-----BEGIN PGP SIGNED MESSAGE-----

......................... VIRUS HELP DENMARK .....................
--------------------
10 April 2001

Hi All....

A new linkvirus has been found. At this time the installer for this new linkvirus is not known, and at this time only "Safe v15.1 SE" is able to find the virus, but not the installer.

Here is what we know at this time (text from Zbigniew):

I call the linkvirus temporarily Bastard. The virus is polymorphic and hacks VirusCheckerII in memory to make it infect all files you check. The virus is very well coded for the things we see these days. The virus adds its code behind the first code hunk and replaces the first long of it with a jump into the decryptor. The decryptor is highly polymorphic, but can be easily detected due to the laziness of the virus programmer. This decoder has a static length, one layer, and a few static important instructions. I think this engine is totally new, but we saw many better ones in the past.

To remove the virus we will need to decode the main block of the virus, so the recognition routine must be improved a little bit. As always I have prepared such a file recognition routine, but this time some additional work has to be done to decode the virus. As far as I understand the code of the virus, the best way of decoding would be rewriting the last word of the decoder with RTS and executing it. The decoding algorithm may become different from the version implemented by the author of the virus due to garbage instructions mixed with it.

The installer of this virus is currently unknown. We will get back to you as soon as we know more about this one.

Thanks to Zbigniew Trzcionkowski for Safe and the fast test...

Regards....

   __                Jan Andersen         E-Mail..: vht-dk@post4.tele.dk
  __ ///             ------------         FidoNet.: 2:237/38.100
  \\\///          Virus Help Denmark      AmyNet..: 39:140/127.100
   \XX/              www.vht-dk.dk        VirNet..: 9:451/247.0

...
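The description above says the virus appends itself behind the first code hunk and overwrites that hunk's first longword with a jump into its decryptor. The following Python is an added example written for this page; it is not Zbigniew's recognition routine from Safe and not part of the original post. It walks the AmigaDOS hunk executable format (block ids HUNK_HEADER 0x3F3, HUNK_CODE 0x3E9, HUNK_END 0x3F2 and friends), extracts the first code hunk, and flags files whose entry instruction is a 68000 BRA (0x60xx) or a JMP with an absolute-long or PC-relative operand (0x4EF9, 0x4EFA). The sample executables are constructed inline; `triage`, `build_hunk` and the other names are this example's own.

```python
import struct

# AmigaDOS hunk-file block ids
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3EF, 0x3F1, 0x3F2


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated hunk file")
    return struct.unpack_from(">I", buf, off)[0]


def first_code_hunk(buf):
    """Walk the hunk structure and return the bytes of the first HUNK_CODE block
    (None if the file carries no code hunk)."""
    if _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:                                   # resident library names, 0-terminated
        n = _u32(buf, off); off += 4
        if n == 0:
            break
        off += 4 * n
    first, last = _u32(buf, off + 4), _u32(buf, off + 8)
    off += 12 + 4 * (last - first + 1)            # table_size/first/last + size table
    while off < len(buf):
        kind = _u32(buf, off); off += 4
        if kind in (HUNK_CODE, HUNK_DATA):
            nlongs = _u32(buf, off) & 0x3FFFFFFF  # top bits are memory-type flags
            off += 4
            data = buf[off:off + 4 * nlongs]; off += 4 * nlongs
            if kind == HUNK_CODE:
                return data
        elif kind == HUNK_BSS:
            off += 4                              # size only, no payload in the file
        elif kind == HUNK_DEBUG:
            off += 4 + 4 * _u32(buf, off)
        elif kind == HUNK_RELOC32:
            while True:
                count = _u32(buf, off); off += 4
                if count == 0:
                    break
                off += 4 + 4 * count              # target hunk number + offsets
        elif kind == HUNK_SYMBOL:
            while True:
                n = _u32(buf, off); off += 4
                if n == 0:
                    break
                off += 4 * n + 4                  # name longs + symbol value
        elif kind == HUNK_END:
            pass
        else:
            raise ValueError(f"unsupported hunk type 0x{kind:X}")
    return None


def entry_is_jump(code):
    """True if the first instruction is BRA (0x60xx) or JMP abs.l / JMP (d16,PC)
    (opcode words 0x4EF9 / 0x4EFA)."""
    if len(code) < 4:
        return False
    opword = struct.unpack_from(">H", code, 0)[0]
    return opword in (0x4EF9, 0x4EFA) or (opword >> 8) == 0x60


def build_hunk(code):
    """Wrap `code` in a minimal single-hunk executable (constructed test input)."""
    assert len(code) % 4 == 0
    nlongs = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, nlongs)
            + struct.pack(">II", HUNK_CODE, nlongs) + code
            + struct.pack(">I", HUNK_END))


# Constructed samples: a program starting with MOVEQ #0,D0 / RTS, and one whose
# first longword has been overwritten with BRA.W $0100 (0x6000 0x0100).
CLEAN_CODE = b"\x70\x00\x4e\x75"
PATCHED_CODE = b"\x60\x00\x01\x00" + b"\x4e\x71\x4e\x71"


def triage(buf):
    """"review" if the first code hunk starts with a jump, "plain" otherwise,
    "no-code" if there is no code hunk. A pre-filter for a real scanner."""
    code = first_code_hunk(buf)
    if code is None:
        return "no-code"
    return "review" if entry_is_jump(code) else "plain"
```

Treat "review" as "hand this file to a proper scanner", not as a detection: plenty of legitimate startup code begins with a branch, so the filter has false positives by design, and it says nothing about the polymorphic decryptor itself. Overlay hunks and other block types the walker does not know raise rather than being silently skipped, so a mis-parsed file is visible instead of quietly reported as "plain".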
Did you know, that the newest version of VirusExecutor is v15.1 SE

- -------------------------------------------------------
Archive has been checked and a .sig file has been added so you can verify
there was no tampering with the file after it was placed on the server.

MD5SUMS and Readme PGP signed by: Charlene
e-mail: ml-clm@mailandnews.com
md5sum: ftp.vapor.com/pub/3rdparty/

[Start md5sum checksum file]-----------------------
45dc2fe6547aef48b606d18655f925d0 *file_id.diz
049c4afd282487dd231eb366638aa72d *VHT-DK.txt
2cceb28225654e38c5766fb00e52332e *VHT-DK96.TXT
[End md5sum checksum file]-----------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3
Charset: noconv
Comment: Signed by Charlene, using PGPAmiga

iQCVAwUBOtLsTfrh//oWbqdVAQGHmgP/cqHW/Ra1808Bfmi6DWkPNLHXCyTANpq0
Ap7/QYiWvO4ZwUAASqLNvev8nm0gjF4HxwtNPJMrVSOTVtSYhCdvMFbIq4iotB6S
YYa/wuiiG4u58KWy0nedlxmhFzyKJUGc0fgFN2BPZD9XDU/wU2DX3egaf+OXNRTZ
U9580L10WvI=
=83vG
-----END PGP SIGNATURE-----
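The checksum block above is in md5sum's output format: 32 hex digits, a space, then `*` (binary mode) or a second space (text mode), then the file name, wrapped here in `[Start ...]`/`[End ...]` lines that are not part of the format. As an added example, not the post's own tooling or Charlene's, here is a small Python verifier for that format. The files and digests in `demo()` are constructed stand-ins (the real archive is not available here), and `verify_checksums` and the other names are this example's own.

```python
import hashlib
import os
import re
import tempfile

# One md5sum-format line: 32 hex digits, a space, "*" or " ", then the name.
_LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")


def parse_checksum_file(text):
    """Return {filename: expected_hex}; wrapper or comment lines are ignored."""
    expected = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            expected[m.group(2)] = m.group(1).lower()
    return expected


def file_digest(path, algo="md5"):
    """Stream the file through hashlib so large archives do not sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(text, directory, algo="md5"):
    """Return {filename: "OK" | "FAILED" | "MISSING"} for every listed entry."""
    results = {}
    for name, want in parse_checksum_file(text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == want:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed scenario: one intact file, one modified after the checksum
    file was written, one listed but never shipped."""
    d = tempfile.mkdtemp()
    contents = {"file_id.diz": b"VHT-DK info file\n",
                "VHT-DK.txt": b"linkvirus report\n"}
    for name, data in contents.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    lines = ["[Start md5sum checksum file]-----------------------"]
    for name, data in contents.items():
        lines.append(f"{hashlib.md5(data).hexdigest()} *{name}")
    lines.append(f"{hashlib.md5(b'never shipped').hexdigest()} *VHT-DK96.TXT")
    lines.append("[End md5sum checksum file]-----------------------")
    # Simulate tampering after the checksum file was produced.
    with open(os.path.join(d, "VHT-DK.txt"), "ab") as f:
        f.write(b"appended by someone else\n")
    return verify_checksums("\n".join(lines), d)
```

The PGP signature is what turns this list into tamper evidence: an unsigned digest list can be replaced together with the files it covers. MD5 itself was a reasonable choice in 2001; today collisions are practical, so for a new release run the same verifier with `algo="sha256"` and a matching checksum file, which the code accepts unchanged.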