Virus report
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
First Report on 1260, aka V2P1
==============================
Other viruses in this family: V2P2, V2P6, V2P6Z, CASPER
1260, which was reported in January 1990, introduced 'confusion' code
as a method of discouraging disassembly, and since then the
technique has been increasingly copied. See FLIP, FISH and
particularly MOTHER FISH.
1260 is largely based on VIENNA but the overwrite mechanism has been
removed.
The unencrypted stub on 1260 has been randomized to make detection
even more difficult.
++++ more ++++
====== Computer Virus Catalog 1.2: 1260 Virus (11-February-1991) =====
Entry................. 1260 Virus
Alias(es)............. Variable, Chameleon, Camouflage, Stealth, V2P1
Strain................ distantly related to Vienna strain
Detected: when........
          where.......
Classification........ Program Virus with direct action, COM infector
Length of virus....... 1260 Bytes
----------------------- Preconditions --------------------------------
Operating System(s)... MS-DOS
Version/Release....... 2.xx and upwards
Computer models....... IBM PC's and compatibles
----------------------- Attributes -----------------------------------
Easy identification... The seconds field of the timestamp of any
                       infected program will be 62 seconds.
Type of infection..... Program virus with direct action. It only
                       infects files with COM extension. It replaces
                       the first 3 bytes with a jump to the virus.
Infection trigger..... Execution of an infected file
Media affected........ The virus will infect any COM file in the
                       current directory.
Interrupts hooked..... INT 1 and INT 3 while virus is executing
Damage................ transient: ---
                       permanent: ---
Particularities....... The actual virus code is encrypted once over
                       the whole code, and various single bytes
                       are also encrypted throughout the virus.
                       These bytes are decrypted prior to
                       execution, using its INT 3 (break point)
                       routine to decrypt, and its INT 1 (trace)
                       routine to encrypt. The encryption routine
                       used to decrypt the entire virus is obscured
                       by the addition of irrelevant instructions
                       and by scrambling the order of the
                       instructions from infection to infection.
                       As a consequence of this stealth technique,
                       it is not possible to extract any scan
                       string from this virus at all.
Similarities.......... The virus is similar to Vienna virus, but
                       highly modified, to contain the encryption
                       methods described above.
----------------------- Acknowledgement ------------------------------
Location.............. Virus Test Center, University Hamburg, Germany
Classification by..... Morton Swimmer
Documentation by...... Morton Swimmer
Date.................. 12-February-1991
====================== End of 1260 Virus =============================
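Added example (not part of the catalog entry or of the Virus Test Center's tooling): a directory sweep that applies the entry's "easy identification" rule. DOS packs a file time into 16 bits with a 5-bit seconds/2 field, so a legitimate stamp never decodes above 58 seconds; a value of 62 is the marker the entry describes. The 3-byte "jump to the virus" at the start of an infected COM file is treated here as a corroborating indicator only, on the assumption that it is an E9 near jump (a 3-byte instruction), since ordinary COM programs also begin with a jump. The directory entries, names and leading bytes below are constructed for the demonstration.

```python
# Added example: flag files whose DOS timestamp carries the 62-second
# marker described in the 1260 catalog entry. Directory entries are
# constructed (name, packed DOS time, first bytes); nothing is read from disk.

def pack_dos_time(hours: int, minutes: int, seconds: int) -> int:
    """Pack a time into the 16-bit DOS format hhhhhmmmmmmsssss.
    The low 5 bits hold seconds/2, so 0..29 stands for 0..58 s and 31
    decodes to 62 s, a value no normal file system write produces."""
    return ((hours & 0x1F) << 11) | ((minutes & 0x3F) << 5) | ((seconds // 2) & 0x1F)


def decode_dos_time(packed: int) -> tuple:
    """Unpack a DOS time word into (hours, minutes, seconds)."""
    hours = (packed >> 11) & 0x1F
    minutes = (packed >> 5) & 0x3F
    seconds = (packed & 0x1F) * 2
    return hours, minutes, seconds


def classify(name: str, packed_time: int, head: bytes):
    """Return a finding for one directory entry, or None if unremarkable."""
    _, _, seconds = decode_dos_time(packed_time)
    if seconds != 62:
        return None
    # 62 s is the marker from the catalog entry; a COM file that also starts
    # with a near jump (E9, assumed here) matches the described infection layout.
    if name.upper().endswith(".COM") and head[:1] == b"\xE9":
        return "seconds field = 62 and JMP (E9) at entry: matches 1260 pattern"
    return "seconds field = 62 (invalid value): inspect file"


def scan_entries(entries):
    """Run classify() over (name, packed_time, first_bytes) tuples and
    return {name: finding} for every entry that produced a finding."""
    return {name: finding for name, t, head in entries
            if (finding := classify(name, t, head)) is not None}


# Constructed sample listing (file names and leading bytes are invented).
SAMPLE_ENTRIES = [
    ("COMMAND.COM", pack_dos_time(17, 17, 0),  b"\xE9\x10\x12"),  # normal stamp, jump is benign
    ("EDIT.COM",    pack_dos_time(12, 30, 62), b"\xE9\x3D\x04"),  # 62 s + jump: 1260 pattern
    ("NOTES.TXT",   pack_dos_time(9, 5, 62),   b"Dear"),          # 62 s on a non-COM file
    ("UTIL.COM",    pack_dos_time(8, 0, 44),   b"\xB4\x09\xCD"),  # normal stamp, no jump
]

if __name__ == "__main__":
    for name, finding in scan_entries(SAMPLE_ENTRIES).items():
        print(f"{name:12} {finding}")
```

The seconds check alone is the reliable part: it does not depend on the variable decryptor that defeats scan strings, because the marker lives in the directory entry rather than in the encrypted body. The jump check only raises confidence on COM files and should not be used on its own.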
======================================================================
== For their outstanding support and continued help, we thank ==
== David Ferbrache (Edinburgh), Christoph Fischer (Karlsruhe), ==
== Yisrael Radai (Jerusalem), Fridrik Skulason (Reykjavik) and ==
== Yuval Tal (Rehovot). ==
== Critical and constructive comments as well as additions are ==
== appreciated. Descriptions of new viruses are appreciated. ==
======================================================================
== The Computer Virus Catalog may be copied free of charges provided =
== that the source is properly mentioned at any time and location ==
== of reference. ==
======================================================================
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Schlueterstr. 70, D2000 Hamburg 13, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner ==
== Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162(Secr.) ==
== Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de ==
======================================================================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++