Description:
Details
Ithaqua.8030
It is a dangerous memory-resident, multipartite, polymorphic virus. It infects the MBR of the hard drive and COM and EXE files that are executed. While infecting the MBR, the virus encrypts its original contents; as a result, the FDISK/MBR command destroys it. The virus also uses other tricks (anti-debugging) and is polymorphic in files as well as in the infected MBR sector. The virus has many bugs and often corrupts files and the MBR while infecting them.
The virus uses quite complex infection methods, which differ between DOS versions. Under DOS 7+ (Windows) the virus infects EXE files only and does not touch the MBR or COM files in any way. It encrypts itself with 512 bytes of polymorphic code and writes the result to the end of the file. As a result, the length of an infected EXE file grows by 8542 bytes.
Under DOS 6 and lower the virus infects COM files as well as EXE files, and affects the MBR when an infected file is run for the first time. While infecting EXE files the virus looks for a "cave" (an area of constant data) 8030 bytes long and writes itself there if such a cave is found. In this case the file length does not grow. In the case of COM files, the virus writes itself to the end of the file. To get control when the infected file is executed, the virus either uses the standard method (writes a JMP_Virus instruction to the file header), or loads the file, emulates it (executes the file's code) for some time, and then writes the JMP_Virus instruction somewhere in the middle of the file. In the second case the virus encrypts itself with a simple XOR loop and does not run its polymorphic engine; the file length in this case grows by exactly 8030 bytes.
Under DOS 6 the virus also uses an emulator (a virtual execution routine) to get the INT 21h DOS address, and patches this address with a JMP_Virus_Handler instruction.
On April 29th the virus manifests itself with a video effect: it switches the computer to video mode, displays the text:
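A defender-side triage sketch for the size changes described above (an added example, not part of the original description): it compares a known-clean baseline with the current files and flags the 8542-byte and 8030-byte growth given in the description, plus EXE files whose length is unchanged but whose content differs, which is how the cave infection would appear to a size-only check. The function names, verdict labels and sample files are constructed for illustration.

```python
import hashlib

APPENDED_POLY = 8542  # EXE growth the description gives for DOS 7+ infections
XOR_VARIANT = 8030    # growth the description gives for the XOR-encrypted variant
CAVE_LEN = 8030       # cave size the description gives for in-place EXE infection

def fingerprint(data: bytes):
    """Size plus SHA-256, as stored in a clean baseline."""
    return len(data), hashlib.sha256(data).hexdigest()

def classify(name, old, new):
    """Compare one file's baseline and current (size, sha256) fingerprints."""
    ext = name.rsplit(".", 1)[-1].upper()
    if ext not in ("COM", "EXE"):
        return "skipped"
    if old == new:
        return "unchanged"
    delta = new[0] - old[0]
    if ext == "EXE" and delta == APPENDED_POLY:
        return "size+8542"
    if delta == XOR_VARIANT:
        return "size+8030"
    # Same length, different hash: invisible to a size check, visible to a hash.
    if ext == "EXE" and delta == 0 and old[0] >= CAVE_LEN:
        return "same-size-modified"
    return "changed-other"

def triage(baseline, current):
    """Map each current file name to a verdict; files absent from the baseline are new."""
    return {name: classify(name, fingerprint(baseline[name]), fingerprint(data))
            if name in baseline else "new-file"
            for name, data in current.items()}

def constructed_sample():
    """Constructed stand-in files (no real executable or virus content)."""
    exe = b"MZ" + bytes(20000)
    com = b"\xe9\x00\x00" + bytes(500)
    baseline = {"A.EXE": exe, "B.EXE": exe, "C.COM": com, "D.EXE": exe, "README.TXT": b"hi"}
    current = {"A.EXE": exe + b"\xaa" * 8542,                         # appended growth
               "B.EXE": exe[:5000] + b"\x55" * 8030 + exe[13030:],  # overwritten in place
               "C.COM": com + b"\x11" * 8030,
               "D.EXE": exe,
               "README.TXT": b"hi!"}
    return baseline, current

if __name__ == "__main__":
    for name, verdict in sorted(triage(*constructed_sample()).items()):
        print(f"{name:12} {verdict}")
```

Because the virus is memory resident, the current fingerprints are assumed to be taken after booting from clean media.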
[Ithaqua] virus by Wintermute/29A
and then covers this text with "falling snow".
The virus also contains the text strings:
I'm Ithaqua,all that who walks over the wind
Welcome to my world, adventurer. Follow me.
Love. Hate. I'll be awaiting you on the dark side, watching the nonsense.