......................... VIRUS HELP DENMARK .....................
Hi All.... 26.01.2001
A new 'TCP' trojan has been found in New Zealand, and the installer
is still unknown, but Zbigniew Trzcionkowski the programmer of Safe
has made an update of the program, that will decect this new TCP
trojan in memory.
The TCP trojan will replace your "c:mount" with a new size: 7484
bytes and make another file "f". But the new "c:mount" is another
clone of those stupid Vaginitis viruses, but it appeared with some
support stuff (probably not found until now).
Here is some info about this new TCP Trojan:
Virus Type.... : TCP Trojan
Trojan name....: Explode
Trojan size....: 7484 bytes (c:mount)
232 bytes (f)
Archive name.. : ? (Not known yet)
Archive size.. : ? (Not known yet)
This TCP trojan can be decected by "Safe v14.7" right now, and
within a few days by the "xvs.library"
Here is a analyse from Zbigniew Trzcionkowski:
==================== Start of Expl0de virus ========================
Entry...............: Expl0de Virus
Alias(es)...........: VaginitisClone
Virus Strain........: none
Virus detected when.: 1.2001
where.: New Zealand
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca 730 Bytes
2. Length in RAM: 2048 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- none (the virus infects only C:mount)
Self-identification method in memory:
- checks for $60ea at LoadSeg patch offset -2
System infection:
- infects the following function:
Dos LoadSeg()
Infection preconditions:
- Hunk Code is found
- File is not infected already (double
infections are impossible)
- device is validated
- device contains free blocks
Infection Trigger...: Direct accessing C:mount
Storage media affected:
C:
Interrupts hooked...: None
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- none
Particularities.....: (Installer is currently unknown.)
Installer infects only one file - C:mount,
the code of Vaginitis/Fungus virus is used
here only to implement TCP: new shell
opener to system.
The virus performs:
run >nil: newshell TCP:9876
Similarities........: Link-method is first hunk increasing.
Last RTS will be rewritten with nop.
Whole code is 95% equal to Fungus/Vaginitis
viruses.
Stealth.............: Only one file is infected.
One of the additional files is file called
c:f which is small lame coded patcher for
dos/Write prepared to prevent writing files that
contain string '.987'. This is to hide
existence of the secret shell in TCP:,
also may damage some files with this string.
Armouring...........: very simply eor crypter with static key $1337
Comments............: The virus contains string 'expl0de!'.
The virus probably appeared with some other support
stuff that will be analyzed if we get it.
Author of this virus in love with
the longword $DEADF00D.
--------------------- Agents -------------------------------------------
Countermeasures.....: -
above Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 25.1.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 25.1.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain
===================== End of Expl0de virus =======================
This archive has been send to all the antivirus programers.....
Thanx to Patrick Ford for the info and sending the files to us..
Regards....
__ Jan Andersen E-Mail..: vht-dk@post4.tele.dk
__ /// ------------ FidoNet.: 2:237/38.100
\\\/// Virus Help Denmark AmyNet..: 39:140/127.100
\XX/ www.vht-dk.dk VirNet..: 9:451/247.0
