| Description:
|
Details
USTC.7680
It is a very dangerous memory resident multipartite polymorphic virus. The virus infects the MBR of the hard drive and writes itself to the end of COM and EXE files. It is encrypted not only in files and MBR, but in the system memory also. Most of virus routines are encrypted, the virus decrypts them in case of need, executes and then encrypts.
While infecting the MBR the virus saves the original MBR sector to 16th sector on the first disk track and writes its main code from the MBR sector till 15th sector of first track. While infecting files the virus writes several blocks of junk code to the middle of file. It does it similar to "OneHalf" multipartite virus, but "USTC" virus' polymorphic engine is more complex. In that junk code the virus also uses anti-debugging tricks.
When an infected file is executed, the virus decrypts its code, infects the MBR if the hard drive, hooks INT 13h, 21h and stays memory resident. On loading from infected MBR the virus hooks INT 8, 13h, waits for some time (until DOS is installing itself) and then releases INT 8 and hooks INT 21h.
By hooking INT 13h the virus realizes its stealth routine that hides virus code on the first track. By hooking INT 21h the virus intercepts files that are copied or modified and infects them, i.e. the virus does infect new files or when file's data/code are changed. As a result the virus fools anti-virus CRC-checkers. The virus has a bug - it does not checks file name extension, but internal file format only, and infects not only COM and EXE but also data files.
Depending on its internal counter the virus pauses booting from infected MBR and waits for "CAPSL" input. The virus contains the text string:
3.0 1996.10 USTC |
