Details
TSM.5536
It is a harmless memory-resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed, opened, or whose file attributes are accessed. The virus does not infect files whose names contain digits or the characters 'V' or '-', nor the SCAN and TBAV anti-virus programs. It also does not infect files whose names begin with IC* or DR*.
The main feature of this virus is that it was written in C with in-line assembler routines and is polymorphic at the same time. Because of its C origin, the virus has the standard layout of a file compiled by the Borland C compiler: the C startup code is followed by the virus code, the C library routines and the data segment.
+---------------+
|C startup code |
|- - - - - - - -|
|Main routine   | <- virus code
|- - - - - - - -|
|C libraries    |
|- - - - - - - -|
|Data segment   |
+---------------+
When an infected file is executed, the startup code obtains the system parameters, allocates memory and fills in the variables the main program may use. The startup routine then passes control to the main (virus) routine. When the virus code takes control, it decrypts its code and the C libraries with the polymorphic decryption loop, allocates a block of memory, copies itself there (including the startup code, the libraries and the data segment), hooks INT 21h and returns control to DOS.
While infecting a file the virus runs its polymorphic engine, encrypts the main routine and the C libraries, writes the result to the end of the file and modifies the EXE header so that the virus receives control when the infected file is executed.
To return control to the host program the virus uses a fairly clever trick. It hooks the DOS Terminate function. When the virus copy finishes installing itself in memory and exits to DOS, the already installed memory-resident copy intercepts that exit and redirects program flow to the host's entry point address.
This is not a standard polymorphic virus, because its startup routine is not encrypted, but that fact cannot be used to detect it: the same or very similar startup code can be found in other, non-viral files compiled with the same C compiler, which would produce many false alarms.
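As an added illustration (not code from the original description), the following Python helper parses an MZ header and reports where the entry point lies relative to the declared image size, the kind of triage check that looks at the appended body and the rewritten header rather than at the shared Borland startup code. The two sample files, the 5536-byte tail window taken from the virus name, and the entry_in_tail heuristic are assumptions made for this example; a legitimate EXE whose entry point happens to sit near the end of its image would trigger it too, so it is a triage aid, not a signature.

```python
import struct

# MZ signature followed by the eleven header words up to e_cs (24 bytes).
MZ_FIELDS = "<2s11H"
TSM_LENGTH = 5536  # appended size implied by the virus name; used as the tail window


def build_sample(module: bytes, header_paras: int, entry_in_module: int) -> bytes:
    """Construct a minimal MZ file (constructed sample, not a real program):
    a header of header_paras paragraphs followed by the load module."""
    total = header_paras * 16 + len(module)
    e_cp, e_cblp = divmod(total, 512)
    if e_cblp:
        e_cp += 1                      # last page is partial
    e_cs, e_ip = divmod(entry_in_module, 16)
    hdr = struct.pack(MZ_FIELDS, b"MZ", e_cblp, e_cp, 0, header_paras,
                      0, 0xFFFF, 0, 0, 0, e_ip, e_cs)
    return hdr.ljust(header_paras * 16, b"\0") + module


def parse_mz(data: bytes) -> dict:
    """Return the declared image size and the file offset of the entry point."""
    if len(data) < struct.calcsize(MZ_FIELDS) or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    (_, e_cblp, e_cp, _, e_cparhdr, _, _, _, _, _, e_ip,
     e_cs) = struct.unpack_from(MZ_FIELDS, data, 0)
    declared = e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)
    entry = (e_cparhdr + e_cs) * 16 + e_ip   # header + CS:IP, as a file offset
    return {"declared_size": declared, "entry_offset": entry,
            "actual_size": len(data)}


def entry_in_tail(data: bytes, tail_bytes: int = TSM_LENGTH) -> bool:
    """Triage heuristic: the entry point lies inside the last tail_bytes of the
    declared image, the layout left by an infector that appends its body and
    repoints the header at it. Files smaller than the window are skipped."""
    h = parse_mz(data)
    if h["declared_size"] <= tail_bytes:
        return False
    return h["declared_size"] - tail_bytes <= h["entry_offset"] < h["declared_size"]


# Constructed samples: a clean 100-byte module, and the same module with a
# 5536-byte tail and the header entry point moved to the start of that tail.
CLEAN_SAMPLE = build_sample(b"\x90" * 100, header_paras=2, entry_in_module=0)
INFECTED_SAMPLE = build_sample(b"\x90" * 100 + b"\xcc" * TSM_LENGTH,
                               header_paras=2, entry_in_module=100)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("tail-entry", INFECTED_SAMPLE)):
        print(name, parse_mz(sample), "suspect" if entry_in_tail(sample) else "ok")
```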
The virus contains the following text strings in its main code:
Dis quick test virus was written by The Soul Manager on 5/9/97
(Yes, yes, I *ADMIT* I should find something to do with a Friday night).
Greetz to Immortal Riot (from Australia).
I am, I am, I am
It also contains the copyright string and error messages that the Borland C compiler places in EXE files:
Turbo C++ - Copyright 1990 Borland Intl.
Divide error
Abnormal program termination