FISH #6 Virus

 


             *********************************************

             ***   Reports collected and collated by   ***

             ***            PC-Virus Index             ***

             ***      with full acknowledgements       ***

             ***            to the authors             ***

             *********************************************



  FISH #6 Virus

  =============


  The names of several fish also appear within the virus code:


     "COD SHARK CARP BASS TROUT FIN MUSKY SOLE FISH PIKE MACKEREL

      FISH TUNA FISH FI"


  FISH is based on 4096 with which it shares an ability to 'hide' from

  DOS-based utilities by subverting the operating system.


  Unlike 4096, it is variably encrypted and it is also encrypted - but

  in a different way - when it is in memory.


  Additionally, like 1260, it also contains 'confusion' code to

  discourage disassembly.  In consequence, it was not initially

  apparent to many observers how it intended to manifest itself.


  Its damage mechanism and strike criteria are now known but the

  reports that another virus - WHALE (qv) - is capable of modifying it

  have not been substantiated.



                ============== more ===============


===== Computer Virus Catalog 1.2: FISH #6 Virus (12-February-1991) ===

Entry...............: FISH #6 Virus

Alias(es)...........: FISH-6 = European Fish Virus

Virus Strain........: 4096 = 4K = FroDo = Stealth strain

Virus detected when.: October 1990

              where.: Bonn/Germany ???

Classification......: Program (extending), RAM-resident, stealth virus

Length of Virus.....: .COM & .EXE files: length increased by 3584

                      bytes in RAM:  4096 bytes.


-------------------- Preconditions -----------------------------------

Operating System(s).: MS-DOS

Version/Release.....: 2.xx upward

Computer model(s)...: IBM-PC, XT, AT and compatibles

-------------------- Attributes --------------------------------------

Easy Identification.: ---

Type of infection...: System: Allocates a memory block at the high end

                         of memory. Finds original address of Int 21h

                         handler and original address of Int 13h hand-

                         ler, therefore bypasses all active monitors.

                         Inserts a JMP FAR to virus code inside origi-

                         nal DOS handler.

                      .COM & .EXE files: program length increased by

                         3584. A file will only be infected once.

                         Files with READ-ONLY attribute set can be in-

                         fected; files with SYSTEM attribut set will

                         not be infected (e.g.IBMBIO.COM, IBMDOS.COM).

                      COMMAND.COM is the first file, which will be in-

                         fected in an non infected system.

Infection Trigger...: Files are infected if function 4B00H (Load/Exe-

                         cute) or function 3EH (Close File) of MS-DOS

                         is called and if last three bytes of file-

                         name sum-up to either 223 (COM) or 226 (EXE),

                         and if free diskspace is >16384 bytes.

Interrupts hooked...: INT21h, through a JMP FAR to virus code inside

                         DOS handler;

                      INT01h, during virus installation & processing

                      INT13h, INT24h during infection.

Damage..............: Permanent Damage: a message will be displayed:

                      "FISH VIRUS #6 - EACH DIFF - BONN 2/90

                      '~Knzyvo}'" and then the processor stops (HLT

                      instruction).

Damage Trigger......: If (system date>1990) and a second infected .COM

                      file is executed.

Particularities.....: 1. The virus is encrypted in memory and on disk.

                      2. Summing-up the last 3 bytes of the filename

                         for determining .COM and .EXE files for in-

                         fection will also include more than 1200

                         other extensions such as .BMP,.MEM,.OLD,.PIF,

                         .QLB for .COM-files and .LOG,.TBL for .EXE-

                         files and filenames without extension, e.g.

                         READCOM. , TESTFAX. , TEXTOLD. Therefore,

                         virus code will be appended to datafiles

                         (e.g.  when using "TYPE TEXTOLD", file

                         TEXTOLD will be infected).

                      4. Only files with id="MZ" or id="ZM" get

                         infected as .EXE.

                      5. If virus is not in memory, infected data

                          files are corrupted.

                       6. Infected files get a new date 100 years

                          ahead:  (newyear:=oldyear+100); e.g

                          1991+100=>2091, but with DIR, the new date

                          is not visible.

                      7. Do not use "CHKDSK /F" in an infected system,

                         as files get damaged (crosslinked-sectors).

                      8. If the system is infected, the virus

                         redirects all file accesses so that the virus

                         itself can not be read from the file (stealth

                         technique).

