$Id: f_mirc.txt,v 1.94 2020/09/19 11:22:25 ralph Exp $

f_mirc.png

Format: Plain text (not yet ASCII-DOC), UTF8, Windows CR+LF, 80 chars max. per line

___________.__            .___ _____  .__
\_   _____/|__| ____    __| _//     \ |__|______   ____
 |    __)  |  |/    \  / __ |/  \ /  \|  \_  __ \_/ ___\
 |     \   |  |   |  \/ /_/ /    Y    \  ||  | \/\  \___
 \___  /   |__|___|  /\____ \____|__  /__||__|    \___  >
     \/            \/      \/       \/                \/

Introduction

What is Anti-virus Software?

Anti-virus software helps protect your computer against known viruses, worms, Trojan horses, and other unwanted invaders that can make your computer "ill". Computer viruses are much the same as biological viruses: they attach themselves to programs or hosts and replicate themselves repeatedly. The hosts, however, take the form of USB drives, email attachments or files rather than living organisms, and in this case the result is worse than the flu. Viruses, worms, Trojans and the like often perform malicious acts, such as deleting files, accessing personal data, using your computer to attack or infect other computers, or simply replicating and interfering with your system, making it unstable or more vulnerable to attacks. A program that is able to detect viruses is called a virus scanner.

FindMirc is both a very fast signature scanner and a so-called heuristic scanner. It can detect virus mutations; it will search for Trojans, fun and joke programs, script viruses (VBS, HTML etc.), IRC worms, malware and dropper programs. FindMirc is able to disassemble and decrypt files using a software emulator. This generic detection, called heuristic analysis, is a technique that makes it possible to detect unknown viruses by searching for suspicious command sequences instead of relying on a signature. FindMirc is therefore able to detect suspicious instructions and abnormal sequences, and with them still unknown viruses!

What is FindMirc?

FindMirc is a scanner that is able to detect script viruses, worms, viruses and malware. This includes IRC worms (.INI), batch files (.BAT), JavaScript (.JS, .JSE), Visual Basic Script (.VBS, .HTML, .SHS, .VBE), Trojans, backdoors, mail worms, spyware, key loggers, viruses (.EXE, .SHS, .SCR etc.) and other script worms like .CS and .WBT infectors. FindMirc additionally uses heuristic scan engines and can find and qualify yet unknown viruses! For example, FindMirc was able to detect the VBS.Love_Letter virus family using the heuristic scan engines!

About/History

Version 2.00 is ported from DOS (16 bit) to Windows (32 bit), allowing FindMirc to use long file names on all Win32 platforms. Furthermore the code is now portable and is able to run under Linux (32/64 bit) and other operating systems! As a trade-off of using the new 32 bit compiler, the generated code is slower on Windows than the DOS 16 bit code! The Linux versions are super fast!

Note
Please note that starting with F_Mirc version 7.00 a DOS32 version is no longer available, only a stripped down DOS16 version as a dual bound executable (delivered with the Win32 EXE file)!

Version 3.00 is compiled for Pentium MMX CPUs and better and WILL NOT run on a 486 or Pentium CPU without MMX support!

Version 4.00 adds the options -log and -logall as well as basic detection for Win32 Trojans, backdoors and other malware (currently around 2000 signatures).

Version 4.50: Added the Trojan scan engine from VSP and RHBVS (~4000 viruses).

See "History" below for more details.

FindMirc is Freeware by ROSE SWE. All Rights Reserved!

Different Operating Systems

FindMirc is available for different operating systems. When you start FindMirc, a banner with the program version, build number and target platform is printed.

E.g.:

----=[ F_Mirc/Win32 4.52-1077 - IRC, VBS & Script Worm Detector ]=-------------
                ^    ^    ^
Platform -------/    |    |
Program version -----/    |
Build --------------------/

Different Computing Platforms

The following platforms are currently supported

  • Win32 - Windows console, runs under Win95/98/ME, NT, 2000 & XP etc., Pentium required. Long file names (LFN) supported on all platforms.

  • DOS32 - runs under Win32 + DOS, Pentium required; for DOS a DPMI extender is required. Long file names supported under Windows 98, 2000 & XP and better. Skipped starting with the 6.52 release, but available upon request.

  • DOS16 - runs under Win32 + DOS, 386 CPU required, no extender required, but limited in Trojan/Backdoor detection due to insufficient memory! No LFN support at all! Skipped with the 6.xx versions (use DOS32 version instead) as a separate/standalone program. See the "dual bound" documentation for details and how to use the DOS16 version.

  • Linux - runs under 2.6.x and higher kernels. LFN under native Linux and (32/64) mounted Win32/FAT/NTFS supported. Requires a Pentium. Fastest platform! The 64 bit Linux version needs a COREAVX2 or better CPU and an AVX2 or better co-processor!

Build Schema

The build number is a unique increasing number that is incremented with each build of FindMirc. A higher build number means a newer program version.

Known Bugs/To Do

1.) The command line engine cannot handle spaces, e.g. -log="C:\Documents and Settings..." will currently NOT work!

2.) DOS Entry Point versus Windows EP may report "Corrupted MS-DOS Header! Size=10.992, EP=157.686"

3.) List option (-list=filename) was reported to be buggy under Linux
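Item 2.) concerns the check behind the "Corrupted MS-DOS Header! Size=..., EP=..." note. The following Python snippet is an added illustration written for this document, not FindMirc's own code: how FindMirc computes the two values is not documented here, so the snippet uses the standard interpretation of the MZ header (declared image size from e_cp/e_cblp, DOS entry point from e_cparhdr and CS:IP) and flags a header whose entry point lies outside the declared image. The build_mz helper and its sample images are constructed for the example.

```python
import struct

# DOS MZ header, 28 bytes: e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc,
# e_maxalloc, e_ss, e_sp, e_csum, e_ip, e_cs (signed), e_lfarlc, e_ovno
MZ_HEADER = struct.Struct("<2sHHHHHHHHHHhHH")

def mz_size_and_entry(data):
    """Return (declared image size, file offset of the DOS entry point) from the
    MZ header, or None if the buffer does not start with one.
      size = (e_cp - 1) * 512 + e_cblp           (e_cblp == 0: last page is full)
      EP   = e_cparhdr * 16 + e_cs * 16 + e_ip   (CS:IP relative to the load module)"""
    if len(data) < MZ_HEADER.size:
        return None
    (magic, e_cblp, e_cp, _crlc, e_cparhdr, _minalloc, _maxalloc, _ss, _sp,
     _csum, e_ip, e_cs, _lfarlc, _ovno) = MZ_HEADER.unpack_from(data)
    if magic not in (b"MZ", b"ZM"):           # DOS accepts both spellings
        return None
    size = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512
    entry = e_cparhdr * 16 + e_cs * 16 + e_ip
    return size, entry

def check_dos_header(data):
    """Return 'not-mz', 'ok', or a note in the style of F_Mirc's output."""
    parsed = mz_size_and_entry(data)
    if parsed is None:
        return "not-mz"
    size, entry = parsed
    # Entry point before the load module or beyond the declared image, or an
    # image that claims more bytes than the file has: the header cannot be trusted.
    if entry < 0 or entry >= size or size > len(data):
        return f"Note: Corrupted MS-DOS Header! Size={size}, EP={entry}"
    return "ok"

def build_mz(size, e_cparhdr=2, e_cs=0, e_ip=0):
    """Constructed test image: an MZ header plus NOP filler up to `size` bytes."""
    e_cp, e_cblp = divmod(size, 512)
    if e_cblp:
        e_cp += 1
    header = MZ_HEADER.pack(b"MZ", e_cblp, e_cp, 0, e_cparhdr, 0, 0xFFFF,
                            0, 0x100, 0, e_ip, e_cs, 0x1C, 0)
    return header.ljust(size, b"\x90")

if __name__ == "__main__":
    print(check_dos_header(build_mz(596)))                     # ok
    print(check_dos_header(build_mz(596, e_cs=1619, e_ip=1)))  # EP outside the image
    print(check_dos_header(b"#!/bin/sh\n"))                    # not-mz
```

A normal PE file passes this check, because its DOS stub has a small, consistent header; the second sample above reproduces the Size=596 / EP=25937 combination from the output example on this page. The check prints plain numbers where F_Mirc uses a thousands separator.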

Return/Error Codes

0       all OK, nothing found
4       One of the signatures files is damaged or the access is denied!
5       viruses found
6       cannot change to directory
7       online help (maybe wrong parameters)
8       file not found, e.g. virscan.*
11..18  DOS/Windows error, please report it to ROSE SWE!
xx      Internal error, please report it to ROSE SWE!

Command line Parameters

Run F_Mirc with the option -? to see all current supported command line arguments!

Notes on parameter usage

Customers familiar with the American or UNIX parameter syntax (minus sign) instead of the slash ( / ) can also use the minus sign ( - ) to start an option. Under Linux the use of the minus sign for command line arguments is mandatory!

Example: -all is equivalent to /ALL

Note
There must be at least one blank between the individual arguments! The arguments are not case sensitive.

The environment variable F_Mirc

Instead of always calling F_Mirc with arguments, F_Mirc can be controlled with a so-called environment variable. For example, enter the following at the DOS prompt:

SET F_Mirc=/cde -log

If you start F_Mirc now, F_Mirc reads all required arguments from the variable. This assumes that the FindMirc binary is named f_mirc.exe

Rollback of preset values

Sometimes it might be desired to reset options that are already set (i.e. set by SET F_Mirc=…). This can simply be done by a minus sign following the option on the command line. With this action the option is switched off.

For example, you have entered the following:

SET F_Mirc=/all

Then start F_Mirc with the following argument:

F_Mirc c: /all-

In this case the command line option overrides the option set by the environment variable! Command line options always override environment options.
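As an added example of the precedence rules described above (illustration code written for this document, not part of FindMirc; the option names in the sample calls come from this page, and the handling of anything else is an assumption), the following Python function merges the options from the F_Mirc environment variable with the command line: '/' and '-' both start an option, names are case-insensitive, a trailing '-' switches an option off again, and the command line always wins.

```python
import os

def parse_token(token):
    """Classify one argument. Returns None for a scan target (path/drive),
    else (name, value, enabled): '/' and '-' both start an option, the name is
    case-insensitive, 'name=value' carries a value, and a trailing '-' on the
    name is the rollback that switches the option off."""
    if len(token) < 2 or token[0] not in "/-":
        return None
    name, has_value, value = token[1:].partition("=")
    enabled = not name.endswith("-")
    name = name.rstrip("-").lower()
    return name, (value if has_value else None), enabled

def apply_token(options, token):
    """Fold one token into the options dict; returns False if it was no option."""
    parsed = parse_token(token)
    if parsed is None:
        return False
    name, value, enabled = parsed
    if enabled:
        options[name] = value if value is not None else True
    else:
        options.pop(name, None)      # rollback: option switched off again
    return True

def merge_options(env_value, argv):
    """Return (options, targets). Environment options are read first and the
    command line is applied afterwards, so the command line always wins."""
    options, targets = {}, []
    # The variable is split on blanks: the page notes that the command line
    # engine cannot handle spaces inside a value, so this mirrors that limit.
    for token in (env_value or "").split():
        apply_token(options, token)
    for token in argv:
        if not apply_token(options, token):
            targets.append(token)
    return options, targets

if __name__ == "__main__":
    # Mirrors the example on this page: SET F_Mirc=/all, then F_Mirc c: /all-
    print(merge_options(os.environ.get("F_Mirc", "/all"), ["c:", "/all-"]))
```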

Suggested parameters for virus scanner testing

For testing F_Mirc against other virus scanners we suggest the following options:

F_Mirc directory_to_scan -all -log=vtc_13062004.log -logall -logdel

Note
Long file names in the command line are supported WITHOUT spaces!

Output when F_Mirc found a virus

Tip
Starting with version 7.30 of F_Mirc the output of found malware was changed to the following schema:
/home/.../Koniec.432.A.exact.com  Unknown: Type_FileOpen.D5CA-5769
/home/.../Konkoor.1844.A.exe      Infection: Konkoor.1844.A
/home/.../HTML.Phish.BBR.html     Warning: Generic.JScript.Encrypted!
/home/.../Cracky.596.com          Note: Corrupted MS-DOS Header! Size=596, EP=25.937

  • Unknown = Detected by a heuristic detection module. Chances are high that this could be a new virus!

  • Infection = Detected virus/malware with the name of the malware

  • Warning = Unusual file format or obscure file structure

  • Note = File is damaged
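An added example (not part of FindMirc) of consuming this output from a script, e.g. to summarise a scan run: the sample lines are constructed after the schema above, and the mapping of the worst category onto a return code is an assumption made for the example (the page documents 5 = viruses found and 0 = nothing found, but not which categories count).

```python
import re
from collections import Counter

# Constructed sample of F_Mirc 7.30+ output, modelled on the schema above.
SAMPLE_OUTPUT = """\
/home/.../Koniec.432.A.exact.com  Unknown: Type_FileOpen.D5CA-5769
/home/.../Konkoor.1844.A.exe      Infection: Konkoor.1844.A
/home/.../HTML.Phish.BBR.html     Warning: Generic.JScript.Encrypted!
/home/.../Cracky.596.com          Note: Corrupted MS-DOS Header! Size=596, EP=25.937
Scanning time: 00:00:01
"""

# Least to most serious, so a whole run can be summarised by its worst finding.
CATEGORIES = ("Note", "Warning", "Unknown", "Infection")

# path (non-greedy, so a blank inside a path does not break it), blanks,
# category keyword, colon, free-text detail
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<cat>Note|Warning|Unknown|Infection):\s+(?P<detail>.*)$")

def parse_line(line):
    """Return (path, category, detail) for a finding line, None for anything else."""
    m = LINE_RE.match(line.rstrip())
    return (m.group("path"), m.group("cat"), m.group("detail")) if m else None

def summarise(text):
    """Return (findings, counts per category, worst category or None)."""
    findings = [f for f in map(parse_line, text.splitlines()) if f]
    counts = Counter(cat for _, cat, _ in findings)
    worst = max((cat for _, cat, _ in findings), key=CATEGORIES.index, default=None)
    return findings, counts, worst

def exit_code_for(worst):
    """Assumed mapping onto the documented return codes: 5 = viruses found
    (here: an Infection or a heuristic Unknown), 0 = nothing found."""
    return 5 if worst in ("Unknown", "Infection") else 0

if __name__ == "__main__":
    findings, counts, worst = summarise(SAMPLE_OUTPUT)
    for path, cat, detail in findings:
        print(f"{cat:<9} {path}  ({detail})")
    print(dict(counts), "worst:", worst, "exit code:", exit_code_for(worst))
```

Lines that do not match the four categories (banner, scanning time) are ignored, so the same parser can be pointed at a -log file.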

Speed

The following tests were made on a Pentium MMX 200 PC with Win-NT 4, SP6a

test bed: 6.969 files, (448 MB)

Compiler                Files   Found   Time (seconds)
fpc 1.0.6/win32         6969    337     187
fpc 1.0.6/dos32         6969    337     550
tp 6.0/dos16            6969    337     157  (!)
vpc 2.1/win32           6969    337     176

Included Files

F_Mirc_*.EXE    FindMirc - virus scanner. Win32 console
                version and 32 bit version for DOS (requires a DPMI host).
                Hint: the older FindMirc/16 is protected by HackStop 1.28; if you
                encounter problems executing FindMirc16.EXE, let us know!

F_Mirc.key      License file for FindMirc. FindMirc is free for non commercial
                users. If you want to use FindMirc in a commercial environment,
                please send an email and we will provide you a personal key file
                for 10 Euro.

VIRSCAN.WSM     Signature database to detect VBS/JS viruses (Windows Scripting Malware)
VIRSCAN.IRC     Signature database to detect Batch/ISS/IRC-Worm viruses
VIRSCAN.TRJ     Signature database to detect Trojans, viruses, Backdoor and malware

LINUX\          Ported version for Linux
SRC4LINUX\      Source (and if included object code) for Linux


CONTRIB\
MAKEWORM.BAT    Creates WormList.TXT
WORMLIST.TXT    Sorted and unified list of script worms and malware known to
                FindMirc (not complete)


  --------------------------------------------------------------------------
  Files included in older releases - we skipped them in the latest releases
  --------------------------------------------------------------------------

RHBVS.LOG       Log (with full name) of the tested samples (for reference).
                Same output as FindMirc - may be missing, to save some
                space!


\RFW\
FindMirc.DAT    Files for RFW (ROSE FILE WEEDER), containing checksums of
FindMirc.LST    the current samples we have tested.
                -> RFW c:\mydir -base=FindMirc.dat -all -log   [-del -whatever]

mIRC-worms.html  A short description of script worms in HTML (deprecated)

History

 _   _ _     _
| | | (_)___| |_ ___  _ __ _   _
| |_| | / __| __/ _ \| '__| | | |
|  _  | \__ \ || (_) | |  | |_| |
|_| |_|_|___/\__\___/|_|   \__, |
                           |___/

In chronological order

19.09.2020      7.32    Added detection for 2.400 viruses. Fixed a few false positives
07.09.2020      7.30    Added detection for 1.100 viruses. Added four new
                        heuristic modules. Found viruses are now logged
                        differently (see above).
                        Added the option -csv to create a comma separated values
                        file "f_mirc.csv".
01.09.2020      7.20    Added detection for 8.200 viruses. Small updates.
06.05.2020      7.19    Added detection for 2.300 viruses. 7.18 = internal release
28.03.2020      7.17    Added detection for 2.100 viruses. Small updates.
04.12.2019      7.16    Added detection for 3.800 viruses. Small updates.
19.08.2019      7.15    Added detection for 1.700 viruses
08.05.2019      7.14    Added detection for 1.000 viruses.
28.03.2019      7.13    Added detection for 3.000 viruses.
25.03.2019      7.12    Added new viruses. Small enhancements.
27.11.2018      7.11    Added 6.000 viruses!
20.09.2018      7.10    Added 24.000 viruses!
24.08.2018      7.06    Added around 1000 viruses. Small enhancements.
20.04.2018      7.05    Added +3500 viruses
17.04.2018      7.04    Added +1400 viruses. Released.
24.03.2018      7.03    Released.
10.02.2018      7.02    Added hundreds of new viruses.
17.12.2017      7.01    Added ~ 13.000 viruses.
29.11.2017      7.00    Added ~ 35.000 viruses. The format of the Trojan
                        database changed and isn't compatible with pre 7.00
                        versions anymore.

27.11.2017      6.54    New viruses added. Public release.
07.09.2017      6.53    Added 3951 viruses. Public release.
16.05.2017      6.52    New viruses (also 332 WannaCry variants) added!
16.02.2017      6.50    New viruses (+3400)
08.04.2016      6.46    New viruses.
27.12.2015      6.45    Updates, new viruses.
21.01.2015      6.44    Updates, new viruses etc.
20.12.2013      6.42    New viruses added. Added a heuristic for generic
                        encrypted JavaScript viruses. Expect false positives.
23.10.2013      6.41    viruses added. Enhancements for the Linux64 version
03.03.2013      6.40    +8000 viruses, enhancements, changed home page URL
                6.3x    internal versions, +3000 viruses
19.11.2012      6.28    +7000 viruses, small enhancements e.g. logfile
04.11.2012      6.25    +2100 viruses, small enhancements.
28.05.2011      6.24    +200 viruses, small enhancements.
03.02.2011      6.23    viruses added. Run-time error fixed. Fixes for logfile
                        under Linux.
16.04.2010      6.22    +333 viruses added.
13.04.2010      6.21    +680 viruses added.
04.04.2010      6.20    +300 viruses added. Added an icon to the exe file.
14.03.2010      6.18    Maintenance release. ++1000 viruses added.
20.10.2009      6.16    Maintenance release.
03.04.2009      6.15    Bug fixes and enhancements, scanning speed up.
18.11.2008      6.13    Bug fixes. Enhancements. New viruses added. Dox
                        updated, etc.
11.09.2006      6.12    Updated F_Mirc against current ITW list.
                        Key file changes (.key = keyfile, .ini = settings)
17.11.2005      6.11    Virus database updated.
20.03.2005      6.10    Database format changed. New viruses added.
25.11.2004      6.03    Small enhancements, new viruses
16.09.2004      6.02    Additional "Suspect" warning is issued when F_Mirc
                        had found a virus in a non executable file.
                        Scanning time is now displayed in hh:mm:ss format.
07-08.2004      6.00    Complete redesign of the scanning engines.

13.06.2004      5.72    Added 430 new viruses. Fixed a few bugs in the VBS, IRC
                        and Batch virus detection engine.
11.05.2004      5.70    Added around 400 new viruses.
10.02.2004      5.61    Pressing Escape to stop scanning should now work
                        from "everywhere". Added around 120 new viruses.
20.01.2004      5.58    Fixed -log= & -logall bug. Fixed wrong -file= comment
11.01.2004      5.57    beta releases
09.09.2003      5.56    beta releases for testers. 714 viruses added!
                 ::
06.09.2003      5.50    Ported ten engines to Linux and included them into
                        FindMirc. Changed option -h to -help. Added option
                        -HEUR to enable heuristic mode scanning.
03.09.2003      5.02    31+44 new viruses
12.08.2003      5.01    49 new viruses, especially IWorm.LovSan/MSBlaster
11.08.2003      5.00    added AVR_Mini, AVR_boot, AVR-CryptCom, AVR_FamR,
                        AVR_CallNull etc. to detect small DOS+boot viruses

10.08.2003      4.53    194 new viruses, small enhancements and bug fixes
05.08.2003      4.52    150 new viruses, added Compiler+OS detection unit
23.07.2003      4.51    Bug fixes and new option -logdel
16.07.2003      4.50    Trojan scan engine added
08.07.2003      4.10
27.02.2003      4.00

17.03.2002      2.51
21.04.2002      2.21
11.03.2002      2.11    Linux port
18.01.2001      2.00    Win32 port

Some Scan Tests

Done on my F_Prot collection (no dupes/unique viruses)

f_mirc . -all -log
Version                 Files//Detected
5.50-248                53.262//26.538         (49.8%) ----|
5.50-251/-HEUR          53.262//36.684         (68.9%)     |
5.56beta-270            53.262//27.252         (51.2%) <---/  + 714
5.72                    37.650//19.449         (51.7%)

©opyright by ROSE SWE (ALL RIGHTS RESERVED!)

__________ ________    ____________________   ___________      _____________
\______   \\_____  \  /   _____/\_   _____/  /   _____/  \    /  \_   _____/
 |       _/ /   |   \ \_____  \  |    __)_   \_____  \\   \/\/   /|    __)_
 |    |   \/    |    \/        \ |        \  /        \\        / |        \
 |____|_  /\_______  /_______  //_______  / /_______  / \__/\  / /_______  /
        \/         \/        \/         \/          \/       \/          \/
-------------------------------------=-----------------------------------
    ROSE SWE                           See ROSEBBS.TXT for
    Dipl.-Ing. Ralph Roth              full address, FAX and PGP keys.
    http://rose.rult.at
    rose_swe@hotmail.com               All Rights Reserved!
-------------------------------------=-----------------------------------

Credits

In alphabetical order

Alex Pettinger
Andreas Haak
Andreas Marx
Florian Eichelberger
Joe Hartmann
Joerg Adinghoff
Patrick Jansen
Terry Toh
tbb (the Byte Bandit)

you?

Computer Viruses and Malware - A Short Overview

A computer virus is a piece of code (software) that is installed on a computer either by a hacker, by another compromised computer (replication), malicious attachments/mails or a website (drive-by infection). It performs functions that the computer owner does not authorize and does not want.

Viruses are sometimes also referred to as malware. This is usually where they have adverse effects on the computer user, such as logging each keystroke (through a keylogger), audio recording or snapshots of each screen.

Such infection can lead to identity theft, endangerment of bank or purchase card data or loss of confidential data. It is more likely to occur on home computers that are normally not as security managed as corporate computers.

Malware

Malware, or malicious software, is a generic term for a variety of malicious or intrusive software, including computer viruses, worms, Trojans, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software. Malware is defined by its malicious intent, which goes against the wishes of the computer user - and therefore does not include software that causes unintentional damage due to a defect.

Programs officially delivered by companies can be considered malware if they secretly violate the interests of the computer user.

(Computer) Virus

A computer virus is a type of malicious software program ("malware") that, when executed, replicates itself by modifying other computer programs and appending or inserting its own code. When this replication succeeds, the affected programs are then said to be "infected" with a computer virus.

The term "virus" is also commonly, but erroneously, used to refer to other types of malware. "Malware" encompasses computer viruses along with many other forms of malicious software, such as computer "worms", ransomware, spyware, adware, Trojan horses, keyloggers, rootkits, bootkits, malicious Browser Helper Objects (BHOs) and other malicious software. The majority of active malware threats are actually Trojan horse programs or computer worms rather than classic computer viruses.

(Computer) Boot Virus

Boot viruses are the oldest known computer viruses. These viruses were the most common form of viruses until 1995 but are now extinct: nowadays there are almost no boot sector viruses anymore, because BIOS and operating systems usually have well-functioning software or hardware protection.

A boot virus is a computer virus that becomes active when the computer starts (boots), before the operating system (DOS, Linux or Windows) is fully loaded. Boot sector viruses exploit the fact that the boot sector is always loaded first. On floppy disks the virus sits at least partially in the boot sector, so that even floppy disks that do not contain any files can be infected. On hard disks the virus infects the master boot record (MBR) or the logical boot sector.

A boot sector virus infects the boot sector of floppy disks and the master boot record (MBR) of a hard disk. The boot sector is the first physical part of a floppy disk and one sector (512 bytes). The boot sector is used by boot floppies to boot from the floppy disk. If a user wants to boot from an infected boot floppy or forgets an infected floppy disk in the floppy drive when the computer starts, the BIOS accesses this sector and executes it with the appropriate BIOS boot setting. The virus then attempts to infect the MBR of the hard disk each time the computer starts. When an infected computer starts, the MBR, which is normally responsible for recognizing the different partitions on the hard disk, is loaded. The now loaded virus remains in memory and monitors access to floppies. When a diskette is inserted into a computer infected with a boot sector virus, the virus infects the boot sector of the diskette.

Known boot viruses are the Form virus, Parity Boot and Boot-437.

Multipartite Virus

A multipartite virus is a computer virus that infects and spreads in multiple ways. The term was introduced to describe the first viruses that included DOS executable files and PC BIOS boot sector virus code, where both parts are viral themselves. Prior to the discovery of the first of these, viruses were categorized as either file infectors or boot infectors. Because of the multiple vectors for the spread of infection, these viruses could spread faster than a boot or file infector alone.

Trojan horses

A Trojan horse is a program that does something undocumented which the programmer intended, but that users would not accept if they knew about it. By some definitions, a virus is a particular case of a Trojan horse, namely, one which is able to spread to other programs (i.e., it turns them into Trojans too). According to others, a virus that does not do any deliberate damage (other than merely replicating) is not a Trojan. Finally, despite the definitions, many people use the term "Trojan" to refer only to a non-replicating malicious program.

Ransomware

Ransomware is a particularly invasive form of malware that takes a victim's data or device and holds it hostage (or displays bogus claims of illegal activity, porn usage or suggests that a system is already infected with viruses) until a sum of money is handed over in order to secure its release. Ransomware has existed since around 1989, in the form of the "DOS-AIDS" Trojan (aka PC Cyborg), which encrypted files on a hard drive and then demanded a payment of $189 to unlock them again. In the last few years ransomware has become a significant and global threat.

Malicious Mining Software (Crypto-Miner)

Starting in 2018, malware authors are increasingly relying on malicious mining software. This year, for the first time, there have been more infections of this type than with ransomware. More and more online criminals seem to turn their backs on ransomware and rely on crypto-miners. They secretly mine crypto currency on infected computers - Monero is particularly popular. This is obviously extremely lucrative, as the latest figures show.

Reasons for the turnaround? If ransomware or a Trojan strikes and encrypts a victim's data, the victim usually has to pay a ransom in the form of bitcoins. This is an obstacle that not every victim can or will overcome. A crypto-miner, on the other hand, only needs to infect computers. Afterwards it mines in secret, without needing anything from the victim, and silently makes sure that it brings its authors big profits - and not small ones, when you look at the exploding prices of different crypto currencies.

Scam

Any means of cheating or misleading a person and gaining their trust or receiving information to which the cheater is not entitled.

Spyware

Spyware is a type of computer virus that hides on your computer or mobile device, records your private data and sends that information back to whoever created it or monitors it. The tricky thing about spyware, and what separates it from the growing threat of ransomware, is the fact that spyware is designed to both install discreetly and operate silently in the background.

Backdoors

A point of access to a hidden program/system. Backdoors are usually intentionally created by a programmer for debugging or maintenance purposes, but if compromised they pose a security risk, giving unauthorized users or software access and allowing them to cause damage. Malware often installs backdoors on compromised systems!

Botnets

A bot is a program that runs automated tasks over the Internet. Botnets are collections of bots that run autonomously and automatically. Typically they perform repetitive tasks at a much higher rate than a human is capable of. They can be used for malicious purposes, such as denial of service attacks or infecting other computers. An infected computer is called a bot or zombie.

Macro viruses

A macro is a piece of code that can be embedded in a data file. A macro virus is thus a virus that exists as a macro attached to a data file. In most respects, macro viruses are like all other viruses. The main difference is that they are attached to data files (i.e., documents) rather than executable programs. Document-based viruses are, and will likely continue to be, more prevalent than any other type of virus.

Worms

Worms are very similar to viruses in that they are computer programs that replicate functional copies of themselves (usually to other computer systems via network connections) and often, but not always, contain some functionality that will interfere with the normal use of a computer or a program. Unlike viruses, however, worms exist as separate entities; they do not attach themselves to other files or programs. Because of their similarity to viruses, worms also are often referred to as viruses.

Stealth viruses

What is a stealth virus? A stealth virus is one that, while active, hides the modifications it has made to files or boot records. It usually achieves this by monitoring the system functions used to read files or sectors from storage media and forging the results of calls to such functions. This means that programs that try to read infected files or sectors see the original, uninfected form instead of the actual, infected form. Thus the virus’s modifications may go undetected by antivirus programs. However, in order to do this, the virus must be resident in memory when the antivirus program is executed, and the antivirus program may be able to detect its presence.

The very first DOS virus, Brain, a boot-sector infector, for example monitored physical disk input/output and redirected any attempt to read a Brain-infected boot sector to the disk area where the original boot sector was stored.

File stealth viruses

In addition to hiding the boot information, DOS file stealth viruses attack .com and .exe files when opened or copied, and hide the file size changes from the DIR command. The major problem arises when you try to use the CHKDSK/F command and there appears to be a difference in the reported file size and the apparent size. CHKDSK assumes this is the result of some cross-linked files and attempts to repair the damage. The result is the destruction of the files involved.

Full stealth viruses

With a full stealth virus, all normal calls to file locations are cached, while the virus subtracts its own length so that the system appears clean.

Countermeasures against Stealth Viruses?

You need a clean system so that no virus is present to distort the results of system status checks. Thus you should start the system from a trusted, clean, bootable diskette before you attempt any virus checking.

Encryption

One method of evading malware detection is to use simple encryption to encipher (encode) the body of the malware, leaving only the encryption module and a static cryptographic key in cleartext which does not change from one infection to the next.

What is a polymorphic virus?

A polymorphic virus is one that produces varied but operational copies of itself. This strategy assumes that virus scanners will not be able to detect all instances of the virus. One method of evading scan-string driven virus detectors is self-encryption with a variable key. Polymorphic code was the first technique that posed a serious threat to virus scanners.

More sophisticated polymorphic viruses (e.g., V2P6) vary the sequences of instructions in their variants by interspersing the decryption instructions with "noise" instructions (e.g., a No OPeration instruction (NOP), or an instruction to load a currently unused register with an arbitrary value), by interchanging mutually independent instructions, or even by using various instruction sequences with identical net effects (e.g., Subtract A from A, and Move 0 to A). A simple-minded, scan-string based virus scanner would not be able to reliably identify all variants of this sort of virus; in this case, a sophisticated scanning engine has to be constructed after thorough research into the particular virus.

One of the most sophisticated forms of polymorphism used so far is the Mutation Engine (MtE) or the Trident Polymorph Engine (TPE), which comes in the form of an object module. With such mutation engines, any virus can be made polymorphic by adding certain calls to its assembler source code and linking to the mutation-engine and random-number generator modules.

The advent of polymorphic viruses has rendered virus scanning an increasingly difficult and expensive endeavor; adding more and more search strings to simple scanners will not adequately deal with these viruses.
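As an added illustration of why the static-key case of the "Encryption" section and the variable-key case of this section differ for a scanner (this is example code written for this document, not FindMirc's engine, and the "body" is a constructed text stand-in, not virus code): with a static key the enciphered body is identical in every copy, so a scan string can simply be taken from the enciphered bytes; with a variable key that scan string fails, and the scanner has to try every key and look for the scan string in the result ("X-raying"), which xray_scan does below for single-byte XOR and ADD enciphering.

```python
# Constructed stand-in for a malware body (plain text, not real virus code).
# The scanner's scan string is taken from the *decrypted* body.
PLAIN_BODY = b"--constructed sample body-- TYPE_X_FILEOPEN_ROUTINE --end--"
SCAN_STRING = b"TYPE_X_FILEOPEN_ROUTINE"

def xor_bytes(data, key):
    """Byte-wise XOR with a one byte key (its own inverse)."""
    return bytes(b ^ key for b in data)

def add_bytes(data, key):
    """Byte-wise ADD key mod 256 (enciphering side)."""
    return bytes((b + key) & 0xFF for b in data)

def sub_bytes(data, key):
    """Inverse of add_bytes (deciphering side)."""
    return bytes((b - key) & 0xFF for b in data)

def infected_copy(body, key, encipher):
    """Constructed 'infection': a fixed decryptor stub followed by the
    enciphered body. Only the key (and thus the body) varies between copies."""
    return b"DECRYPTOR-STUB" + encipher(body, key)

def static_scan(data, scan_string):
    """Classic scan-string matching: no decryption at all."""
    return scan_string in data

# Decoders the X-ray step knows how to undo: name -> decipher(data, key)
DECODERS = {"xor": xor_bytes, "sub": sub_bytes}

def xray_scan(data, scan_string, decoders=DECODERS):
    """Try every one byte key of every known decoder and look for the scan
    string in the deciphered buffer. Returns (decoder name, key) or None."""
    for name, decipher in decoders.items():
        for key in range(256):
            if scan_string in decipher(data, key):
                return name, key
    return None

if __name__ == "__main__":
    # Static key ("Encryption" section): every copy looks the same, so the scan
    # string can simply be taken from the enciphered bytes.
    static_sig = xor_bytes(SCAN_STRING, 0x5A)
    print(static_scan(infected_copy(PLAIN_BODY, 0x5A, xor_bytes), static_sig))   # True
    # Variable key (this section): that signature no longer matches ...
    varied = infected_copy(PLAIN_BODY, 0x33, xor_bytes)
    print(static_scan(varied, static_sig))                                        # False
    # ... but X-raying the buffer recovers the key and exposes the body.
    print(xray_scan(varied, SCAN_STRING))                                         # ('xor', 51)
    print(xray_scan(infected_copy(PLAIN_BODY, 0x10, add_bytes), SCAN_STRING))     # ('sub', 16)
```

The cost of the X-ray step grows with the number of decoders times the key space, which is the "increasingly difficult and expensive" part of the paragraph above: a mutation engine that also reorders or pads the decryptor does not change the enciphered body, but one that switches to a cipher the scanner has no decoder for defeats this approach until a decoder for it is added.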

What is an armored virus?

Armored viruses use special tricks to make the tracing, disassembling, and understanding of their code more difficult. A good example is the Whale virus.

What is Phishing/Vishing?

Phishing is when a 3rd party tricks a user into giving away information in an email or by a phone call (vishing).

Some viruses that were very widespread

Cascade

The Cascade virus (also known as Herbstlaub in Germany) is a prominent DOS computer virus that is a memory resident virus written in assembly language. Cascade was widespread in the 1980s and early 1990s. It infected DOS .COM files and had the effect of making text on the screen cascade down and form a heap at the bottom of the screen. It was notable for using an encryption algorithm to avoid being detected. However, one could see that infected files had their size increased by 1701 or 1704 bytes. In response, IBM developed its own antivirus software.

The virus has a number of variants. Cascade-17Y4, which is reported to have originated in Yugoslavia, is almost identical to the most common 1704 byte variant. One byte has been changed, probably due to a random "mutation". This, however, has resulted in a "bug" in the virus. Another mutated variant is also known - it infects the same file over and over.

Jerusalem

Jerusalem is a DOS virus first detected in Jerusalem, in October 1987. On infection, the Jerusalem virus becomes memory resident (using 2kb of memory), and then infects every executable file run, except for COMMAND.COM. COM files grow by 1,813 bytes when infected by Jerusalem and are not re-infected. .EXE files grow by 1,808 to 1,823 bytes each time they are infected. The virus re-infects .EXE files each time the files are loaded until they are too large to load into memory. Some .EXE files are infected but do not grow because several overlays follow the genuine .EXE file in the same file. Sometimes .EXE files are incorrectly infected, causing the program to fail to run as soon as it is executed.

The virus code itself hooks into interrupt processing and other low level DOS services. For example, code in the virus suppresses the printing of console messages if, for example, the virus is not able to infect a file on a read-only device such as a floppy disk. One of the clues that a computer is infected is the mis-capitalization of the well-known message "Bad command or file name" as "Bad Command or file name".

The program contains one destructive payload that is set to go off on Friday the 13th, all years but not in 1987. On that date, the virus deletes every program file that was executed. Jerusalem is also known as BlackBox because of a black box it displays during the payload sequence. If the system is in text mode, Jerusalem creates a small black rectangle from row 5, column 5 to row 16, column 16. The rectangle is scrolled up by two lines.

As a result of the virus hooking into the low-level timer interrupt, PC-XT systems slow down to one fifth of their normal speeds 30 minutes after the virus has installed itself. The slowdown is less noticeable on faster machines. The virus contains code that enters a processing loop each time the processor’s timer tick is activated.

Symptoms also include spontaneous disconnection of workstations from networks and creation of large printer spooling files. Disconnections occur since Jerusalem uses the interrupt 21h low-level DOS functions that Novell Netware and other networking implementations required to hook into the file system.

Jerusalem was initially very common (for a virus of the day) and spawned a large number of variants. However, since the advent of Windows, these DOS interrupts are no longer used, so Jerusalem and its variants have become obsolete.

/* End of Document */