USTC.7680
Description USTC.7680
It is a very dangerous memory-resident multipartite polymorphic virus. The virus infects the MBR of the hard drive and writes itself to the end of COM and EXE files. It is encrypted not only in files and in the MBR, but in system memory as well: most of the virus's routines stay encrypted, and the virus decrypts each one only when it is needed, executes it and encrypts it again.

While infecting the MBR the virus saves the original MBR sector to the 16th sector of the first disk track and writes its main code from the MBR sector up to the 15th sector of the first track. While infecting files the virus writes several blocks of junk code into the middle of the file, much as the "OneHalf" multipartite virus does, but the polymorphic engine of "USTC" is more complex. The junk code also contains anti-debugging tricks.

When an infected file is executed, the virus decrypts its code, infects the MBR of the hard drive, hooks INT 13h and INT 21h and stays memory resident. When loaded from an infected MBR the virus hooks INT 8 and INT 13h, waits for some time (until DOS has finished installing itself), then releases INT 8 and hooks INT 21h. Through the INT 13h hook the virus implements its stealth routine, which hides the virus code on the first track. Through the INT 21h hook the virus intercepts files that are copied or modified and infects them, i.e. it infects new files, or files whose data or code have just been changed. As a result the virus fools anti-virus CRC checkers: the file has legitimately changed, so the checker accepts the new checksum, and the infection arrives in the same write.

The virus has a bug: it does not check the file name extension, only the internal file format, so it infects not only COM and EXE files but also data files. Depending on its internal counter the virus pauses booting from an infected MBR and waits for "CAPSL" input. The virus contains the text string:

3.0 1996.10 USTC
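The first-track layout described above (virus body in sectors 1 to 15, original MBR parked in sector 16) is something a responder can check directly on a raw disk image. The following scanner is an added example, not code from the page or from the virus: it assumes 512-byte sectors and 1-based CHS sector numbering (sector 16 is LBA 15), flags an image whose 16th sector carries a boot signature and partition table, and returns that saved sector as the recovery copy of the MBR. The two disk images it scans are constructed inline; the "virus" bytes in them are filler, not real code.

```python
"""Scan the first track of a raw disk image for the USTC.7680 layout:
virus code in sectors 1-15 of track 0, original MBR copied to sector 16.

Added example, not code from the page. Assumes 512-byte sectors and
1-based CHS sector numbers (sector 1 = LBA 0, sector 16 = LBA 15).
"""
import struct

SECTOR = 512
ORIG_MBR_LBA = 15          # "16th sector on the first disk track", 1-based
BOOT_SIG = b"\x55\xAA"
USTC_MARK = b"USTC"        # tail of the string "3.0 1996.10 USTC"


def looks_like_mbr(sector: bytes) -> bool:
    """True if the sector ends in 55AA and has at least one plausible
    partition entry (boot flag 0x00 or 0x80, nonzero partition type)."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        boot_flag, ptype = entry[0], entry[4]
        if boot_flag in (0x00, 0x80) and ptype != 0:
            return True
    return False


def scan_first_track(image: bytes) -> dict:
    """Report the indicators for the first 16 sectors of an image."""
    track = image[: 16 * SECTOR]
    sector1 = track[:SECTOR]
    sector16 = track[ORIG_MBR_LBA * SECTOR: (ORIG_MBR_LBA + 1) * SECTOR]
    return {
        "mbr_valid": looks_like_mbr(sector1),
        "saved_mbr_at_sector16": looks_like_mbr(sector16),
        # The description says the virus is encrypted on disk, so the
        # plaintext marker is only a weak, secondary indicator.
        "plaintext_marker": USTC_MARK in track[: ORIG_MBR_LBA * SECTOR],
    }


def is_ustc_layout(image: bytes) -> bool:
    """A clean disk has no reason to carry a second MBR in sector 16."""
    return scan_first_track(image)["saved_mbr_at_sector16"]


def recover_original_mbr(image: bytes) -> bytes:
    """Return the MBR the virus parked in sector 16; writing it back over
    sector 1 is the cleaning step the description implies."""
    if not is_ustc_layout(image):
        raise ValueError("no saved MBR found at sector 16")
    return image[ORIG_MBR_LBA * SECTOR: (ORIG_MBR_LBA + 1) * SECTOR]


def make_mbr(code: bytes) -> bytes:
    """Constructed sample MBR: boot code plus one active FAT16 entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06,
                        b"\xFE\x3F\x0F", 63, 32000)
    return code.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIG


def build_sample_images() -> tuple:
    """Constructed images, 32 sectors each: a clean disk and one laid
    out as the description says. The virus bytes are filler."""
    original = make_mbr(b"\xEB\x3C\x90 clean boot code")
    filler = bytes(range(256)) * 2                   # one 512-byte sector
    clean = original + filler * 15 + b"\x00" * SECTOR * 16
    virus_mbr = make_mbr(b"\xFA\x33\xC0 infected loader")
    infected = virus_mbr + filler * 14 + original + b"\x00" * SECTOR * 16
    return clean, infected


if __name__ == "__main__":
    clean, infected = build_sample_images()
    print("clean   :", scan_first_track(clean))
    print("infected:", scan_first_track(infected))
```

On a live machine the stealth INT 13h hook hides exactly these sectors, so the check only means anything when run against an image taken after a clean boot or read through a different driver path.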
Linux.Rike.1627
Description Linux.Rike.1627
Rike is a non-dangerous, non-memory-resident parasitic virus. It searches for Linux executable files in the current directory and writes itself into the middle of each file. Its size is 1627 bytes and it is written in assembler. The Rike virus uses low-level Linux functions when working with files: system calls issued through INT 80h. While infecting a file the virus scans the sections of type SHT_PROGBITS, increases the size of the last such section and writes itself into the space so gained. Next, the virus inserts a jump instruction at the entry point address. The virus writes its label into the ELF header; the label is the string "RIKE".
Linux.RST
Description Linux.RST
This text was written by Costin Raiu, Kaspersky Labs, Romania.

This is a Linux virus that also implements several backdoor facilities, allowing an attacker to take control of an infected system if the virus has been executed under an account with root privileges. The virus infects all Linux binary executables in the current directory and in the /bin directory, and listens on the first Ethernet interface, 'eth0', and on the first PPP interface, 'ppp0', for special packets sent using the EGP protocol. Whenever such a special packet arrives, the virus gives the attacker control of the system through a root shell. The virus also attempts to create two new devices in the /dev directory, named "/dev/hdx1" and "/dev/hdx2", and tries to access a web page on the ns1.xoasis.com web server.

Technical details:

The viral part works by attaching itself to ordinary ELF executables, patching their header and moving the entry point to the viral code. At the same time, the virus relocates all data found after the original host code to the end of its own code. It is interesting to note that the virus also performs an anti-debugging check to see whether the current process is being 'ptrace'-ed; if so, it terminates immediately. If not, the virus looks for all files in the current directory and attempts to infect them. After that it also attempts to infect all files in the '/bin' directory, which under normal conditions only works if the infected program has been run under an account with sufficient privileges. There is no attempt in the viral code to exploit any Linux vulnerability in order to obtain higher access when the virus is run from a normal user account.
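Both ELF infectors on this page leave header-level traces: Rike writes a "RIKE" label into the ELF header and patches a jump in at the entry point that lands in the grown last SHT_PROGBITS section, while RST moves the entry point itself into code appended after the host. The scanner below is an added example that serves both descriptions; it is not code from the page or from either virus. It parses a little-endian ELF64 image through its section headers and reports three heuristics. Assumptions not fixed by the page: the "RIKE" label is looked for anywhere in the 64-byte file header (the sample puts it in the e_ident padding), the patched jump is an x86 JMP rel32, and RST is modelled as leaving the section headers untouched, so its new entry point falls outside every section. The three sample binaries are constructed inline and are not real infected files.

```python
"""Static checks for the ELF infection patterns in the Rike and RST
descriptions. Added example, not the page's or the viruses' code.
Reads a minimal little-endian ELF64 image via its section headers;
sample binaries are constructed below and are not real infected files.
"""
import struct

SHT_PROGBITS, SHT_STRTAB = 1, 3
SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 file header, 64 bytes
SHDR = "<IIQQQQIIQQ"         # ELF64 section header, 64 bytes


def parse_sections(elf: bytes) -> list:
    """Return [(name, type, flags, vaddr, file_offset, size)] per section."""
    h = struct.unpack_from(EHDR, elf, 0)
    ident, shoff, shentsize, shnum, shstrndx = h[0], h[6], h[11], h[12], h[13]
    if ident[:4] != b"\x7fELF" or ident[4] != 2:
        raise ValueError("not an ELF64 image")
    hdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                       # .shstrtab file offset

    def name(idx):
        return elf[strtab + idx:elf.index(b"\x00", strtab + idx)].decode()

    return [(name(s[0]), s[1], s[2], s[3], s[4], s[5]) for s in hdrs]


def section_at(sections, vaddr):
    """The SHT_PROGBITS section whose address range contains vaddr."""
    for s in sections:
        if s[1] == SHT_PROGBITS and s[3] <= vaddr < s[3] + s[5]:
            return s
    return None


def scan_elf(elf: bytes) -> dict:
    """Three heuristic indicators: the label in the header, an entry point
    not inside .text, and a JMP rel32 at the entry into another section."""
    secs = parse_sections(elf)
    entry = struct.unpack_from(EHDR, elf, 0)[4]
    home = section_at(secs, entry)
    found = {
        "rike_label_in_header": b"RIKE" in elf[:64],
        "entry_outside_text": home is None or home[0] != ".text",
        "entry_jumps_to_other_section": False,
    }
    if home is not None:
        off = home[4] + (entry - home[3])            # file offset of the entry
        if elf[off] == 0xE9:                         # x86 JMP rel32 (assumed form)
            rel = struct.unpack_from("<i", elf, off + 1)[0]
            target = section_at(secs, entry + 5 + rel)
            found["entry_jumps_to_other_section"] = target is not None and target != home
    return found


def suspicious(elf: bytes) -> bool:
    return any(scan_elf(elf).values())


# --- constructed samples ---------------------------------------------------
def build_elf(sections, entry, ident_pad=b"\x00" * 7) -> bytes:
    """Constructed ELF64 writer: sections = [(name, flags, vaddr, data)],
    all SHT_PROGBITS, no program headers (enough for section-level scans)."""
    names = b"\x00" + b"".join(n.encode() + b"\x00" for n, _, _, _ in sections) + b".shstrtab\x00"
    body, shdrs, off, name_off = b"", [], 64, 1
    for n, flags, vaddr, data in sections:
        shdrs.append(struct.pack(SHDR, name_off, SHT_PROGBITS, flags, vaddr, off, len(data), 0, 0, 1, 0))
        body, off, name_off = body + data, off + len(data), name_off + len(n) + 1
    shdrs.append(struct.pack(SHDR, name_off, SHT_STRTAB, 0, 0, off, len(names), 0, 0, 1, 0))
    shoff = off + len(names)
    ident = b"\x7fELF\x02\x01\x01\x00\x00" + ident_pad       # pad = e_ident[9:16]
    hdr = struct.pack(EHDR, ident, 2, 0x3E, 1, entry, 0, shoff, 0, 64, 0, 0, 64,
                      len(shdrs) + 1, len(shdrs))
    return hdr + body + names + b"\x00" * 64 + b"".join(shdrs)   # null section first


HOST_CODE = b"\x48\x31\xC0\xC3"          # xor rax,rax ; ret
VIRUS_BODY = b"\x90" * 16                # stand-in for viral code
TEXT, DATA = 0x401000, 0x402000


def sample_clean() -> bytes:
    return build_elf([(".text", SHF_ALLOC | SHF_EXECINSTR, TEXT, HOST_CODE),
                      (".data", SHF_ALLOC, DATA, b"hello\x00")], entry=TEXT)


def sample_rike() -> bytes:
    """Label in the header, last section grown by the body, JMP at entry."""
    target = DATA + 6                                 # first byte of appended code
    jmp = b"\xE9" + struct.pack("<i", target - (TEXT + 5))
    return build_elf([(".text", SHF_ALLOC | SHF_EXECINSTR, TEXT, jmp + HOST_CODE),
                      (".data", SHF_ALLOC, DATA, b"hello\x00" + VIRUS_BODY)],
                     entry=TEXT, ident_pad=b"RIKE\x00\x00\x00")


def sample_rst() -> bytes:
    """Entry moved just past the host code; section headers left as they were,
    so no section covers the new entry (the virus bytes themselves are omitted)."""
    return build_elf([(".text", SHF_ALLOC | SHF_EXECINSTR, TEXT, HOST_CODE),
                      (".data", SHF_ALLOC, DATA, b"hello\x00")],
                     entry=TEXT + len(HOST_CODE))


if __name__ == "__main__":
    for label, fn in (("clean", sample_clean), ("rike", sample_rike), ("rst", sample_rst)):
        print(label, scan_elf(fn()))
```

Each indicator on its own is weak (stripped binaries have no .text name to match, and packers also redirect the entry point), so treat a hit as a reason to look at the file, not as a verdict.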
The backdoor part of the virus attempts to create two new devices named "/dev/hdx1" and "/dev/hdx2" and, if the creation succeeds, checks for the existence of the two standard network interfaces 'eth0' and 'ppp0' and attempts to put them into promiscuous mode. It also attempts to create an Exterior Gateway Protocol (EGP) raw socket and put it into listening mode. When a special EGP IP packet arrives, the virus checks whether the 23rd byte of the packet is 0x11, then checks for the presence of a specific password, a 3-byte string at offset 0x2a in the buffer. If both conditions are met, the backdoor checks a "command" byte, which is either 1 or 2; if the command byte is 1, it spawns a standard "/bin/sh" shell, which the attacker can then control on the remote system. Two strings can be seen inside the virus but are not used anywhere in the code: "snortdos" and "tory".
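The trigger conditions above are concrete enough to match on the wire. The code below is an added example, not the virus's code: it parses a raw IPv4 buffer, applies the checks in the order the description gives them, and also builds a packet that satisfies them, so the attacker side and the detection side can be seen together. Assumptions the page does not settle are stated in the code: offsets count from the start of the buffer a Linux raw socket returns (IP header included), "23rd byte" is read as 1-based (index 22), the command byte is taken to follow the password directly at 0x2d, and the 3-byte password is whatever the caller passes in, since the page does not give it. The sample packets are constructed inline.

```python
"""Recognise the Linux.RST trigger: an EGP (IP protocol 8) packet whose
23rd byte is 0x11, carrying a 3-byte password at offset 0x2a and a
command byte (1 = spawn /bin/sh, 2 = the other documented command).

Added example, not the virus's code. Assumptions: offsets are from the
start of the raw-socket buffer (IP header included); "23rd byte" is
1-based, so index 22; the command byte directly follows the password
(offset 0x2d, not given on the page); the password is caller-supplied.
"""
import struct
from typing import Optional

IPPROTO_EGP = 8
MAGIC_OFFSET, MAGIC = 22, 0x11        # "23rd byte ... is 0x11"
PASSWORD_OFFSET = 0x2A                # "3-byte string at the offset 0x2a"
CMD_OFFSET = PASSWORD_OFFSET + 3      # assumed position of the command byte
CMD_SHELL, CMD_OTHER = 1, 2


def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> Optional[dict]:
    """Minimal IPv4 header parse; None if the header is not valid."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl or ip_checksum(buf[:ihl]) != 0:
        return None
    return {"proto": buf[9], "ihl": ihl, "src": buf[12:16], "dst": buf[16:20]}


def rst_trigger(buf: bytes, password: bytes) -> Optional[int]:
    """Return the command byte if buf matches the trigger, else None."""
    ip = parse_ipv4(buf)
    if ip is None or ip["proto"] != IPPROTO_EGP:
        return None
    if len(buf) <= CMD_OFFSET or buf[MAGIC_OFFSET] != MAGIC:
        return None
    if buf[PASSWORD_OFFSET:PASSWORD_OFFSET + 3] != password:
        return None
    cmd = buf[CMD_OFFSET]
    return cmd if cmd in (CMD_SHELL, CMD_OTHER) else None


def build_trigger(password: bytes, cmd: int,
                  src: bytes = b"\x0a\x00\x00\x02",
                  dst: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Constructed attacker-side packet laid out to satisfy rst_trigger."""
    payload = bytearray(32)                       # EGP "payload" after the 20-byte header
    payload[MAGIC_OFFSET - 20] = MAGIC
    payload[PASSWORD_OFFSET - 20:PASSWORD_OFFSET - 20 + 3] = password
    payload[CMD_OFFSET - 20] = cmd
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, IPPROTO_EGP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return bytes(hdr + payload)


if __name__ == "__main__":
    pw = b"abc"                                   # constructed, not the real password
    pkt = build_trigger(pw, CMD_SHELL)
    print(pkt.hex())
    print("command:", rst_trigger(pkt, pw))
```

The defender does not need the password to notice the backdoor being used: EGP traffic on a host that runs no EGP routing daemon is itself anomalous, so a sensor can alert on IP protocol 8 and leave the password comparison to confirm, not to detect.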