[exelist] Re: SUSPICIOUS German Docs
Here you go.
JVP
--------------------------------
TEU
what do YOU want to crack today?
http://members.xoom.com/jvp/
------------------------------------------------------------------------
eGroup home: http://www.eGroups.com/list/exelist
Free Web-based e-mail groups by eGroups.com
┌───────────────────────────────────────────────────────────────────────┐
│                                                                       │
│                               - S S C -                               │
│                                                                       │
│                HEURISTIC VIRUS DETECTION AND ANALYSIS                 │
│                                                                       │
│           Part of the SUSPICIOUS antivirus program package            │
│                                                                       │
│                      (c) 1997 Stefan Kurtzhals                        │
│                                                                       │
└───────────────────────────────────────────────────────────────────────┘

[ Overview of SSC messages ]───────────────────────────────────────────────
Messages:
~~~~~~~~~
■ D - MODIFICATION / ACCESS ON FILES
    P - ACCESS TO CHECKSUM FILES OF AV PROGRAMS
        Some viruses manipulate or delete the checksum files of AV programs
        to prevent early detection by those programs.
    S - SEARCH FOR EXECUTABLE FILES (EXE/COM)
        The program looks for EXE / COM files. Many viruses behave this way
        to look for victims, but normal programs also contain such routines.
    K - ACCESS TO COMMAND INTERPRETER (COMMAND.COM)
        The program accesses COMMAND.COM. That is a target of many viruses
        in order to become active after reboot. Some viruses avoid accessing
        COMMAND.COM to prevent hanging or early detection.
    M - MODIFICATION OF EXISTING FILES
        Routines were found that write files or change file time/date or
        attributes, a hint that existing files will be changed.
    U - EXE/COM CHECK
        The program tests files for .EXE or .COM structures.
    D - FILE DATE OR TIME AS MARKER
        The program sets the seconds to 60+ or adds 100 years to the file
        date. Many viruses mark their infected files like this.
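The D marker described above (seconds 60+, year 2080+) and the plain "invalid file date or time" hint of the A group, decoded from the packed FAT directory-entry time and date words, as an added Python example; this is not SSC's code, and the sample values are constructed.

```python
from collections import namedtuple

DosTimestamp = namedtuple("DosTimestamp", "year month day hour minute second")

def decode_dos_time(packed_time: int, packed_date: int) -> DosTimestamp:
    """Unpack the 16-bit FAT directory-entry time and date words, unvalidated."""
    hour = (packed_time >> 11) & 0x1F
    minute = (packed_time >> 5) & 0x3F
    second = (packed_time & 0x1F) * 2          # 5-bit field in 2-second units: 0..62
    year = 1980 + ((packed_date >> 9) & 0x7F)  # 7-bit offset from 1980: up to 2107
    month = (packed_date >> 5) & 0x0F
    day = packed_date & 0x1F
    return DosTimestamp(year, month, day, hour, minute, second)

def timestamp_hints(ts: DosTimestamp) -> list:
    """SSC-style hints: the seconds and year marker values, plus plainly invalid fields."""
    hints = []
    if ts.second >= 60:                        # field value 30 or 31, never written by DOS itself
        hints.append("D: file time as marker (sec=60+)")
    if ts.year >= 2080:                        # '100 years added' to a 1980s/1990s date
        hints.append("D: file date as marker (year=2080+)")
    if not (1 <= ts.month <= 12 and 1 <= ts.day <= 31) or ts.hour > 23 or ts.minute > 59:
        hints.append("AD: invalid file date or time")
    return hints

def pack_dos_time(hour: int, minute: int, second_field: int) -> int:
    return (hour << 11) | (minute << 5) | second_field

def pack_dos_date(year: int, month: int, day: int) -> int:
    return ((year - 1980) << 9) | (month << 5) | day

# Constructed sample directory-entry words: a normal stamp, a seconds=62
# marker and a year-2080 marker (hypothetical values, not from real files).
SAMPLES = {
    "clean":       (pack_dos_time(12, 30, 15), pack_dos_date(1997, 3, 14)),
    "sec_marker":  (pack_dos_time(12, 30, 31), pack_dos_date(1997, 3, 14)),
    "year_marker": (pack_dos_time(12, 30, 15), pack_dos_date(2080, 3, 14)),
}

def scan_timestamps() -> dict:
    return {name: timestamp_hints(decode_dos_time(t, d)) for name, (t, d) in SAMPLES.items()}

if __name__ == "__main__":
    for name, hints in scan_timestamps().items():
        print(f"{name:12} {hints or ['no hint']}")
```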
■ S - DIRECT ACCESS TO SECTORS (DISKETTE / HARD DISK)
    D - DIRECT HDD/FDD ACCESS VIA INT 13h, INT 26h OR INT 40h
        Normally only tools should use that type of access
        (e.g. FORMAT, SPEEDISK, caches).
    I - SEARCH FOR DOS-INTERNAL DISK-BIOS INTERRUPT VECTOR
        The program looks for the DOS-internal entry to the BIOS and may
        access the hard disk directly. Some AV programs do that, but most
        of the time it is viruses trying to circumvent the AV programs.
    B - ACCESS TO BOOT/PARTITION SECTOR
        Found a program part typical of MBR / boot viruses that changes
        track 0, head 0 or 1, sector 1. This message can also appear for
        FDISK, FORMAT or similar programs.
    ! - SUSPICIOUS BOOT/PARTITION SECTOR
        The boot/partition sector of the floppy/hard disk seems to contain
        a virus or is completely different from the standard DOS partition
        or boot layout.
    V - INVALID DIRECTORY ENTRIES
        Many boot viruses place a copy at the end of the root directory
        and overwrite directory entries. A program or data was found
        at this position.
    K - COPY OF BOOT SECTOR OR PARTITION
        Boot or partition viruses sometimes put a copy of the original
        sector in a different sector to access it later.
■ R - RESIDENT PROGRAMS
    M - SEARCHES, USES OR CHANGES MCBs WITHOUT DOS FUNCTIONS
        The program searches or uses memory directly via [40:13] or the
        MCB chain without calling DOS functions. Many resident viruses
        use that technique, but programs like MEM or SYSINFO can also
        cause this message.
    K - COPY ROUTINE (RAM)
        Parts of the program are copied to different parts of memory.
        Many resident viruses do that during installation.
    A - CHAINING PROGRAM STARTS OR OPENING OF FILES
        Many resident viruses hook these DOS functions to infect files
        which are started or opened.
    S - RESIDENT PROGRAM (TSR)
        The program stays active after termination.
    W - DETECTION / DISABLING OF AV PROGRAMS
        Some viruses disable AV programs to prevent alarms
        (e.g. VSAFE, FLUSHOT, DATAMON).
    E - REPLACED VECTOR FOR INTERRUPT 13h OR 21h
        Many viruses copy interrupt 13h or 21h to unused vectors to
        get easier access later and hide from resident virus blockers.
■ P - PROGRAM STRUCTURES
    P - POLYMORPHIC STRUCTURE
        The program contains senseless or useless operations, which are
        often used by viruses to make detection harder.
    V - ENCRYPTION (AT ENTRY POINT)
        The program is encrypted and cannot be analyzed further. Many
        viruses are encrypted, but so is copy-protected software like games.
    v - ENCRYPTION (IN PROGRAM CODE)
        The program contains some encryption later in the program code.
    U - UNDOCUMENTED INTERRUPT CALLS
        The program uses unknown or undocumented DOS functions or
        interrupts. Some memory-resident programs use that technique to
        communicate with their resident part, but so do many resident
        viruses.
    ! - ILLEGAL OPCODE / BRANCH
        The program contains illegal opcodes or jump destinations which
        leave the program and lead to a crash. Some viruses contain errors
        and perform incorrect infections.
    E - ENDLESS LOOP (JUMP TO PROGRAM START)
        The program start is called again, which would lead to an endless
        loop. The program must be modified in memory to prevent that.
        Used by many COM viruses.
    R - RELOCATOR (VARIABLE JUMP)
        The program jumps to a variable address in memory. Viruses can
        detect the real program start during execution; normal programs
        contain a relocation table.
    F - FLEXIBLE PROGRAM ENTRY POINT
        The program tests for its own code segment. 'Clean' programs do
        not need to detect that. More than half of all viruses contain
        such a routine.
    S - SOME JUMPS
        Some jumps were found near the entry point. 'Clean' programs do
        not have such parts.
    T - "TUNNELING" / TRACE MODE
        The program uses single-step mode. Normally only debuggers use
        that, but viruses also use it to detect interrupt entry points.
        It could also be a program that tries to prevent debugging.
    2 - 80286 OPCODES
        The program contains 286+ opcodes near the entry point. Normally
        these are only executed after a test for the CPU type.
    X - KNOWN / TYPICAL VIRUS CODE
        The program contains code which is known to be viral.
■ A - FILE STRUCTURE / ATTRIBUTES
    D - SUSPICIOUS FILE DATE OR TIME
        Invalid file time or date.
    G - PADDED FILE SIZE
        Some viruses pad the file length to a multiple of 16, 32, 64, 128
        or 256 to get a certain entry point or as an infection marker.
    C - APPENDED PROGRAM CODE
        The entry point is near the file end. That is typical for viruses
        that copy their code to the file end.
    V - HIDDEN FILE
        The file is marked HIDDEN or SYSTEM. Could be a companion virus
        that creates a .COM file with the same name as an .EXE file.
    o - INTERNAL OVERLAYS / APPENDED DATA/PROGRAM PARTS
        The size in the header differs from the real file size.
    ! - INVALID HEADER
        The .EXE program differs from its header values. Some viruses cause
        that by incorrect infection.
    E - WRONG EXTENSION
        The program has a COM extension but is in fact an EXE program.
    i - IMMUNIZED
        The program is immunized against viruses.
    S - ODD OR INVALID PROGRAM STACK
        The value of SP in the header is odd or SS is outside the occupied
        memory. Many viruses are badly coded and insert invalid values
        into the program header.
    k - COMPRESSION
        The program was compressed with PKLITE, LZEXE or similar. If
        this is a new or unknown program it should be unpacked and checked
        again for viruses.
    T - VIRUS TEXT
        The program contains the text "VIRUS", "DARK AVENGER" or other
        text which is known to come from viruses.
    w - WINDOWS OR OS/2 PROGRAM
        The program is a Windows or OS/2 program. At the moment there are
        just a few viruses that can infect such programs.
    M - MODIFIED PROGRAM
        The program was packed using PKLITE, LZEXE or similar but contains
        unknown code before the known unpacking routine.
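The .EXE-header checks of the A group (o, !, C, S and E) as an added Python example; this is not SSC's own code. The "near the file end" threshold (entry point in the last quarter of the file) and the memory bound used for the SS check are my assumptions, and the sample images are constructed.

```python
import struct

def mz_hints(data: bytes, name: str) -> list:
    """Return the SSC-style file-structure hints an MZ image would raise."""
    if len(data) < 0x18 or data[:2] not in (b"MZ", b"ZM"):
        return []                          # not an .EXE image: nothing to check here
    (cblp, cp, _relocs, cparhdr, minalloc, _maxalloc,
     ss, sp, _csum, ip, cs) = struct.unpack_from("<11H", data, 2)
    image = cp * 512 - (512 - cblp if cblp else 0)   # load image size the header claims
    header = cparhdr * 16
    hints = []
    if image > len(data) or header > len(data):
        hints.append("A!: invalid header (claimed size exceeds file)")
    elif image < len(data):
        hints.append("Ao: internal overlay / appended data")
    entry = header + cs * 16 + ip           # file offset of the entry point
    if entry >= len(data):
        hints.append("A!: invalid header (entry point outside file)")
    elif entry > len(data) * 3 // 4:        # assumed threshold for 'near the file end'
        hints.append("AC: appended program code (entry point near file end)")
    if sp & 1:
        hints.append("AS: odd program stack (SP)")
    if ss * 16 > image - header + minalloc * 16:   # SS beyond load module + minimum extra memory
        hints.append("AS: SS outside occupied memory")
    if name.lower().endswith(".com"):
        hints.append("AE: wrong extension (COM file with EXE header)")
    return hints

def build_mz(total: int, cs: int, ip: int, sp: int = 0x100, claim: int = None) -> bytes:
    """Constructed test image: 32-byte header, zero-filled body, optional wrong size claim."""
    size = total if claim is None else claim
    cp, cblp = (size + 511) // 512, size % 512
    hdr = struct.pack("<2s11H", b"MZ", cblp, cp, 0, 2, 0, 0xFFFF, 0, sp, 0, ip, cs)
    return hdr.ljust(total, b"\0")

# Hypothetical samples: a clean 1 KB program, a 4 KB file whose entry point sits in
# the last quarter with an odd SP, a file longer than it claims, and a .COM-named EXE.
SAMPLES = {
    "CLEAN.EXE": build_mz(1024, cs=0, ip=0),
    "APPENDED.EXE": build_mz(4096, cs=0xC0, ip=0, sp=0x101),
    "OVERLAY.EXE": build_mz(4096, cs=0, ip=0, claim=2048),
    "RENAMED.COM": build_mz(1024, cs=0, ip=0),
}
def scan_headers() -> dict:
    return {n: mz_hints(d, n) for n, d in SAMPLES.items()}

if __name__ == "__main__":
    for n, h in scan_headers().items():
        print(f"{n:13} {h or ['no hint']}")
```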
Summary of analysis messages (AM):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
■ Size (file write access) : xxxx
■ Size (program start to file end) : xxxx
■ Size (program segment to file end) : xxxx
■ Virus infects .EXE programs
■ Virus infects .COM programs
■ Virus contains "COMMAND.COM"
■ Virus contains "PATH"
■ Virus infects boot sectors and/or partitions
■ Virus overwrites standard DOS PSP
■ Virus makes .COM programs with the same name ("Companion")
■ Virus infects programs on open ("Fast Infector")
■ Virus infects programs on execution
■ Virus catches opening of programs (Extended Open)
■ Virus catches creating of programs
■ Virus catches debugging
■ Virus infects on DIR
■ Virus infects on setting file attributes
■ Virus infects on renaming
■ Virus infects programs in the current dir
■ Virus searches hard disk for programs
■ Virus infects only one file per run
■ Virus infects many files per run
■ Virus manipulates file start
■ Virus overwrites file end
■ Virus appends to file
■ Virus converts EXE to COM
■ Virus inserts JMP NEAR to program start
■ Virus inserts JMP REG to program start
■ Virus is encrypted
■ Virus uses one-step encryption
■ Virus is polymorphic
■ Virus uses file stealth functions (length) (xxxx)
■ Virus uses file stealth functions (content)
■ Virus uses file stealth functions (time/date)
■ Virus uses file date as marker (year=2080+)
■ Virus uses file time as marker (sec=60+)
■ Virus uses file size as marker ("Padding")
■ Virus uses FCB functions to access files
■ Virus checks for .EXE program header ("MZ")
■ Virus checks for .EXE program header ("ZM")
■ Virus uses "MZ" marker to prevent .EXE infection
■ Virus sets the program entry point in the .EXE header to xxxxh
■ Virus sets the program stack in the .EXE header to xxxxh
■ Virus sets the CRC field in the .EXE header to xxxxh
■ Virus does not change file date and time
■ Virus changes file date and time
■ Virus bypasses READ-ONLY, HIDDEN or SYSTEM file attributes
■ Virus cannot bypass READ-ONLY, HIDDEN or SYSTEM attributes
■ Virus changes access mode of open files
■ Virus suppresses write error messages
■ Virus suppresses <CTRL-C> during infection
■ Virus checks for free disk space
■ Virus is resident
■ Virus may be resident
■ Virus stays resident via DOS (xxxx)
■ Virus searches/changes MCB chain (xxxx)
■ Virus marks MCB as SYSTEM
■ Virus lowers DOS memory boundary (xxxx)
■ Virus overwrites memory at xxxx:yyyy
■ Virus is resident in interrupt table
■ Virus uses DOS UMBs
■ Virus uses XMS UMBs
■ Virus uses INT xx
■ Virus uses undocumented interrupts (installation check) :
■ Virus uses INT 2Ah to check for file access
■ Virus calls saved INT 21h directly (CALL FAR)
■ Virus gets interrupts by manipulating the DOS kernel
■ Virus checks for original interrupt handler ("Tracer")
■ Virus checks for BIOS disk interrupt vector
■ Virus uses INT xx to replace INT 21h
■ Virus moves its code in memory (xxxx)
■ Virus uses anti-debugging
■ Virus bypasses VSAFE/TSAFE
■ Virus bypasses FLUSHOT / VIREX
■ Virus bypasses DATAMON (PCTools)
■ Virus bypasses DISKMON (Norton)
■ Virus bypasses DATA GUARD
■ Virus bypasses NEMESIS
■ Virus bypasses TBSCANX
■ Virus works only on 8086 CPU
■ Virus works only on 80286+ CPU
■ Virus changes CMOS !
■ Virus creates files
■ Virus deletes files !
■ Virus renames files
■ Virus accesses speaker
■ Virus slows down the computer
■ Virus manipulates the keyboard or just some keys
■ Virus catches <CTRL-ALT-DEL>
■ Virus reboots
■ Virus manipulates printer
■ Virus writes text or changes graphics memory
■ Virus changes BIOS data area (keyboard, graphics, time)
■ Virus accesses AV programs
■ Virus checks system time
■ Virus checks system date
■ Virus contains text : xxxx
■ Virus overwrites sectors of hard or floppy disk
■ Virus formats sectors of hard or floppy disk
■ Virus uses extra tracks on disk
■ Virus uses sector(s) of root dir
■ Virus marks defective clusters
■ Virus uses sector(s) at the end of disk
■ Virus is similar to : xxxx