FISH #6 Virus
*********************************************
*** Reports collected and collated by ***
*** PC-Virus Index ***
*** with full acknowledgements ***
*** to the authors ***
*********************************************
FISH #6 Virus
=============
The names of several fish also appear within the virus code:
"COD SHARK CARP BASS TROUT FIN MUSKY SOLE FISH PIKE MACKEREL
FISH TUNA FISH FI"
FISH is based on 4096, with which it shares the ability to 'hide' from
DOS-based utilities by subverting the operating system.
Unlike 4096, it is variably encrypted on disk, and it is also
encrypted, in a different way, while it is in memory.
Additionally, like 1260, it contains 'confusion' code to
discourage disassembly. In consequence, it was not initially
apparent to many observers how it intended to manifest itself.
Its damage mechanism and strike criteria are now known, but the
reports that another virus, WHALE (qv), is capable of modifying it
have not been substantiated.
============== more ===============
===== Computer Virus Catalog 1.2: FISH #6 Virus (12-February-1991) ===
Entry...............: FISH #6 Virus
Alias(es)...........: FISH-6 = European Fish Virus
Virus Strain........: 4096 = 4K = FroDo = Stealth strain
Virus detected when.: October 1990
Virus detected where: Bonn/Germany ???
Classification......: Program (extending), RAM-resident, stealth virus
Length of Virus.....: .COM & .EXE files: length increased by 3584
bytes; in RAM: 4096 bytes.
-------------------- Preconditions -----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM-PC, XT, AT and compatibles
-------------------- Attributes --------------------------------------
Easy Identification.: ---
Type of infection...: System: Allocates a memory block at the high end
of memory. Finds the original address of the Int
21h handler and the original address of the Int
13h handler, therefore bypasses all active
monitors. Inserts a JMP FAR to the virus code
inside the original DOS handler.
.COM & .EXE files: program length increased by
3584. A file will only be infected once.
Files with the READ-ONLY attribute set can be
infected; files with the SYSTEM attribute set will
not be infected (e.g. IBMBIO.COM, IBMDOS.COM).
COMMAND.COM is the first file to be infected in a
non-infected system.
Infection Trigger...: Files are infected if function 4B00h (Load/
Execute) or function 3Eh (Close File) of MS-DOS
is called, if the last three bytes of the file-
name sum to either 223 (COM: 'C'+'O'+'M' =
67+79+77) or 226 (EXE: 'E'+'X'+'E' = 69+88+69),
and if free disk space is >16384 bytes.
Interrupts hooked...: INT21h, through a JMP FAR to virus code inside
DOS handler;
INT01h, during virus installation & processing
INT13h, INT24h during infection.
Damage..............: Permanent Damage: a message will be displayed:
"FISH VIRUS #6 - EACH DIFF - BONN 2/90
'~Knzyvo}'" and then the processor stops (HLT
instruction).
Damage Trigger......: If (system date>1990) and a second infected .COM
file is executed.
Particularities.....: 1. The virus is encrypted in memory and on disk.
2. Summing the last 3 bytes of the filename to
determine .COM and .EXE files for infection
also matches more than 1200 other extensions,
such as .BMP, .MEM, .OLD, .PIF, .QLB for .COM
files and .LOG, .TBL for .EXE files, as well
as filenames without extension, e.g.
READCOM. , TESTFAX. , TEXTOLD. Therefore,
virus code will be appended to data files
(e.g. when using "TYPE TEXTOLD", file
TEXTOLD will be infected).
4. Only files with id="MZ" or id="ZM" get
infected as .EXE.
5. If the virus is not in memory, infected data
files are corrupted.
6. Infected files get a new date 100 years
ahead (newyear := oldyear+100), e.g.
1991+100 => 2091, but with DIR the new date
is not visible.
7. Do not use "CHKDSK /F" in an infected system,
as files get damaged (cross-linked sectors).
8. If the system is infected, the virus
redirects all file accesses so that the virus
itself cannot be read from the file (stealth
technique).
9. Find first/next function returns are tampered
with so that files with year>100 (DOS stores
the year as an offset from 1980, so a file
re-dated to 2091 carries 111) are reported
3584 bytes smaller.
10. Get/set file date is also tampered with.
Remark: the reference to "Bonn" built into
the message (see Damage) has led to the
assumption that FISH#6 originated in this
German town; a similar assumption has been
made for the related WHALE=MOTHER FISH virus
due to a string "Hamburg" appearing in its
code. There is *no further evidence* that
either variant of 4096 originated in Germany;
the mentioned strings more probably are
built in to masquerade the origin (Russian:
MASKIROWKA).
Similarities........: FISH 6 is an optimized 4096 virus, as it inherits
most of the technology of the 4096 virus.
The string '~Knzyvo}', meaning "TADPOLES",
is also found in the WHALE=MOTHERFISH virus.
--------------------- Agents -----------------------------------------
Countermeasures.....: Cannot be detected on disk while in memory, so
no monitor/file change detector can help.
Countermeasures successful:
1) A do-it-yourself way (see 4096 virus):
infect the system by running an infected file,
ARC/ZIP/LHARC/ZOO all infected .COM and .EXE
files (the resident virus hides its own code
from file reads, so clean copies are archived),
boot from an uninfected floppy, and
UNARC/UNZIP/LHARC E etc. all files. Pay
special attention to disinfection of
COMMAND.COM.
2) FINDVIRU 1.6 (Solomon)
3) F-FCHK 1.12+ (F. Skulason)
4) SCAN 6.3V72 (McAfee)
5) My NTIFISH6.EXE is an antivirus that only
looks for the FISH 6 virus and, if requested,
will restore the file.
Standard means......: Only successful if the virus is not in memory!
Boot from an uninfected, write-protected disk
and check the century of files (with a proper
tool).
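Items 6 and 9 above, and the "check century of files" advice under Standard means, rest on how DOS packs a file's date: bits 15-9 of the 16-bit date word hold the year as an offset from 1980, so a file re-dated from 1991 to 2091 carries offset 111, which the resident virus's find-first/next hook recognises and undoes (year back by 100, size down by 3584). The following Python is an added model of that mechanism and of the clean-boot check, not code from the catalog or from the virus; the DirEntry structure, the constructed sample directory and the function names are the example's own, and only the size and date fields of a directory entry are modelled.

```python
# Added example (not from the Computer Virus Catalog entry): model of the
# FISH #6 directory stealth (items 6 and 9) and of the clean-boot century
# check. Only the size and date fields of a directory entry are modelled;
# DirEntry and the sample directory are constructed for this example.

from dataclasses import dataclass

VIRUS_LEN = 3584   # bytes the virus appends to an infected .COM/.EXE
YEAR_BUMP = 100    # infected files are re-dated 100 years ahead


def pack_dos_date(year: int, month: int, day: int) -> int:
    """DOS date word: bits 15-9 year-1980, bits 8-5 month, bits 4-0 day."""
    return ((year - 1980) << 9) | (month << 5) | day


def unpack_dos_date(word: int) -> tuple:
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


@dataclass
class DirEntry:
    name: str
    size: int
    date: int   # packed DOS date word, as stored on disk


def infect(entry: DirEntry) -> DirEntry:
    """The on-disk entry after FISH #6 appends itself: +3584 bytes, +100 years."""
    y, m, d = unpack_dos_date(entry.date)
    return DirEntry(entry.name, entry.size + VIRUS_LEN,
                    pack_dos_date(y + YEAR_BUMP, m, d))


def stealth_find_next(entry: DirEntry) -> DirEntry:
    """What the hooked find-first/next returns while the virus is resident:
    an entry whose year offset from 1980 exceeds 100 is shown with its
    original size and original year, so DIR looks clean."""
    if (entry.date >> 9) > YEAR_BUMP:
        y, m, d = unpack_dos_date(entry.date)
        return DirEntry(entry.name, entry.size - VIRUS_LEN,
                        pack_dos_date(y - YEAR_BUMP, m, d))
    return entry


def dir_listing(raw_entries, virus_resident: bool):
    """Directory as a DOS program sees it: raw after a clean boot, filtered
    through the hook when the virus is in memory."""
    return [stealth_find_next(e) if virus_resident else e for e in raw_entries]


def century_check(raw_entries):
    """The catalog's countermeasure: after booting clean, read the raw
    directory and flag every entry dated a century ahead (offset > 100)."""
    return [e.name for e in raw_entries if (e.date >> 9) > YEAR_BUMP]


# Constructed sample directory: two infected programs and one clean text file.
CLEAN_DATE = pack_dos_date(1991, 4, 9)
RAW_DIRECTORY = [
    infect(DirEntry("COMMAND.COM", 47845, CLEAN_DATE)),
    infect(DirEntry("EDIT.EXE", 38592, CLEAN_DATE)),
    DirEntry("README.TXT", 1200, CLEAN_DATE),
]

if __name__ == "__main__":
    for resident in (True, False):
        print("virus resident:" if resident else "clean boot:")
        for e in dir_listing(RAW_DIRECTORY, resident):
            y, m, d = unpack_dos_date(e.date)
            print(f"  {e.name:12} {e.size:7} {d:02}-{m:02}-{y}")
    print("suspect (dated a century ahead):", century_check(RAW_DIRECTORY))
```

With the virus resident the listing shows the original sizes and 1991 dates; after a clean boot the same entries show 2091 and the extra 3584 bytes, which is what the "check century" step looks for. A file-change detector run while the virus is resident compares against the hooked view and therefore sees nothing, matching the "Countermeasures" note above.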
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Stefan Tode
Documentation by....: Stefan Tode
Date................: 12-February-1991
Information source..: see: "Virus Bulletin" (also: see 4096)
===================== End of FISH-6 Virus ============================
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++