PHX.965

Alias:Tracker, SP, Willistrover III
Strain:PHX strain
detected when:
where:
Classification:COM and EXE infector, resident
Length:1 kilobyte(s)

Preconditions

Operating System(s):MS-DOS
Version/Release:(CPU >= 286)
Computer model(s):PC's
Caroname:PHX.965

Attributes

Easy identification:

Type of Infection:

COM: The virus appends itself to the file.
EXE: Appending; uses the length from the EXE header to position the virus.
Selfrec in memory: INT_21; AX=B974 -> AX=2888
Selfrec on disk: the last three bytes of the file are 28 08 93

Infection Technique:
Infection Trigger:(Exec) and (LengthCOM < 0xFC00) and (LengthEXE == LengthImage + LengthHeader)
Storage Media affected:
Interrupts hooked:21/4B, 21/3D02, 21/40, 21/B974
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:-
Encoding Method:
Damage:Transient: Alters the "hour alarm" field in CMOS memory (byte 05). It's not clear whether or not this is intended as damage (see also PERMANENT_DAMAGE).
  Permanent: Will sometimes flip the high-order bit of the first byte after the write buffer when an INT21/40 is done. This can cause almost any effect.
Damage Trigger:Transient: Increments the byte whenever an infected program is run in a non-infected system.
  Permanent: Whenever the activation flag is set, and the hour-alarm byte is at least 0x80, and INT21/40 is done. The activation flag gets set when:
  - an environment variable beginning with "PHX" is present when a program is executed,
  - an INT21/3D02 is done, and the code following the INT21 call in the caller contains one of three 32-byte strings,
  - a program is executed, and an IN to port 0x03E4 returns anything but 0xFF.
  {Sorry for the complexity; this is too much for me to express in symbols!}
Particularities:Shrinks the current MCB, setting it to 'M', and makes a new 'Z' MCB in the released space. Virus uses Armouring. Not displayed text: PHX. Contains PUSHA and POPA, as well as SHL and SHR by values other than 1 or CL. When operating on a victim file, appends a "!" to the end of the name (so "FOO.COM" becomes "FOO.COM!"), presumably to fool resident anti-viral programs that look for "EXE\0" or "COM\0".
  (*Comments added by Fernando Bonsembiante based upon an analysis by Leandro Caniglia and Fernando Bonsembiante*)
  The "!" appending is attempted to fool MSAV and NAV. The new end MCB where the virus is located in memory is marked as owned by "SP" (System Program). Note that the correct value would be "SC" (System Code). That was corrected in the following version of the virus. The author's handle is Armagedon; he is from the city of Rosario, Argentina. The name given by the author is "Tracker". The permanent damage is attempted to harm only a machine, or a few ones. It is targeted at a person in Rosario who wrote some programs; the 32-byte strings searched by the program when an INT21/3D02 is called belong to three programs written by this person. The port 0x03E4 returns a non-0xFF value when a card named 'Embroidery Design System' is installed in the machine. That card is used as a copy protection by those programs, although it wasn't designed for that purpose. The string PHX in the environment is also a copy protection for another program. The self-recognition bytes on disk (28 08 93) mean the date 08-28-93, in the format used in Argentina. It is the birthday of the targeted person. That person was born in 1974, and the self recognition in memory contains 0x74 in AX.
  (*End added comments*)
  This CAROBASE entry is hereby placed into the public domain.
Similarities:
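A defender-side file check built from this entry's on-disk self-recognition bytes (28 08 93) and its infection trigger; this is an added example, not part of the CARObase record. It assumes that "LengthEXE == LengthImage + LengthHeader" means the size derived from the MZ header equals the file size (no overlay), and the sample files are constructed, not real infected binaries.

```python
import struct

# Indicator taken from the entry: infected files end with the bytes 28 08 93.
PHX_DISK_MARKER = bytes.fromhex("280893")
COM_MAX_LEN = 0xFC00  # infection trigger for COM files: LengthCOM < 0xFC00


def mz_load_module_size(data):
    """Size of the load module (header + image) from the MZ header, or None.

    Assumption, not stated by the entry: the trigger 'LengthEXE ==
    LengthImage + LengthHeader' means this header-derived size equals the
    file size, i.e. the file carries no overlay after the load module.
    """
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)  # bytes in last page, pages
    return e_cp * 512 - ((512 - e_cblp) if e_cblp else 0)


def scan_phx(name, data):
    """Report the PHX.965 on-disk marker and whether the file meets the
    entry's infection trigger (a file the virus would consider a victim)."""
    report = {"marker": data.endswith(PHX_DISK_MARKER), "candidate": False}
    upper = name.upper()
    if upper.endswith(".COM"):
        report["candidate"] = len(data) < COM_MAX_LEN
    elif upper.endswith(".EXE"):
        size = mz_load_module_size(data)
        report["candidate"] = size is not None and size == len(data)
    return report


# Constructed samples (not real malware): a 4-byte COM that just exits, a
# copy with filler and the trailing marker, and a 64-byte MZ file with
# e_cblp=64, e_cp=1 so the header-derived size equals the file size.
_MZ = struct.pack("<2sHHHHHH", b"MZ", 64, 1, 0, 2, 0, 0xFFFF).ljust(32, b"\0")
SAMPLES = {
    "CLEAN.COM": b"\xB4\x4C\xCD\x21",
    "INFECTED.COM": b"\xB4\x4C\xCD\x21" + b"\x90" * 10 + PHX_DISK_MARKER,
    "CLEAN.EXE": _MZ + b"\x90" * 32,
    "OVERLAY.EXE": _MZ + b"\x90" * 32 + b"OVERLAY",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, scan_phx(fname, blob))
```

A "marker" hit is the strong indicator; "candidate" only says the file satisfies the trigger and would be eligible for infection on a machine where the resident virus is active.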

Agents

Countermeasures:
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:David M. Chess, HICL; Leandro Caniglia, leandro@ubik.satlink.n
Documentation by:David M. Chess, HICL; Fernando Bonsembiante, fernando@ubik.sat
Date:1993-10-08
Information Source:Caroentry (autom.converter by S.Freitag)

(c) 1996 Virus-Test-Center, University of Hamburg