Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



Explode TCP Trojan

.........................  VIRUS HELP DENMARK  .....................

 Hi All....                                               26.01.2001

 A new 'TCP' trojan has been found in New Zealand, and the installer
 is still unknown, but Zbigniew Trzcionkowski, the programmer of Safe,
 has made an update of the program that will detect this new TCP
 trojan in memory.
 The TCP trojan will replace your "c:mount" with a new file of size
 7484 bytes and make another file "f". The new "c:mount" is another
 clone of those stupid Vaginitis viruses, but it appeared with some
 support stuff (probably not found until now).


 Here is some info about this new TCP Trojan:

 Virus Type.... : TCP Trojan
 Trojan name....: Explode
 Trojan size....: 7484 bytes (c:mount)
                   232 bytes (f)
 Archive name.. : ? (Not known yet)
 Archive size.. : ? (Not known yet)


 This TCP trojan can be detected by "Safe v14.7" right now, and
 within a few days by the "xvs.library".


 Here is an analysis from Zbigniew Trzcionkowski:


==================== Start of Expl0de virus ========================

Entry...............: Expl0de Virus
Alias(es)...........: VaginitisClone
Virus Strain........: none
Virus detected when.: 1.2001
              where.: New Zealand
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:      ca 730 Bytes
                      2. Length in RAM:                   2048 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none (the virus infects only C:mount)

                      Self-identification method in memory:

                      - checks for $60ea at LoadSeg patch offset -2

                      System infection:
                      -  infects the following function:
                         Dos LoadSeg()


                      Infection preconditions:

                      - Hunk Code is found
                      - File is not infected already (double
                        infections are impossible)
                      - device is validated
                      - device contains free blocks


Infection Trigger...: Direct accessing C:mount

Storage media affected:
                      C:

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: (Installer is currently unknown.)
                      The installer infects only one file, C:mount;
                      the code of the Vaginitis/Fungus virus is used
                      here only to implement a TCP: new-shell
                      opener in the system.
                      The virus performs:
                      run >nil: newshell TCP:9876

Similarities........: Link method: first hunk increasing.
                      The last RTS is rewritten with a NOP.
                      The whole code is 95% equal to the Fungus/Vaginitis
                      viruses.

Stealth.............: Only one file is infected.
                      One of the additional files is a file called
                      c:f, which is a small, lamely coded patcher for
                      dos/Write, prepared to prevent writing files that
                      contain the string '.987'. This is to hide the
                      existence of the secret shell in TCP:, and it
                      may also damage some files with this string.

Armouring...........: very simple EOR crypter with static key $1337


Comments............: The virus contains the string 'expl0de!'.
                      The virus probably appeared with some other support
                      stuff that will be analyzed if we get it.
                      The author of this virus is in love with
                      the longword $DEADF00D.

--------------------- Agents -------------------------------------------

Countermeasures.....: -
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  25.1.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 25.1.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

===================== End of Expl0de virus =======================

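 The analysis above notes that the virus body is hidden only by an EOR
 crypter with a static key ($1337) and that it carries the string
 'expl0de!' and the longword $DEADF00D. As an added example (not code
 from this bulletin, from Safe or from the xvs.library), the Python
 below shows why a static key gives a scanner nothing to overcome:
 strip the key stream, trying both byte alignments, and look for the
 markers. The sample file, the stub-then-encrypted-body layout and the
 assumption that the markers and the 'newshell TCP:9876' command are
 stored as contiguous plain text under the crypter are all constructed
 here.

```python
import struct

# Indicators taken from the analysis above; the sample file further down is
# constructed for this example and is not the real C:mount.
XOR_KEY = 0x1337                      # static EOR key named under "Armouring"
INFECTED_MOUNT_SIZE = 7484            # size of C:mount after infection, per the bulletin
MARKERS = {
    "expl0de! string": b"expl0de!",
    "$DEADF00D longword": struct.pack(">I", 0xDEADF00D),   # 68k stores longwords big-endian
    "newshell TCP:9876 command": b"newshell TCP:9876",     # assumed stored as plain text
}

def eor_stream(data: bytes, key: int = XOR_KEY, phase: int = 0) -> bytes:
    """XOR data with the repeating 16-bit key. phase=1 shifts the key stream by
    one byte so a body that begins at an odd file offset still decrypts correctly.
    EOR is its own inverse, so the same call encrypts and decrypts."""
    pattern = key.to_bytes(2, "big")
    return bytes(b ^ pattern[(i + phase) % 2] for i, b in enumerate(data))

def scan(data: bytes) -> dict:
    """Map each marker found to where it was seen: in the clear, or only after
    removing the static-key crypter (in either key-stream phase)."""
    hits = {}
    for name, sig in MARKERS.items():
        if sig in data:
            hits[name] = "clear"
            continue
        for phase in (0, 1):
            if sig in eor_stream(data, phase=phase):
                hits[name] = f"eor $1337 (phase {phase})"
                break
    return hits

def is_infected_mount(data: bytes) -> bool:
    """For C:mount: any marker present, or exactly the size the bulletin reports."""
    return bool(scan(data)) or len(data) == INFECTED_MOUNT_SIZE

# Constructed sample: a 7-byte unencrypted stub followed by an EOR-$1337 encrypted
# body, so the body starts at an odd file offset (the awkward alignment case).
_BODY = (b"\x00" * 5 + MARKERS["expl0de! string"] + MARKERS["$DEADF00D longword"]
         + b"run >nil: " + MARKERS["newshell TCP:9876 command"] + b"\x00")
SAMPLE_INFECTED = b"\x4e\x75\x4e\x75\x4e\x75\x60" + eor_stream(_BODY)
SAMPLE_CLEAN = b"\x00" * 64

if __name__ == "__main__":
    print(scan(SAMPLE_INFECTED))   # every marker reported as "eor $1337 (phase 1)"
    print(scan(SAMPLE_CLEAN))      # {}
```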

 This archive has been sent to all the antivirus programmers.....


 Thanx to Patrick Ford for the info and for sending the files to us..


   Regards....
      __          Jan Andersen          E-Mail..:  vht-dk@post4.tele.dk
 __  ///          ------------             FidoNet.:  2:237/38.100
 \\\///        Virus Help Denmark             AmyNet..: 39:140/127.100
  \XX/            www.vht-dk.dk                  VirNet..: 9:451/247.0



