Text File  |  1991-05-09  |  5.1 KB  |  114 lines

  1.  
  2.              *********************************************
  3.              ***   Reports collected and collated by   ***
  4.              ***            PC-Virus Index             ***
  5.              ***      with full acknowledgements       ***
  6.              ***            to the authors             ***
  7.              *********************************************
  8.  
  9.  
  10. TRACEBACK 3066 (Also known as TRACEBACK 1)
  11. ========================================== 
  12.  
  13. === Computer Virus Catalog 1.2: "Traceback" Virus (5-June-1990) =====
  14.  
  15. Entry...............: "Traceback" Virus
  16. Alias(es)...........: "3066" Virus
  17. Virus Strain........: Traceback
  18. Virus detected when.: June 1989
  19.               where.: ---
  20. Classification......: Program extending, RAM-resident
  21. Length of Virus.....: .COM and .EXE files increased by 3066 bytes.
  22.  
  23. -------------------- Preconditions ----------------------------------
  24.  
  25. Operating System(s).: MS-DOS
  26. Version/Release.....: 2.xx upward
  27. Computer model(s)...: IBM-PC, XT, AT and compatibles
  28.  
  29. ------------------- Attributes --------------------------------------
  30.  
  31. Easy Identification.: Typical text in Virus body (readable
  32.                       with hex-dump-utilities):
  33.                       1. "VG1" in the data area of the virus
  34.                       2. "VG1" is found at offset of near-jmp-
  35.                          displacement if program is a .COM file.
  36.                       3. The complete name of the file, which infected
  37.                          the currently loaded file, is in the code.
  38.                       4. Search .COM or .EXE files for the hex-string:
  39.                          58,2B,C6,03,C7,06,50,F3,A4,CB,90,50,E8,E2,03,
  40.                          8B (the last 16 bytes of an infected
  41.                          program).
  42.  
  43. Type of infection...: System: infected if signature string "VG1"
  44.                               is found in specific location in memory.
  45.                       .COM files: program length increased by 3,066
  46.                            bytes if it is infected. Infects files up
  47.                            to 62,218 bytes. The first byte of an
  48.                            infected file is a near-jump
  49.                            (E9h,XXh,YYh) to the virus code; program is
  50.                            infected if the string "VG1" is at offset
  51.                            (viruscode_entry)-03h.  .COM files are
  52.                            infected only once.
  53.  
  54.                       .EXE files: program length increased by 3066
  55.                            bytes; the string "VG1" is used for
  56.                            identification.  .EXE files are infected
  57.                            only once.
  58.  
  59. Infection Trigger...: Programs are infected the first time the virus
  60.                            is run, and at load time (using the
  61.                            function Load/Execute (4Bh) of MS-DOS).
  62.  
  63. Interrupts hooked...: INT 21h, INT 1Ch, INT 09h, INT 20h, INT 27h,
  64.                       (INT 24h only during infection of a file).
  65.  
  66. Damage..............: Transient Damage: One hour after system
  67.                            infection, the characters will fall down
  68.                            the screen.  After 1 minute, the screen is
  69.                            automatically restored.  During damage, INT
  70.                            09h will be hooked.  Characters typed
  71.                            during damage will move "fallen-down"
  72.                            characters back to their start position.
  73.                            Damage repeats every hour.
  74.  
  75.                       Permanent Damage: ---
  76.  
  77. Damage Trigger......: Every time an infected file is run, system date
  78.                       is checked; apart from diverse conditions before
  79.                       Dec.28 1988, the relevant routine checks:  If
  80.                       (system date >= 28th of December 1988) then
  81.                       "cascade damage" (same as Autumn Virus).
  82.  
  83. Particularities.....: - The virus infects all files that are
  84.                         loaded via INT 21h (function 04Bh), including
  85.                         .EXE, .COM and other files such as .APP (GEM), .OVL.
  86.                       - Some files will not run after infection.
  87.  
  88. Similarities........: There are some variants of this virus.
  89.  
  90. ------------------- Agents ------------------------------------------
  91.  
  92. Countermeasures.....: Category 3: NTI3066.EXE (VTC Hamburg)
  93.  
  94. Countermeasures successful: NTI3066.EXE is an antivirus that only
  95.                       looks for the Traceback-3066 Virus and,
  96.                       if requested, will restore the file.
  97.  
  98. Standard means......: Note the file length and search for the strings.
  99.  
  100. ------------------- Acknowledgement ---------------------------------
  101.  
  102. Location............: Virus Test Center, University Hamburg, FRG
  103. Classification by...: Stefan Tode
  104. Documentation by....: Stefan Tode
  105. Date................: 5-June-1990
  106. Information source..: PC VIRUS LISTING (Joe Hirst)
  107.  
  108. =================== End of "Traceback" Virus ========================
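
Added example, not part of the original report and not the NTI3066.EXE tool: a Python check for the file indicators listed under "Easy Identification" and "Type of infection" (the 16-byte tail string and, for .COM files, "VG1" at the near-jump displacement). The function names, finding labels and the zero-filled sample are constructed for illustration; the entry does not say where "VG1" sits in .EXE files, so those get the tail check only.

```python
import struct

# Constants taken from the catalog entry.
VIRUS_LENGTH = 3066
MARKER = b"VG1"
TAIL_SIGNATURE = bytes.fromhex("582BC603C70650F3A4CB9050E8E2038B")  # last 16 bytes


def com_marker_offset(image):
    """File offset where a .COM host's "VG1" marker would sit, or None."""
    if len(image) < 3 or image[0] != 0xE9:
        return None                      # no near jump at the start
    (disp,) = struct.unpack_from("<H", image, 1)
    entry = (3 + disp) & 0xFFFF          # target is relative to the byte after the jump
    if entry < 3 or entry > len(image):
        return None                      # wrapped or points outside the file
    return entry - 3                     # marker is at (viruscode_entry) - 03h


def scan(image):
    """Return the list of Traceback-3066 indicators found in a file image."""
    findings = []
    if len(image) < VIRUS_LENGTH:
        return findings                  # too short to hold the 3066-byte body
    if image.endswith(TAIL_SIGNATURE):
        findings.append("tail-signature")
    is_exe = image[:2] in (b"MZ", b"ZM")  # DOS .EXE header magic
    if not is_exe:
        off = com_marker_offset(image)
        if off is not None and image[off:off + 3] == MARKER:
            findings.append("com-vg1-marker")
    return findings


def make_sample(host_len=100):
    """Constructed test vector: zero filler carrying only the two indicators."""
    body = bytearray(VIRUS_LENGTH)       # not virus code, just NUL bytes
    body[:3] = MARKER
    body[-len(TAIL_SIGNATURE):] = TAIL_SIGNATURE
    jump = b"\xE9" + struct.pack("<H", host_len)
    return jump + bytes(host_len - 3) + bytes(body)


if __name__ == "__main__":
    print(scan(make_sample()))                  # constructed sample with both indicators
    print(scan(b"\xE9\x10\x00" + bytes(4000)))  # file with a jump but no indicators
```

A file that matches only one indicator deserves a closer look rather than a verdict, since the entry notes that variants of this virus exist.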
  109.  
  110.  
  111.   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  112.   ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
  113.   ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  114.