption..: Rusty Bug is fully encrypted at all times. All infected
- files are encrypted during the infection phase. The encryption
- system is variable. The encryption algorithm has been
- changed (yet again). The encryptor should keep those not
- very good at asm from restoring infected files. :)
- Stealth.....: HOST stealth - Infected com and exe files will not notice any
- modification during their operation. Self-checking programs
- are easily defeated by Rusty Bug.
-
- Rusty Bug is both DOS and Win95 compatible. Vsafe and Vscan, if found in
- memory, are bypassed. Certain checksum files from certain anti-virus software
- are destroyed if found. The weed viruses would corrupt files if they were too
- small; Rusty Bug does not waste the valuable time. It leaves small files
- alone. BAIT files are not worth the coding to overwrite them.
-
- Rusty Bug contains two payloads, each of which has a 1/10 chance of going off
- each time an infected program is executed. The first payload is an encrypted
- message which is shown decrypted to the user. The second payload is a moving
- StarField. If the user presses any key, the original program will continue
- running.
-
- Rusty Bug contains a new critical error handler, thereby trapping any possible
- I/O error, ranging from sharing violations to drive-not-ready errors. Heuristic
- scanners are defeated by Rusty Bug.
-
- Rusty Bug has the following infection system:
- 1. Search for files inside any directories found via the PATH variable.
- 2. Search for files in current directory
- 3. Pass control to host
- 4. Search current directory again - The host might have made some new ones!
-
- Naturally, checksum files created at any point while Rusty Bug is active are
- destroyed. :-)
-
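A defender's view of the behaviour described above, as an added example that is not part of the original text: a minimal integrity check over the same locations (every PATH directory plus the current directory) that treats a missing baseline as a finding, since the text says checksum files are destroyed. The function names, the JSON baseline format and the choice of SHA-256 are assumptions of this example.

```python
import hashlib
import json
import os

TARGET_EXTS = (".exe", ".com")  # file types the text names as targets


def search_dirs(path_value, cwd):
    """Locations the text lists: each PATH entry, then the current directory."""
    candidates = [os.path.realpath(d) for d in path_value.split(os.pathsep) if d]
    candidates.append(os.path.realpath(cwd))
    return [d for d in dict.fromkeys(candidates) if os.path.isdir(d)]


def snapshot(dirs):
    """Map each executable's full path to its size and SHA-256 digest."""
    state = {}
    for d in dirs:
        for name in sorted(os.listdir(d)):
            full = os.path.join(d, name)
            if name.lower().endswith(TARGET_EXTS) and os.path.isfile(full):
                with open(full, "rb") as fh:
                    data = fh.read()
                state[full] = {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
    return state


def save_baseline(dirs, baseline_path):
    """Write the baseline; keep baseline_path outside the monitored directories."""
    with open(baseline_path, "w") as fh:
        json.dump(snapshot(dirs), fh, indent=2)


def verify(dirs, baseline_path):
    """Return (finding, path) tuples; a vanished baseline is itself a finding."""
    if not os.path.isfile(baseline_path):
        return [("baseline-missing", baseline_path)]
    with open(baseline_path) as fh:
        old = json.load(fh)
    new = snapshot(dirs)
    findings = []
    for path, meta in old.items():
        if path not in new:
            findings.append(("removed", path))
        elif new[path]["sha256"] != meta["sha256"]:
            findings.append(("modified", path))
    findings += [("new", p) for p in new if p not in old]
    return findings
```

Store the baseline on read-only or offline media so that the running system cannot alter or delete it, and run `verify` from a known-clean boot.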
- Rusty Bug will infect a Win v3.x series executable; however, unless the program
- is run under Win95, it will no longer function. Instead of a nasty error or
- corruption message, Windows will be told the file is not Windows based. This
- problem only occurs on Win v3.x based systems. Before the user is informed that
- Windows v3.x cannot execute the file, Rusty Bug is given an opportunity to
- further search and infect.
-
- This virus is well armored against heuristic scanning and repair. Thunderbyte
- Anti-virus is tricked into corrupting an infected file if you attempt to
- use TBCLEAN. Rusty Bug has been tested against the following anti-virus
- programs: FPROT, AVP, FINDVIRU, MCAFEE, TBAV, NORTON, and Integrity Master.
-
- None of those scanners suspected anything when asked to scan Rusty Bug
- infected files. The McAfee scanner was the most pathetic of all of them.
-
- Update:
- For those of you who have been collecting each .EXE as it was released, well,
- I'm sure you know I tend to update frequently. Anywayz, this is the newest
- update thus far. It fixes a minor problem with size check code. Previously
- certain files, although they did meet the file size criteria, were not
- infected. This has been corrected.
-
- For those of you who don't already know, Rusty Bug is an HLL virus, coded in a
- shareware language called "ASIC" v5. Some of the code is patched from various
- LIBs that I have collected. The contents are not stolen from other viruses
- nor other real working programs.
-
-