Win.Tentacle_I Viruses Information
Name: Win.Tentacle_I
Category: Viruses
Description:
Details
Win.Tentacle_II
This is a non-dangerous, non-memory-resident parasitic NewEXE (Windows 3.x) virus, 10634 bytes in length. The virus code itself is 10608 bytes long, but when infecting a file it also appends new reference tables, so an infected file grows by 10634 bytes.
In an infected file the Entry Point does not point to the virus code but to the original entry point of the host. The virus does not change the Entry Point fields in the NewEXE header; instead it patches the host's own relocation data so that the host passes control to the virus code. This is the main feature of the virus.
When an infected file is executed, the virus takes control and searches for NewEXE (Windows) files, first in the current directory and then in the directories:
C:\WIN C:\WINDOWS C:\WIN31 C:\WIN311 C:\WIN95
After that it searches for *.SCR files in the current directory. The virus infects only one file in each of the directories listed above, except C:\WINDOWS, where it infects two files, provided they are not already infected.
Before infecting a file the virus checks the file header for the DOS EXE and Windows NewEXE signatures, then sets the MaxMem (e_maxalloc) field of the DOS EXE header to FFFEh and uses that value as its ID stamp to recognize files it has already infected. It then creates the temporary file C:\TENTACLE.$$$ and writes the infected image there. After infection it deletes the original file and renames the temporary file to the original name. This is the same method used by the "Win.Tentacle" virus.
While infecting, the virus modifies the NewEXE header fields, creates a new Segment Table entry describing a new code segment, and writes its code to the end of the file. It does not modify the entry CS:IP values, so the infected file starts at the same address as before infection and the system executes the host's original instructions, not the virus code. To receive control, the virus patches the file's Segment Relocation Records.
First the virus scans the Module Reference Table for the module names KERNEL and VBRUN300. If neither is found, the infection routine terminates. If one of them is found, the virus reads the Segment Relocation Records looking for an import relocation to ordinal 5Bh (INITTASK) in the case of KERNEL, or ordinal 64h (THUNRTMAIN) in the case of VBRUN300. Both relocations resolve to the standard task-initialization routine that the very first instructions of a Windows program call. The virus saves the address of that routine and replaces the relocation target with a reference to its own code. As a result, an infected file starts exactly as before infection, but when it calls the initialization routine, control passes to the virus rather than to the original routine. The virus searches for and infects files, then passes control to the original initialization routine. This technique lets the virus hook execution without modifying the Entry Point.
The virus also creates three new import references in the infected file: two to the standard routines REGSETVALUE and REGQUERYVALUE from SHELL (SHELL.DLL), and one to the original INITTASK or THUNRTMAIN routine. The first two are used by the virus's trigger routine; the last is used to return control to the host.
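The header checks, table walks and relocation lookup described above can be reproduced with a small NewEXE parser. The following Python is an added example written for this page; it is not code from the virus, from the original entry, or from any scanner. It builds a constructed, minimal NE image in memory (not a runnable program; only the headers, tables and one relocation are meaningful), parses the DOS and NE headers, resolves the Module Reference Table through the imported-names table, walks each segment's relocation records to find imported-ordinal references, and reports the two indicators the description gives: MaxMem (e_maxalloc) equal to FFFEh, and a relocation to KERNEL ordinal 5Bh or VBRUN300 ordinal 64h. The field offsets are those of the documented NE format; the constants MAXMEM_STAMP, INITTASK_ORD and THUNRTMAIN_ORD come from the description, and the function names and sample layout are the example's own assumptions.

```python
import struct

NE_HEADER_SIZE = 0x40
MAXMEM_STAMP = 0xFFFE      # e_maxalloc value the virus uses as its infection ID stamp
INITTASK_ORD = 0x5B        # KERNEL ordinal 5Bh (INITTASK), hooked by the virus
THUNRTMAIN_ORD = 0x64      # VBRUN300 ordinal 64h (THUNRTMAIN), hooked by the virus
NSRELOC = 0x0100           # segment-table flag: segment has relocation records


def build_sample(maxalloc):
    """Constructed minimal NE image (not a real program): one code segment whose
    far call is fixed up through an imported-ordinal relocation to KERNEL.5Bh.
    maxalloc is written into the DOS header's e_maxalloc (MaxMem) field."""
    ne_off, align = 0x40, 4                    # NE header at 0x40, 16-byte file sectors
    seg_file_off = 0xA0
    seg_data = bytes([0x9A, 0, 0, 0, 0]) + b"\x90" * 11   # CALL FAR 0:0 followed by NOPs
    segtab_off, modtab_off, imptab_off = 0x40, 0x48, 0x4A  # offsets relative to NE header
    imp_names = b"\x00" + b"\x06KERNEL"        # imported-names table: empty entry 0, "KERNEL" at 1

    mz = bytearray(0x40)
    struct.pack_into("<2sHHHHHH", mz, 0, b"MZ", 0x90, 1, 0, 4, 0, maxalloc)  # e_maxalloc at 0x0C
    struct.pack_into("<I", mz, 0x3C, ne_off)   # e_lfanew -> NE header
    ne = bytearray(NE_HEADER_SIZE)
    ne[:2] = b"NE"
    struct.pack_into("<HH", ne, 0x1C, 1, 1)    # ne_cseg, ne_cmod
    struct.pack_into("<H", ne, 0x22, segtab_off)
    struct.pack_into("<HH", ne, 0x28, modtab_off, imptab_off)
    struct.pack_into("<H", ne, 0x32, align)    # file alignment shift count
    segtab = struct.pack("<HHHH", seg_file_off >> align, len(seg_data), NSRELOC, len(seg_data))
    modtab = struct.pack("<H", 1)              # module 1 -> imported-names offset 1 ("KERNEL")
    body = bytes(mz) + bytes(ne) + segtab + modtab + imp_names
    body += b"\x00" * (seg_file_off - len(body))
    # Relocation table follows the segment data: a record count, then 8-byte records
    # (source type, flags, source offset, module index, ordinal). flags & 3 == 1 means
    # "imported ordinal"; 0 would be an internal reference, which is what the virus
    # rewrites the original INITTASK fixup into.
    relocs = struct.pack("<H", 1) + struct.pack("<BBHHH", 0x03, 0x01, 1, 1, INITTASK_ORD)
    return body + seg_data + relocs


def parse_ne(data):
    """Parse DOS + NE headers and return MaxMem, module names and imported-ordinal relocations."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS EXE")
    maxalloc, = struct.unpack_from("<H", data, 0x0C)
    ne_off, = struct.unpack_from("<I", data, 0x3C)
    if data[ne_off:ne_off + 2] != b"NE":
        raise ValueError("no NewEXE header")
    cseg, cmod = struct.unpack_from("<HH", data, ne_off + 0x1C)
    segtab, = struct.unpack_from("<H", data, ne_off + 0x22)
    modtab, imptab = struct.unpack_from("<HH", data, ne_off + 0x28)
    align, = struct.unpack_from("<H", data, ne_off + 0x32)
    align = align or 9                         # 0 means the default 512-byte sector

    def imp_name(off):                         # Pascal string in the imported-names table
        base = ne_off + imptab + off
        return data[base + 1: base + 1 + data[base]].decode("ascii", "replace")

    modules = [imp_name(struct.unpack_from("<H", data, ne_off + modtab + 2 * i)[0])
               for i in range(cmod)]

    imports = []                               # (segment number, source offset, module, ordinal)
    for i in range(cseg):
        sector, length, flags, _ = struct.unpack_from("<HHHH", data, ne_off + segtab + 8 * i)
        if not flags & NSRELOC or sector == 0:
            continue
        length = length or 0x10000
        rel_off = (sector << align) + length
        count, = struct.unpack_from("<H", data, rel_off)
        for j in range(count):
            _, rflags, src, mod_idx, target = struct.unpack_from("<BBHHH", data, rel_off + 2 + 8 * j)
            if rflags & 0x03 == 0x01 and 1 <= mod_idx <= cmod:   # imported ordinal
                imports.append((i + 1, src, modules[mod_idx - 1], target))
    return {"maxalloc": maxalloc, "segments": cseg, "modules": modules, "imports": imports}


def tentacle_indicators(data):
    """The two checks the description gives: the FFFEh MaxMem stamp, and whether the
    file references the initialization routine the virus hooks."""
    info = parse_ne(data)
    hooks = [imp for imp in info["imports"]
             if (imp[2].upper() == "KERNEL" and imp[3] == INITTASK_ORD)
             or (imp[2].upper() == "VBRUN300" and imp[3] == THUNRTMAIN_ORD)]
    return {"stamped": info["maxalloc"] == MAXMEM_STAMP,
            "hookable": any(m.upper() in ("KERNEL", "VBRUN300") for m in info["modules"]),
            "init_hooks": hooks}


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(0xFFFF)), ("stamped", build_sample(MAXMEM_STAMP))):
        print(label, tentacle_indicators(sample))
```

On a real file the MaxMem stamp alone is the cheap triage check; the relocation walk shows which fixup a clean host uses to reach INITTASK or THUNRTMAIN, and in an infected file that fixup has been turned into an internal reference to the appended segment while a new INITTASK/THUNRTMAIN import is present alongside the SHELL imports.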
The virus pays special attention to WINHELP.EXE. If that file is found, the virus patches it by replacing a conditional jump (opcode 74h, JZ) with a short unconditional jump (opcode EBh, JMP SHORT); the purpose of this patch is unclear.
Between 1:00 am and 2:00 am the virus calls its trigger routine. That routine creates the file C:\TENTACLE.GIF and writes a GIF image of a tentacle to it. The virus then reads from the system Registry (the file-extension association, i.e. the shell\open\command string for GIF files) the command that is executed when a GIF file is viewed, and substitutes the name of its own file, C:\TENTACLE.GIF, for the file argument. For example, the Registry string "wingif %1" is replaced with "wingif C:\TENTACLE.GIF". As a result, the system displays the tentacle image whenever any GIF file is viewed.
When modifying the Registry the virus uses the SHELL calls REGSETVALUE and REGQUERYVALUE.
The virus contains the following encrypted text strings:
C:\WIN C:\WINDOWS C:\WIN31 *.EXE *.SCR
C:\WIN311 C:\WIN95 SHELL\OPEN\COMMAND