"Advent" Virus

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************


 

====== Computer Virus Catalog 1.2: "Advent" Virus (15-Feb-1990) =======


Entry.................. "Advent" Virus

Alias(es).............. ---

Strain................. Syslock/Macho Virus Strain

Detected: when......... Autumn 1988

          where........ Federal Country of Rheinhessen, FR Germany

Classification......... Program Virus (Link virus)

Length of Virus........ 2761 - 2776 (dec) bytes appended on

                             paragraph boundary


------------------------ Preconditions--------------------------------

Operating System(s).... MS/PC-DOS

Version/Release........ 3.00 and upwards

Computer models........ All IBM PC compatibles.


-------------------------- Attributes---------------------------------

Easy identification.... Beginning on every "Advent" (the period from

                             the fourth Sunday before Christmas until

                             Christmas Eve), the virus displays, after

                             each Advent Sunday, one more lit candle in

                             a wreath of four, together with the string

                             "Merry Christmas", and plays the melody of

                             the German Christmas song "Oh Tannenbaum".

                             By Christmas all four candles are lit.

                             This happens whenever an infected file is

                             run, until the end of December.


Type of infection...... The virus infects both COM and EXE files.

                        EXE files: it checks the checksum field of the

                             EXE header for the value 7CB6h, in which

                             case no infection will occur.

                        COM files: are checked by looking for the

                             byte string 39,28,46,03,03,01 (hex) at

                             offset 10h.  The virus is not RAM resident,

                             therefore it will only infect when the

                             host is run.  It infects by searching

                             through the directories on the current

                             drive and randomly choosing files and

                             directories to infect or search.  It will

                             not infect any other drive.  It will

                             infect COMMAND.COM.


Infection trigger...... Virus will infect any time it is run.


Media affected......... All disks that are addressable using

                             standard DOS functions, as long as it is

                             the current drive.


Interrupts hooked...... ---


Damage................. Transient damage: displayed picture, melody

                             (see Easy Identification)


Damage trigger......... Every time the host is run.


Particularities........ The virus checks for the environment variable

                             "VIRUS=OFF", in which case it will not

                             infect. The virus encrypts itself using a

                             variable key.  The virus will only do its

                             transient damage after 1-Nov-1988.


Similarities........... Macho/Syslock: much of the code is identical,

                             including the startup code. This means

                             that Advent will be identified as Syslock

                             by many scanning programs.  Advent seems

                             to be the precursor to Macho and Syslock

                             (though detected later).


---------------------------- Agents-----------------------------------

Countermeasures........ Use the environment variable described

                             above as a first-aid measure only. If

                             your COMMAND.COM is infected, that won't

                             stop the virus much.  Resetting the date

                             will only stop the damage, not the

                             infection.

                        Here's one of the few strings that can safely

                             be searched for:

                             50,51,56,BE,59,00,B9,26,08,90,D1,E9,8A,

                             E1,8A,C1,33,06,14,00,31,04,46,46,E2,F2,

                             5E,59; it should be noted, however, that

                             this string will also identify Syslock

                             and Macho.

                        There is no scanning method that will tell

                             the three apart. "NTIADVEN" uses a checksum.
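As an added example (not part of the catalog entry, and not code from NTIADVEN), a small read-only Python scanner built only from the identifiers this entry gives: the 28-byte search string above, the EXE header checksum 7CB6h and the six bytes at offset 10h of COM files (see Type of infection). It assumes the standard MZ header layout, with the checksum field at offset 12h, and runs over constructed sample images rather than real files; as the entry warns, a string hit cannot tell Advent from Syslock or Macho.

```python
import struct

# Search string the catalog entry lists (matches Advent, Syslock and Macho).
SEARCH_STRING = bytes.fromhex(
    "50 51 56 BE 59 00 B9 26 08 90 D1 E9 8A E1 "
    "8A C1 33 06 14 00 31 04 46 46 E2 F2 5E 59"
)
# Values the virus itself checks before infecting, per the entry: an EXE
# header checksum of 7CB6h, or these six bytes at offset 10h of a COM file.
EXE_MARKER_CHECKSUM = 0x7CB6
COM_MARKER = bytes.fromhex("39 28 46 03 03 01")
COM_MARKER_OFFSET = 0x10


def scan_image(data: bytes) -> dict:
    """Inspect one file image (read-only) and report which markers are present."""
    found = {"signature": SEARCH_STRING in data, "exe_marker": False, "com_marker": False}
    if data[:2] in (b"MZ", b"ZM") and len(data) >= 0x1C:
        # MZ header: the 16-bit e_csum field sits at offset 0x12 (little-endian).
        found["exe_marker"] = struct.unpack_from("<H", data, 0x12)[0] == EXE_MARKER_CHECKSUM
    else:
        # Anything without an MZ header is treated as a COM program.
        end = COM_MARKER_OFFSET + len(COM_MARKER)
        found["com_marker"] = len(data) >= end and data[COM_MARKER_OFFSET:end] == COM_MARKER
    return found


def verdict(data: bytes) -> str:
    """Summarise scan_image() with the caveats the entry gives."""
    found = scan_image(data)
    if found["signature"]:
        return "strain signature found (Advent/Syslock/Macho; not distinguishable by string)"
    if found["exe_marker"] or found["com_marker"]:
        return "infection marker only (see Type of infection)"
    return "clean"


# Constructed sample images (not real infected files) for the demonstration.
CLEAN_COM = b"\xB8\x00\x4C\xCD\x21" + bytes(40)       # mov ax,4C00h / int 21h, then padding
MARKED_COM = bytes(0x10) + COM_MARKER + bytes(0x10) + SEARCH_STRING
MARKED_EXE = b"MZ" + bytes(0x10) + struct.pack("<H", EXE_MARKER_CHECKSUM) + bytes(0x20)

if __name__ == "__main__":
    for name, image in (("clean.com", CLEAN_COM), ("marked.com", MARKED_COM), ("marked.exe", MARKED_EXE)):
        print(f"{name}: {verdict(image)}")
```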


 - ditto - successful.. For proper treatment, my Anti-Virus "NTIADVEN"

                             is highly recommended (in all humility).

                             Treatment by hand is very tedious and

                             only recommendable for experts.


Standard Means......... Booting from a write-protected disk and

                             restoring all COM and EXE files from the

                             original disks.


----------------------- Acknowledgements------------------------------

Location............... Virus Test Center, University of Hamburg, FRG

Classification by...... Morton Swimmer

Documentation by....... Morton Swimmer

Date................... December 10, 1989

Information source..... "The Peter Norton Programmer's Guide to the

                             IBM PC" (1985), and members of our group.

                             Also thanks to V-COMM for producing

                             "Sourcer" and making my life easier.




======================= End of "Advent" Virus ========================



  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


