......................... VIRUS HELP DENMARK .....................
Hi All.... 10.04.2001
A new linkvirus has been found. Its installer is not yet known, and at
this time only "Safe v15.1 SE" is able to find the virus, but not the
installer.
Here is what we know at this time (Text from Zbigniew):
I call the linkvirus temporarily Bastard.
The virus is polymorphic and hacks VirusCheckerII in memory to make
it infect all files you check. The virus is very well coded as for
the things we see these days. The virus adds its code behind the first
code hunk and replaces the first long of it with a jump into the decryptor.
The decryptor is highly polymorphic, but can be easily detected due to
the laziness of the virus programmer. This decoder has a static length, one
layer, and a few static important instructions. I think this engine
is totally new, but we saw many better ones in the past.
To remove the virus we will need to decode the main block of the virus,
so the recognition routine must be improved a little bit. As always I
have prepared such a filerecog routine, but this time some additional
work has to be done to decode the virus. As far as I understand
the code of the virus, the best way of decoding would be rewriting
the last word of the decoder with RTS and executing it.
The decoding algorithm may become different from the version implemented
by the author of the virus due to garbage instructions mixed with it.
The installer of this virus is currently unknown.
We will get back to you as soon as we know more about this one.
Thanks to Zbigniew Trzcionkowski for Safe and the fast test...
__ Jan Andersen E-Mail..: firstname.lastname@example.org
__ /// ------------ FidoNet.: 2:237/38.100
\\\/// Virus Help Denmark AmyNet..: 39:140/127.100
\XX/ www.vht-dk.dk VirNet..: 9:451/247.0
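The infection pattern described above (virus body appended behind the first code hunk, first longword of that hunk replaced by a jump into the decryptor) can be triaged structurally from the hunk file alone. The following Python is an added example for this page; it is not code from Virus Help Denmark, from Zbigniew Trzcionkowski's Safe, or from any scanner. It parses the standard AmigaOS hunk format, finds the first HUNK_CODE block, and flags an entry longword that is a 4-byte PC-relative jump (BRA.W or JMP (d16,PC)) landing past a block of host code with a sizeable region after it. The thresholds MIN_SKIP and MIN_APPENDED and the three sample executables are constructed assumptions for illustration; the decryptor's static length and static instructions that the alert mentions are not given on the page, so no signature for the real virus is matched here.

```python
import struct

# Amiga hunk-file block identifiers (standard AmigaOS executable format)
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_DATA = 0x3EA
HUNK_BSS = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END = 0x3F2

# Heuristic thresholds: assumptions for this example, not values from the alert
MIN_SKIP = 16       # a jump over fewer bytes looks like an ordinary version-string skip
MIN_APPENDED = 64   # room needed after the target for a decryptor plus appended body


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunks(buf):
    """Walk an Amiga executable and return [(hunk_type, payload)] in file order.
    Only the common hunk types are handled; anything else raises ValueError."""
    if _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not an Amiga hunk executable")
    off = 4
    while True:                      # resident library names, 0-terminated
        n = _u32(buf, off)
        off += 4
        if n == 0:
            break
        off += n * 4
    first, last = _u32(buf, off + 4), _u32(buf, off + 8)
    off += 12 + (last - first + 1) * 4   # table size, first/last, hunk size table
    hunks = []
    while off < len(buf):
        kind = _u32(buf, off) & 0x3FFFFFFF   # mask the memory-type flag bits
        off += 4
        if kind in (HUNK_CODE, HUNK_DATA):
            n = _u32(buf, off)
            off += 4
            hunks.append((kind, buf[off:off + n * 4]))
            off += n * 4
        elif kind == HUNK_BSS:
            hunks.append((kind, b""))
            off += 4
        elif kind == HUNK_RELOC32:
            while True:              # (count, hunk number, offsets...) groups, 0-terminated
                count = _u32(buf, off)
                off += 4
                if count == 0:
                    break
                off += 4 + count * 4
        elif kind == HUNK_END:
            hunks.append((kind, b""))
        else:
            raise ValueError("unsupported hunk type 0x%X" % kind)
    return hunks


def entry_jump_target(code):
    """If the first longword is a 4-byte PC-relative jump (BRA.W 0x6000 dddd or
    JMP (d16,PC) 0x4EFA dddd), return its target offset in the hunk, else None.
    68000 PC-relative displacements count from the opcode address + 2."""
    if len(code) < 4:
        return None
    opcode, disp = struct.unpack_from(">Hh", code, 0)
    return 2 + disp if opcode in (0x6000, 0x4EFA) else None


def analyze_executable(buf):
    """Report on the first code hunk: flag an entry longword that jumps forward
    over host code into a large trailing region (the appended-body shape)."""
    code = next((p for k, p in parse_hunks(buf) if k == HUNK_CODE), None)
    if code is None:
        return {"code_len": 0, "entry_target": None, "suspicious": False}
    target = entry_jump_target(code)
    suspicious = (target is not None and target >= MIN_SKIP
                  and len(code) - target >= MIN_APPENDED)
    return {"code_len": len(code), "entry_target": target, "suspicious": suspicious}


def build_executable(code_hunks):
    """Assemble a minimal hunk file: header, then one HUNK_CODE/HUNK_END pair per hunk."""
    n = len(code_hunks)
    out = struct.pack(">IIIII", HUNK_HEADER, 0, n, 0, n - 1)
    out += b"".join(struct.pack(">I", len(c) // 4) for c in code_hunks)
    for c in code_hunks:
        out += struct.pack(">II", HUNK_CODE, len(c) // 4) + c + struct.pack(">I", HUNK_END)
    return out


# Constructed samples (hand-assembled 68000 bytes, not taken from any real file)
MOVEQ0_RTS = b"\x70\x00\x4e\x75"           # moveq #0,d0 ; rts
NOP = b"\x4e\x71"
CLEAN_CODE = MOVEQ0_RTS + NOP * 14         # 32-byte host program
# host whose first long became BRA.W to offset 32, with a 64-byte block appended behind it
PATCHED_CODE = struct.pack(">Hh", 0x6000, 32 - 2) + CLEAN_CODE[4:] + NOP * 32
# benign lookalike: BRA.W over a short version string, nothing appended
VERSION_SKIP_CODE = struct.pack(">Hh", 0x6000, 14 - 2) + b"$VER: x 1\0" + MOVEQ0_RTS + NOP * 7

if __name__ == "__main__":
    for name, code in (("clean", CLEAN_CODE), ("patched", PATCHED_CODE),
                       ("version-skip", VERSION_SKIP_CODE)):
        print(name, analyze_executable(build_executable([code])))
```

The report is for triage, not a verdict: programs that legitimately begin with a branch over embedded data will trip the structural check, which is why the alert relies on the decryptor's fixed length and fixed instructions for real recognition, and why disinfection needs the decoded main block rather than just the entry patch.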