Details
MBP.Kynel
The first known virus to infect MapInfo tables. It activates when an infected table is opened and then infects the MapInfo environment and every table subsequently opened in MapInfo.
The virus has a payload routine that is triggered on specific system dates; the payload corrupts table files.
What is MapInfo
MapInfo is a Geo-Information System, one of the world's leading software solutions for mapping and geographic analysis. It is developed by the MapInfo Corporation. MapInfo uses the MapBasic programming language to create custom applications for use with MapInfo Professional or special MapInfo "runtimes". It is very similar in syntax to Microsoft Visual Basic but has additional 'statements' for tables and map manipulations.
Virus details
The virus is written in the MapBasic language and is compiled into a binary application that executes under MapInfo. When an infected table is opened the virus gains control and infects the MapInfo environment: it copies itself into the MapInfo program directory (the directory where MapInfo is installed) under the name 0gPiSs1.dll. MapInfo has a startup workspace, the file startup.wor, which is executed automatically before any other workspace is loaded. The virus places the commands that launch its code into this startup workspace, and thus gains control each time MapInfo is started.
When active, the virus silently collects the filenames of open tables to be used at a later time.
When MapInfo is closed the virus checks the system date. On a Monday it runs its first payload routine, which catalogs (numbers) the table filenames collected during the current session. With a probability of 1% the virus then tries to delete the table files with the following extensions:
map, tif, pcx, jpg
The second payload routine triggers on Friday the 13th and does the same as the first payload routine, but deletes table files with a 14% probability. In addition, it overwrites the mapinfow.prj file with the following text in Russian (encoding: Cyrillic KOI-8R):
"--- Координаты ---"
"Долгота / Широта", 3, 62, 8, -74, 40.5, 40.6666666667, 41.0333333333, 2000000, 100000
If neither payload routine triggers, the virus infects all the collected tables: it overwrites each table's .mif file with virus code and inserts the command that runs this file when the table is opened.
Disinfection
Kaspersky Anti-Virus removes the virus code from files, but cannot restore files deleted by the virus payloads. Missing .map, .tif, .pcx and .jpg files must be restored from backup. You may also need to restore the mapinfow.prj file in the MapInfo program directory from backup or from the Tools subfolder.
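The following script is an added triage example, not Kaspersky's detection logic and not MapInfo code. It checks a MapInfo program directory for the three on-disk indicators the description names (the dropped 0gPiSs1.dll, a startup.wor that references it, and a mapinfow.prj overwritten with the KOI-8R text), filters a list of collected table file names down to the extensions the payloads delete, and classifies a calendar date by which payload routine would be armed on that day, which helps decide how urgently backups of affected files should be checked. The assumption that the inserted launch command names the dropped file by its filename is labelled in the code; the fixture directories it builds are constructed stand-ins, not real MapInfo files.

```python
"""Triage helper for the MBP.Kynel indicators described above.

Constructed example: not Kaspersky's detection logic and not MapInfo code.
It checks a MapInfo program directory for the artefacts the description
names and classifies a date by the payload routine armed on that day.
"""
import datetime
import os
import tempfile

DROPPED_NAME = "0gPiSs1.dll"          # virus copy in the program directory
STARTUP_WORKSPACE = "startup.wor"     # startup workspace hooked by the virus
PROJECTION_FILE = "mapinfow.prj"      # overwritten by the Friday-13th payload
# First line the Friday-the-13th payload writes, in Cyrillic KOI-8R.
PRJ_MARKER = "--- Координаты ---".encode("koi8_r")
# Extensions the payload routines try to delete.
TARGET_EXTENSIONS = {".map", ".tif", ".pcx", ".jpg"}


def payload_for_date(year, month, day):
    """Return (routine, deletion_probability) armed on that date, or None."""
    d = datetime.date(year, month, day)
    if d.weekday() == 4 and d.day == 13:      # Friday the 13th: 14 % deletion
        return ("friday_13th", 0.14)
    if d.weekday() == 0:                      # any Monday: 1 % deletion
        return ("monday", 0.01)
    return None


def at_risk_files(paths):
    """Keep only the collected table file names whose extension the payloads delete."""
    return sorted(p for p in paths if os.path.splitext(p)[1].lower() in TARGET_EXTENSIONS)


def scan_program_dir(program_dir):
    """Report which of the three on-disk indicators are present."""
    findings = {"dropped_dll": False, "startup_hooked": False, "prj_overwritten": False}
    findings["dropped_dll"] = os.path.isfile(os.path.join(program_dir, DROPPED_NAME))
    wor = os.path.join(program_dir, STARTUP_WORKSPACE)
    if os.path.isfile(wor):
        with open(wor, "rb") as fh:
            # Assumption: the launch command the virus inserts names the dropped file.
            findings["startup_hooked"] = DROPPED_NAME.lower().encode() in fh.read().lower()
    prj = os.path.join(program_dir, PROJECTION_FILE)
    if os.path.isfile(prj):
        with open(prj, "rb") as fh:
            findings["prj_overwritten"] = PRJ_MARKER in fh.read()
    return findings


def build_sample_dir(root, infected):
    """Constructed fixture: a fake MapInfo program directory (not real MapInfo files)."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, PROJECTION_FILE), "wb") as fh:
        fh.write(b'"' + PRJ_MARKER + b'"\r\n' if infected else b"clean placeholder projection data\r\n")
    with open(os.path.join(root, STARTUP_WORKSPACE), "w", encoding="ascii") as fh:
        fh.write("' constructed startup workspace stub\n")
        if infected:
            fh.write(f"' constructed launch reference to {DROPPED_NAME}\n")
    if infected:
        open(os.path.join(root, DROPPED_NAME), "wb").close()
    return root


def demo():
    """Scan a clean and an infected fixture; returns both finding dicts."""
    base = tempfile.mkdtemp(prefix="kynel_demo_")
    clean = scan_program_dir(build_sample_dir(os.path.join(base, "clean"), False))
    infected = scan_program_dir(build_sample_dir(os.path.join(base, "infected"), True))
    return clean, infected


if __name__ == "__main__":
    print(demo())
    print(payload_for_date(2023, 10, 13), payload_for_date(2024, 1, 15))
```

Point `scan_program_dir` at a real MapInfo program directory to run it against a live installation; the date check is deliberately separate so a responder can tell, for a given session end date, whether file deletion was even possible or whether only the .mif infection path applied.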