Evolution.277 Viruses Information
Name: Evolution.277
Category: Viruses
Description:
Details
Evolution.2770
This is a dangerous memory-resident parasitic polymorphic stealth virus. On execution it copies itself into a UMB or into conventional memory, traces and hooks INT 13h and INT 21h, hooks INT 09h, and writes itself to the end of EXE files that are executed, renamed or closed.
On file opening the virus runs its stealth routine: it opens the file, loads it into memory and runs a tracing routine that steps through the decryption loop and restores the original contents of the virus body, including the saved fields of the infected file's EXE header. The virus then restores the EXE header of the infected file from the decrypted data and truncates the file to its original length, so an infected file is disinfected on open while the memory-resident copy of the virus is active.
The virus hooks two interrupts to call its trigger routines. The first is INT 13h: on every 256th call to INT 13h with AH=2 or AH=3 (read/write sectors) the virus runs a damage routine that flips one randomly selected bit of the data buffer to its complementary value.
The second trigger interrupt is the keyboard handler INT 09h. When the ALT, CTRL or DEL key is pressed, the virus checks its internal counters and the system timer and, depending on these values, displays the message (the first of these viruses displays it in Chinese), delays and reboots the computer:
-=_ Evolution 2001 Virus was done by lord Salivantis - Nov/Dec 1993 _=-
The virus uses i386 extended registers and several other newer Intel instructions. On installation it checks the processor mode. If the processor is in real mode (DOS was loaded without a memory manager such as QEMM or EMM386 and the DOS session is not running under MS Windows, OS/2 and so on), the virus uses a special technique to hide itself in memory: it moves the Interrupt Vector Table into the body of its TSR copy (it reserves enough memory for its code and data, about 7K) and loads the address of this copy into the Interrupt Descriptor Table register with the i386+ LIDT instruction. The mode check matters because under a memory manager or Windows the DOS session runs in V86 mode, where LIDT is a privileged instruction and would fault.
As a result the processor fetches interrupt vectors from the copied table inside the virus instead of from the original table at 0000:0000-0000:03FF. Every interrupt address is now loaded by the processor from the copy; the original Interrupt Vector Table can be filled with zeros and the computer will keep working, because those pointers are no longer used and that memory is effectively free.
This trick hides the virus in memory very well. Standard debuggers and anti-virus utilities will not work correctly: debuggers cannot set the trace vectors INT 01h/03h, and anti-virus utilities cannot locate the real addresses of the "virus-alarm" interrupts INT 13h, 21h, 25h and 26h, because they read the standard Interrupt Vector Table directly (at 0000:0xxx) or use the DOS INT 21h Get/Set Vector functions, both of which only see the abandoned original table.
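To make the relocation trick concrete, the following is an added model in C written for this page; it is not the virus's code and not taken from any analysis tool. It simulates a real-mode PC as a flat 1 MiB array plus an IDTR register, installs a hypothetical resident copy at segment 9F00h with made-up handler offsets, and contrasts two ways of finding the INT 13h handler: reading 0000:0000 (what a naive scanner or DOS Get Vector does) and reading through IDTR.base (what the CPU actually does). The sample vector values for the BIOS and DOS handlers are constructed, not real ones.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a real-mode PC: 1 MiB of flat memory plus the IDTR.
 * In real mode there are no descriptors; IDTR.base just points at a table of
 * 256 four-byte far pointers (offset:segment) that the CPU reads on INT n. */
#define MEM_SIZE  (1u << 20)
#define IVT_BYTES 0x400

static uint8_t mem[MEM_SIZE];
static struct { uint32_t base; uint16_t limit; } idtr = { 0, IVT_BYTES - 1 };

typedef struct { uint16_t off, seg; } farptr;

static uint32_t linear(uint16_t seg, uint16_t off) { return ((uint32_t)seg << 4) + off; }

static farptr read_entry(uint32_t table, unsigned n) {
    const uint8_t *e = mem + table + 4u * n;
    farptr p = { (uint16_t)(e[0] | e[1] << 8), (uint16_t)(e[2] | e[3] << 8) };
    return p;
}

static void write_entry(uint32_t table, unsigned n, farptr p) {
    uint8_t *e = mem + table + 4u * n;
    e[0] = p.off & 0xFF; e[1] = p.off >> 8; e[2] = p.seg & 0xFF; e[3] = p.seg >> 8;
}

/* What the CPU does on "INT n": fetch the vector at IDTR.base + 4n. */
farptr cpu_int_target(unsigned n) { return read_entry(idtr.base, n & 0xFF); }

/* What a naive scanner or DOS Get Vector does: read 0000:0000 + 4n. */
farptr ivt_peek(unsigned n) { return read_entry(0, n & 0xFF); }

/* Boot: BIOS/DOS fill the standard table at 0000:0000 (constructed sample values). */
void boot(void) {
    memset(mem, 0, sizeof mem);
    idtr.base = 0; idtr.limit = IVT_BYTES - 1;
    farptr bios13 = { 0x1234, 0xF000 }, dos21 = { 0x0100, 0x0116 }, kbd9 = { 0x0E70, 0xF000 };
    write_entry(0, 0x13, bios13);
    write_entry(0, 0x21, dos21);
    write_entry(0, 0x09, kbd9);
}

/* The trick described above: copy the IVT into the resident body, point IDTR at
 * the copy (LIDT), then hook 13h/21h/09h in the copy only. Handler offsets are
 * hypothetical. */
void virus_install(uint16_t tsr_seg) {
    uint32_t copy = linear(tsr_seg, 0);
    memcpy(mem + copy, mem, IVT_BYTES);   /* move the IVT into the TSR body */
    idtr.base = copy;                     /* LIDT: CPU now reads vectors here */
    idtr.limit = IVT_BYTES - 1;
    farptr h13 = { 0x0400, tsr_seg }, h21 = { 0x0500, tsr_seg }, h09 = { 0x0600, tsr_seg };
    write_entry(copy, 0x13, h13);
    write_entry(copy, 0x21, h21);
    write_entry(copy, 0x09, h09);
}

/* Detection check (SIDT): in real mode the table is expected at base 0 with
 * limit 3FFh; anything else means the vectors the CPU uses live elsewhere. */
int idt_relocated(void) { return idtr.base != 0 || idtr.limit != IVT_BYTES - 1; }

int main(void) {
    boot();
    virus_install(0x9F00);
    farptr a = ivt_peek(0x13), b = cpu_int_target(0x13);
    printf("scanner sees INT 13h at %04X:%04X, CPU dispatches to %04X:%04X, IDT relocated: %d\n",
           a.seg, a.off, b.seg, b.off, idt_relocated());
    memset(mem, 0, IVT_BYTES);            /* zero the original table, as the text describes */
    b = cpu_int_target(0x13);
    printf("after zeroing 0000:0000-03FF the CPU still dispatches to %04X:%04X\n", b.seg, b.off);
    return 0;
}
```

The practical lesson is in `idt_relocated` and `cpu_int_target`: a memory scanner that wants the real handler of INT 13h or 21h on a 386+ in real mode should read the IDTR with SIDT and walk the table at the returned base, instead of trusting 0000:0000 or the DOS Get Vector call. The model also shows why the virus only attempts this outside V86 mode: in a V86 session the memory manager owns the real IDT and a LIDT from DOS code would fault instead of taking effect.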