Text File  |  1991-05-09  |  6.2 KB  |  124 lines


             *********************************************
             ***   Reports collected and collated by   ***
             ***            PC-Virus Index             ***
             ***      with full acknowledgements       ***
             ***            to the authors             ***
             *********************************************

====== Computer Virus Catalog 1.2: "Advent" Virus (15-Feb-1990) =======

Entry.................. "Advent" Virus
Alias(es).............. ---
Strain................. Syslock/Macho Virus Strain
Detected: when......... Autumn 1988
          where........ Federal Country of Rheinhessen, FR Germany
Classification......... Program Virus (Link virus)
Length of Virus........ 2761 - 2776 (dec) bytes appended on
                             paragraph boundary

------------------------ Preconditions--------------------------------
Operating System(s).... MS/PC-DOS
Version/Release........ 3.00 and upwards
Computer models........ All IBM PC compatibles.

-------------------------- Attributes---------------------------------
Easy identification.... Beginning on every "Advent" (the period from
                             the 4th Sunday before Christmas until
                             Christmas Eve), the virus displays after
                             every "Advent Sunday" one more lit candle
                             in a wreath of four, together with the
                             string "Merry Christmas", and plays the
                             melody of the German Christmas song "Oh
                             Tannenbaum". By Christmas all four candles
                             are lit. This happens until the end of
                             December, whenever an infected file is run.

Type of infection...... The virus infects both COM and EXE files.
                        EXE files: it checks the checksum field in the
                             EXE header for the value 7CB6h; if that
                             value is present, no infection will occur.
                        COM files: are checked by looking for the
                             string 39,28,46,03,03,01 (hex) at offset
                             10h. The virus is not RAM resident,
                             therefore it will only infect when the
                             host is run. It infects by searching
                             through the directories on the current
                             drive and randomly choosing files and
                             directories to infect or search. It will
                             not infect any other drive. It will
                             infect COMMAND.COM.

Infection trigger...... Virus will infect any time it is run.

Media affected......... All disks that are addressable using
                             standard DOS functions, as long as it is
                             the current drive.

Interrupts hooked...... ---

Damage................. Transient damage: displayed picture, melody
                             (see Easy Identification)

Damage trigger......... Every time the host is run.

Particularities........ The virus checks for the environment variable
                             "VIRUS=OFF", in which case it will not
                             infect. The virus encrypts itself using a
                             variable key. The virus will only do its
                             transient damage after 1-Nov-1988.

Similarities........... Macho/Syslock: much of the code is identical,
                             including the startup code. This means
                             that Advent will be identified as Syslock
                             by many scanning programs. Advent seems
                             to be the precursor to Macho and Syslock
                             (though detected later).

---------------------------- Agents-----------------------------------
Countermeasures........ Use the environment variable described
                             above as a first-aid measure only. If
                             your COMMAND.COM is infected, that won't
                             stop the virus much. Resetting the date
                             will only stop the damage, not the
                             infection.
                        Here is one of the few strings that can safely
                             be searched for:
                             50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,
                             E1,8A,C1,33,06,14,00,31,04,46,46,E2,F2,
                             5E,59; it should be noted, however, that
                             this string will also identify Syslock
                             and Macho.
                        There is no scanning method that will tell
                             the three apart. "NTIADVEN" uses a checksum.

 - ditto - successful.. For proper treatment, my anti-virus "NTIADVEN"
                             is highly recommended (in all humility).
                             Treatment by hand is very tedious and
                             only recommendable for experts.

Standard Means......... Booting from a write-protected disk and
                             restoring all COM and EXE files from the
                             original disks.

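As an added illustration (not code from the catalog or from the Virus Test Center), the checks given above can be turned into a small scanner: it looks for the search string listed under Countermeasures and for the two re-infection markers described under Type of infection. The function names and the sample file images are assumptions constructed for this example.

```python
# Added example, not part of the catalog entry: apply the catalog's three
# recognition checks (search string, COM marker, EXE checksum marker) to a
# file image in memory. Sample images below are constructed, not real.
import struct

# Search string the catalog says can safely be scanned for. It also
# matches Syslock and Macho. (Observation added here: the bytes are a
# XOR decryption loop, which is why they stay constant across infections.)
ADVENT_SIGNATURE = bytes.fromhex(
    "50 51 56 BE 59 00 B9 26 08 90 D1 E9 8A E1 "
    "8A C1 33 06 14 00 31 04 46 46 E2 F2 5E 59"
)
# Marker the virus looks for at offset 10h of a COM file (already infected).
COM_MARKER = bytes.fromhex("39 28 46 03 03 01")
COM_MARKER_OFFSET = 0x10
# Value the virus looks for in the EXE header checksum field, the 16-bit
# word at offset 12h of the MZ header (already infected).
EXE_CHECKSUM_MARKER = 0x7CB6

def has_signature(data: bytes) -> bool:
    """True if the catalog's search string occurs anywhere in the image."""
    return ADVENT_SIGNATURE in data

def has_com_marker(data: bytes) -> bool:
    """True if the COM infection marker sits at offset 10h."""
    end = COM_MARKER_OFFSET + len(COM_MARKER)
    return data[COM_MARKER_OFFSET:end] == COM_MARKER

def has_exe_marker(data: bytes) -> bool:
    """True if the image has an MZ header whose checksum field is 7CB6h."""
    if len(data) < 0x1C or data[:2] != b"MZ":
        return False
    return struct.unpack_from("<H", data, 0x12)[0] == EXE_CHECKSUM_MARKER

def classify(data: bytes) -> str:
    """'strain-code-present' cannot separate Advent from Syslock/Macho;
    per the catalog only a checksum tool such as NTIADVEN can do that."""
    if has_signature(data):
        return "strain-code-present"
    if has_com_marker(data) or has_exe_marker(data):
        return "marker-only"  # marker bytes without the code; inspect further
    return "clean"

# Constructed sample images (not real infected files).
CLEAN_COM = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"\x00" * 64
MARKED_COM = CLEAN_COM[:0x10] + COM_MARKER + CLEAN_COM[0x16:]
INFECTED_COM = MARKED_COM + b"\x90" * 8 + ADVENT_SIGNATURE + b"\x00" * 8
MARKED_EXE = b"MZ" + b"\x00" * 0x10 + struct.pack("<H", 0x7CB6) + b"\x00" * 0x20
```

A hit on the search string only says that code shared by the three viruses is present, which is exactly the limitation the catalog states for string scanners.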
----------------------- Acknowledgements------------------------------
Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... December 10, 1989
Information source..... "The Peter Norton Programmer's Guide to the
                             IBM PC" (1985), and members of our group.
                             Also thanks to V-COMM for producing
                             "Sourcer" and making my life easier.


======================= End of "Advent" Virus ========================


  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++