                      9. Find first/next function returns are tampered

                         so that files with (year>100) are reduced by

                         3584 bytes in size.

                      10.Get/set filedate is also tampered.

                         Remark: the reference to "Bonn" built-into

                         the message (see damage) has lead to the

                         assump- tion that FISH#6 was originated in

                         this Ger- man town; a similar assumption has

                         been made for the related WHALE=MOTHER FISH

                         virus due to a string "Hamburg" appearing in

                         its code.  There is *no forther evidence*

                         that both variants of 4096 originated in

                         Germany; the mentioned strings more probably

                         are built-in to masquerade the origin

                         (Russian: MASKIROWKA)


Similarities........: FISH 6 is an optimized 4096 virus as it inherits

                         most of the technology of the 4096 virus.

                         The string '~Knzyvo}' meaning "TADPOLES"

                         is also found in WHALE=MOTHERFISH virus.

--------------------- Agents -----------------------------------------

Countermeasures.....: Cannot be detected on disk while in memory, so

                         no monitor/file change detector can help.


Countermeasures successful:

                      1) A Do-it-yourself way (see 4096 virus):

                         Infect system by running an infected file,

                         ARC/ZIP/LHARC/ZOO all infected .COM and .EXE

                         files, boot from uninfected floppy, and

                         UNARC/UNZIP/LHARC E etc. all files. Pay

                         special attention to disinfection of

                         COMMAND.COM.


                      2) FINDVIRU 1.6    (Solomon)

                      3) F-FCHK   1.12+  (F. Skulason)

                      4) SCAN     6.3V72 (McAfee)

                      5) My NTIFISH6.EXE is an antivirus that only

                         looks for FISH 6 virus, and if requested will

                         restore the file.


Standard means......: Only sucessful if virus is not in memory!

                         Boot from an uninfected write-protected disk

                         and check century of files (with proper

                         tool).


--------------------- Acknowledgement --------------------------------

Location............: Virus Test Center, University Hamburg, Germany

Classification by...: Stefan Tode

Documentation by....: Stefan Tode

Date................: 12-February-1991

Information source..: see: "Virus Bulletin" (also: see 4096)


===================== End of FISH-6 Virus ============================



  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

  ++++++++++++++++++++++++++ end of reports ++++++++++++++++++++++++

  ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Comments

Post a Comment

Popular posts from this blog

BOTTOM LIVE script

                                  BOTTOM                                   ======                     by Adrian Edmondson and Rik Mayall                                 Bottom Live                                 ===========                               Richie  Rik Mayall                                Eddie  Adrian Edmondson Introduction ------------ [Opening shot of theatre, with huge pictures of Richie and Eddie. Caption: "Live from the Mayflower Theatre, Southampton".] Vox Pop 1:  So I'm hoping that this is a lot ruder than the TV, because             they can get away with it. [Cut to Ade's dressing-room door. It opens to reveal a clothes rail, its only contents a brown jacket.] Vox Pop 2:  I just think they're ace, you know, absolutely excellent. [Cut to dressing-gown, pan across a pair of glasses and a revolver.] Vox Pop 3:  It couldn't be too rude, I mean that's what young people want. [Rik's dressing-room door.]
Read more

Fawlty Towers script for "A Touch of Class"

Fawlty Towers A Touch of Class Written by John Cleese and Connie Booth First of first series, first broadcast on September 19, 1975 on BBC2 Transcribed by Jason R. Heimbaugh (jrh@uiuc.edu) on October 10, 1993 Basil Fawlty  John Cleese Sybil Fawlty  Prunella Scales Manuel        Andrew Sachs Polly         Connie Booth Major Gowen   Ballard Berkeley Miss Tibbs    Gilly Flower Miss Gatsby   Renee Roberts Lord Melbury  Michael Gwynn Danny Brown   Robin Ellis Sir Richard   Morris Martin Wyldeck Mr Watson     Lionel Wheeler Mr Wareing    Terence Conoley Mr Mackenzie  David Simeon               [The Fawlty Towers reception lobby. The main entrance is at the               back, with the stairs to the right. The entrance to the dining               room is in the right wall; on the left, the reception desk               running along the left wall, with the entrance to the office               behind it. The entrance to the bar is beyond the desk.] Basil         [on th
Read more