Carbuncle.62 Viruses Information

Name: Carbuncle.62
Category: Viruses
Description: Details
Carbuncle.622

Carbuncle is a dangerous memory resident companion virus. It is a COM file 622 bytes long. On execution it checks the system time and, depending on the current seconds value, either jumps to the infection routine or calls the trigger function. In the infection routine the virus creates the file CARBUNCL.COM with the READONLY and HIDDEN attributes and writes itself (622 bytes) into that file. If the file is already present and is not READONLY, the virus overwrites it. If the file is READONLY, the virus tries to create and overwrite it but fails because it doesn't check or clear the file attributes.
Then the virus searches for EXE files using the DOS FindFirst/FindNext functions with the mask "*.exe" and infects them. On infection the virus renames the EXE file to CRP and creates a companion batch file with the name of the infected program and the BAT extension. As a result, after the infection of one EXE file there are two files with the same name and the CRP and BAT extensions. Of course, CARBUNCL.COM is also in the same directory.
The companion batch file contains six lines of DOS commands. If the file FILENAME.EXE was infected, the companion FILENAME.BAT contains these lines:
@ECHO OFF
CARBUNCL
RENAME FILENAME.CRP FILENAME.EXE
FILENAME.EXE
RENAME FILENAME.EXE FILENAME.CRP
CARBUNCL

When the user tries to run an EXE program, they type its name and DOS searches for the corresponding file as shown above. The EXE is absent because it was renamed to CRP, so DOS executes the BAT file, i.e. the companion BAT virus.
The first line of this BAT disables DOS echo, which makes the virus less visible. The second line calls the main virus body from the CARBUNCL.COM file, and the virus searches for files that are not yet infected and hits them. The third through fifth lines force DOS to execute the infected EXE that is hidden under the CRP extension: the file is renamed to the EXE extension, executed as an EXE, and then renamed back to CRP. As its last action the BAT file executes the COM virus again.
If the current seconds value of the system time is less than or equal to 16, the virus calls the trigger subroutine. This code searches for the first five CRP files and overwrites them with the virus body. As a result these files are not recoverable and should be deleted. Otherwise they will spread the virus when executed.
The virus contains internal text strings that are used when searching for files that are not yet infected and when creating the BAT companion:
*.crp
CARBUNCL.COM
BAT*.exe
CRP
@ECHO OFF
CARBUNCL
RENAME

It also contains the 'copyright' string:
PC CARBUNCLE: Crypt Newsletter 14
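
The artifacts described above (CARBUNCL.COM, a six-line companion BAT and a renamed CRP per infected program) are enough to triage a directory. The following checker is an added example, not part of the original description: the function names and the sample directory are constructed, and it assumes a CRP file overwritten by the trigger begins with a byte-for-byte copy of CARBUNCL.COM, so that check is skipped when the dropper is absent.

```python
import tempfile
from pathlib import Path

DROPPER, BODY_LEN = "CARBUNCL.COM", 622   # name and length given in the description

def expected_bat(stem):
    """The six companion lines the description lists, for one program name."""
    return ["@ECHO OFF", "CARBUNCL", f"RENAME {stem}.CRP {stem}.EXE",
            f"{stem}.EXE", f"RENAME {stem}.EXE {stem}.CRP", "CARBUNCL"]

def scan_dir(path):
    """Classify Carbuncle artifacts in one directory (DOS names are case-insensitive)."""
    names = {p.name.upper(): p for p in Path(path).iterdir() if p.is_file()}
    report = {"dropper": DROPPER in names, "restorable": [], "destroyed": [], "orphan_bat": []}
    body = names[DROPPER].read_bytes()[:BODY_LEN] if report["dropper"] else b""
    for name, p in sorted(names.items()):
        stem, _, ext = name.rpartition(".")
        if ext != "BAT":
            continue
        text = p.read_bytes().decode("latin-1").upper()
        if [ln.strip() for ln in text.splitlines() if ln.strip()] != expected_bat(stem):
            continue                      # an ordinary batch file, leave it alone
        crp = names.get(stem + ".CRP")
        # Assumption: a CRP hit by the trigger starts with a copy of the dropper.
        if crp is None:
            report["orphan_bat"].append(stem)   # companion left behind, original missing
        elif len(body) == BODY_LEN and crp.read_bytes()[:BODY_LEN] == body:
            report["destroyed"].append(stem)    # overwritten, not recoverable
        else:
            report["restorable"].append(stem)   # rename STEM.CRP back to STEM.EXE
    return report

def build_sample(path):
    """Constructed sample directory: placeholder bytes only, no virus code."""
    body = b"\x90" * BODY_LEN
    files = {DROPPER: body, "GAME.CRP": b"MZ" + b"\0" * 700, "EDIT.CRP": body,
             "AUTOEXEC.BAT": b"@ECHO OFF\r\nPROMPT $P$G\r\n"}
    for stem in ("GAME", "EDIT", "LOST"):
        files[stem + ".BAT"] = "\r\n".join(expected_bat(stem)).encode() + b"\r\n"
    for name, data in files.items():
        (Path(path) / name).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(scan_dir(d))
```

Programs listed under "restorable" are cleaned by deleting the companion BAT and renaming the CRP back to EXE; those under "destroyed" have to be restored from backup.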



© 2006-2008 spyware32.com - Privacy Policy