HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / pc / T.ZIP / THEFLUE.ZIP / FLUE.NFO < prev next >

Wrap

Text File | 1993-12-18 | 10.7 KB | 141 lines

┌─────────────────────────────────────────────────────────────────────────────┐ │ │ │ This Virus Came To You By Way Of... │ │ │ │ ▄███████▄ ▄████████▄ ▄█▄ ▄███████▄ │ │ ████▀ ▀███ ███▀ ▀███ █████ ████▀ ▀████ │ │ ████ ███▄ ▄███ █████ ▀█████▄▄ │ │ ████ █████████▀ █████ ▀▀█████▄ │ │ ████▄ ▄███ ▄██▄ ████ ▀████▄ ▄██▄ █████ ▄██▄ ████▄ ▄████ ▄██▄ │ │ ▀███████▀ ▀██▀ ▀██▀ ▀██▀ ▀██▀ ▀█▀ ▀██▀ ▀███████▀ ▀██▀ │ │ │ │ │ │ Computer Research & Information Service │ │ │ │ │ │ Cris is a group of computer users that have a true interest in │ │ Computer Viruses and Trojans, as well as how they work. │ │ │ │ Members of Cris feel a need, not only to be up on the latest │ │ Bombs, Trojans, Worms, and Viruses, but to safely transfer these │ │ files into the hands of other dedicated researchers. │ │ │ │ Cris cannot be held responsible for the use or misuse of these │ │ files. Cris releases are sent out to better the knowledge of the │ │ virus community, for those who would like to learn more about them │ │ and how they work. │ │ │ │ Also, all Cris releases have been pre-tested and informative text │ │ files are enclosed with valuable information regarding the type of │ │ virus, how it works, and removal information. If the virus you │ │ downloaded is not a Cris release, you don't know what you've got. │ │ │ │ DuWayne Bonkoski │ │ (Original Text Written By Michael Paris) │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────┐ │ Cris Release Date:12/18/93 │ │ Type: Virus │ └─────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────┐ │ VSUM Information - Quoted from Patricia M. Hoffman's Hypertext VSUM │ ├─────────────────────────────────────────────────────────────────────────────┤ │ No Information Found │ └─────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────┐ │ Scanning Results │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ McAfee's ViruScan Reports - Detected [Flue] │ │ File had to be deleted │ │ F-Prot's ViruScan Reports - Detected [Flue] │ │ File had to be deleted │ │ TBAV's ViruScan Reports - Detected [Flue] │ │ │ Successfully repaired executable │ │ │ └─────────────────────────────────────────────────────────────────────────────┘ ┌─────────────────────────────────────────────────────────────────────────────┐ │ Researcher's Notes │ ├─────────────────────────────────────────────────────────────────────────────┤ │ The FLUE virus is a polymorphic virus which infects COM files only. The │ │ FLUE virus has a very visible way to letting you know it has infected │ │ a file. The virus will "flip" a character screen from right to left or │ │ vice versa. The screen flip does not work on monochrome monitors, however, │ │ because the virus is hard-coded to read segment B800 which is where screen │ │ information lies for color text modes. Monochrome video lies in │ │ the B000 segment and the virus does not have a routine to sense which │ │ type of video is being used. │ │ │ │ The virus hooks interrupt 24 (Critical Error Handler) which causes the │ │ virus to replicate if a critical error occurs during execution. │ │ │ │ The virus does not become memory resident as far as I can tell. │ │ │ │ A character string can be found within the virus body which may appear │ │ un-encrypted within infected files. The string reads as follows: │ │ │ │ Hatsjeee!! <C> 1992/1993 by TridenT / [DαRkRαY]Oh, BTW it's from Holland, │ │ and is called the FLUEFor those who are interested...... │ │ │ │ │ │ Encryption │ │ ========== │ │ The FLUE encrypts itself by XOR'ing the body of the virus with a │ │ randomly generated word varaiable and then uses the variable's complement │ │ on the next encryption cycle. │ │ │ │ │ │ Infection │ │ ========= │ │ The FLUE infects COM files having a length between 500 and 47987 bytes. │ │ The virus does not check to see if the file has already been infected and │ │ will attempt to re-infect an already infected file. │ │ The decryption routine the virus creates is very polymorphic. The program │ │ will randomly change which registers it uses to decrypt itself for each │ │ infected file. │ │ │ │ The infected files grow by a varying number of bytes. The virus │ │ copies a random number of bytes from the zero page and appends them to │ │ the end of the executable before infecting the file. This is what causes │ │ the random growth. │ │ │ │ Upon execution of an infected file, the virus will try to infect between │ │ one and eight files plus one more for each directory it moves into. │ │ │ │ An interesting note on how the virus appends itself to other COM files. │ │ At first glance, the source codes does not show any significant file │ │ write routines that are necessary to cause replication. It took me │ │ a while to figure out how the virus accomplished this. It does this │ │ by building it's own write routine as it runs in memory. Just another │ │ example of the polymorphic capabilities of this virus. │ │ │ │ │ │ Detection │ │ ========= │ │ All scanners tested will detect this virus. │ │ │ │ This virus can be detected using the following scan strings (for those │ │ who are using older/other scan utilities): │ │ │ │ 89?18B?1B94002?331?1F7?349 - TBAV │ │ 89??8B??B94002??????31??F7??????49 - F-PROT │ │ 89?8B?B94002???31?F7???49 - SCAN │ │ │ │ │ │ Summary │ │ ======= │ │ I have to admit, the virus was a challenge for me due to it's polymorphic │ │ capabilities. I had to step through it a couple of times to get a feel │ │ for what was going on. I'm not sure why all the polymorphism is used │ │ in this particular strain since the visual cues easily let you know │ │ something unusual is happening. Otherwise, this virus is a pretty fast │ │ replicator that wants to be noticed in its own little way. │ │ │ └─────────────────────────────────────────────────────────────────────────────┘