| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector |
| Length: | 7,856 BYTES |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | DOS>4.x |
| Computer model(s): | PCs |
| Caroname: | Pathogen.SMEG |
Attributes | |
| Easy identification: | |
| Type of Infection: | The virus appends itself to the files. Selfrec in memory: Int 21h func 18FF -> AX=e701h. Selfrec on disk: Year+100 |
| Infection Technique: | |
| Infection Trigger: | EXEC (int 21h func 4B) |
| Storage Media affected: | |
| Interrupts hooked: | 21/18,4B,6C 13/ 20/ |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | the virus uses variable encryption with a variable decryptor. |
| Encoding Method: | |
| Damage: | Transient: Permanent: Random sector writes |
| Damage Trigger: | Permanent: DayofWeek=Monday Time=17:00:00 (unverified) |
| Particularities: | The virus uses INT3 for some of its functions. Displayed text (encrypted): "Your hard-disk is being corrupted, courtesy of PATHOGEN! Programmed in the U.K. (Yes, NOT Bulgaria!) [C] The Black Baron 1993-4 Featuring SMEG v0.1: Simulated Metamorphic Encryption Generator! 'Smoke me a kipper, I`ll be back for breakfast.....' Unfortunately some of your data won`t!!!!!" This message is doubly encrypted. It is encrypted along with the body of the virus with the usual polymorphic decryption and then further encrypted with a simple NOT. The message remains in memory encrypted with a NOT. Not displayed text: "SMEG v0.1", encrypted, but only with the initial encryption of the body of the virus. This string is visible in memory. This virus seems to be spreading rapidly in the UK. It is highly polymorphic and uses a large number of irrelevant instructions between the actual decrypting code and uses a variety of techniques to implement the transfer of control at the end of the loop. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Wolfgang Stiller |
| Documentation by: | Wolfgang Stiller |
| Date: | 1994-04-04 |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg