Description:
Details
Mutant.1680
These are non-dangerous, memory-resident polymorphic viruses. They trace INT 21h, hook INT 1Ch and INT 21h, and then write themselves to COM and EXE files that are executed. Some time after activation they play a tune. They contain the text:
mutant
The viruses use two fairly sophisticated routines. The first is the polymorphic routine; as a result, the length of the decryption routine varies between 65 and 149 bytes. The second routine is used to infect files:
The virus looks for areas that contain constant bytes, and stores the offsets and lengths of these areas. If the total length of these areas is less than the virus length, the virus does not infect the file.
The virus compresses these areas, and saves in its code the offsets, lengths and data needed to restore them before returning control to the host program.
The virus selects a block of code in the file, moves that code to the areas that were compressed, and overwrites the block with the encrypted virus code.
As a result, the length of a file does not change after infection. The virus re-infects files if they still contain areas of constant data, and stops infecting once all such areas are compressed.
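
A defensive illustration of the point above, added here and not part of the original description: because the file length does not change, a size check cannot notice the modification, but a known-good baseline that records a hash and the total size of the constant-byte areas can. The 16-byte minimum run length, the function names and the sample buffers are assumptions constructed for this example.

```python
import hashlib

MIN_RUN = 16  # assumption: shortest same-byte run treated as a "constant area"

def constant_runs(data, min_run=MIN_RUN):
    """Return (offset, length, value) for each run of one repeated byte."""
    runs, start = [], 0
    for i in range(1, len(data) + 1):
        if i == len(data) or data[i] != data[start]:
            if i - start >= min_run:
                runs.append((start, i - start, data[start]))
            start = i
    return runs

def profile(data):
    """Baseline record: size, hash and total bytes inside constant areas."""
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "constant_bytes": sum(length for _, length, _ in constant_runs(data)),
    }

def compare(baseline, current):
    """Classify a file's current profile against its known-good baseline."""
    if current["sha256"] == baseline["sha256"]:
        return "unchanged"
    if current["size"] != baseline["size"]:
        return "modified (size changed)"
    if current["constant_bytes"] < baseline["constant_bytes"]:
        return "suspicious: same size, constant areas lost"
    return "modified (same size)"

def _filler(n):
    """Constructed non-repeating bytes standing in for changed content."""
    return bytes((i * 37 + 11) % 256 for i in range(n))

# Constructed sample: 32 code bytes, 64 zero bytes, 20 code bytes, 40 spaces.
CLEAN = (b"\xB4\x09\xCD\x21" * 8 + b"\x00" * 64
         + b"\xB8\x00\x4C\xCD\x21" * 4 + b"\x20" * 40)
# Same length, but both constant areas now hold non-constant data.
ALTERED = CLEAN[:32] + _filler(64) + CLEAN[96:116] + _filler(40)

if __name__ == "__main__":
    base = profile(CLEAN)
    for name, buf in (("clean", CLEAN), ("altered", ALTERED)):
        print(name, len(buf), compare(base, profile(buf)))
```

The baseline must be recorded from a copy known to be clean; the run-length comparison is a triage hint alongside the hash, not a signature for this virus.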