| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | EXE-infector |
| Length: | N/A |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | None |
| Computer model(s): | PC's |
| Caroname: | Slowlite |
Attributes | |
| Easy identification: | |
Type of Infection: | The virus is of companion type. Selfrec in memory: n/a Selfrec on disk: Presence of companion file {see comments} |
| Infection Technique: | |
| Infection Trigger: | DirectActionINFECTION_CRIT: On Exec of an infected program, each directory onelevel below ROOT is scanned for .EXE files with a 1 in4 chance. Any .EXE thus found is hit with a 1 in 3chance. |
| Storage Media affected: | |
| Interrupts hooked: | INT 08h (payload) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: Empty "slowdown" loop installed into the TimerTick(INT 08h) chain Permanent: None |
| Damage Trigger: | Transient: Payload installed in memory if certain conditions are metduring the direct-action infection scan: if a directorybeing scanned for .EXE files contains six already-infectedfiles. Permanent: n/a |
| Particularities: | Because the virus renames the original .EXE and replacesthis .EXE with itself, programs which read criticaldata from their disc image will access the wrong file.Such programs will either detect this problem, and failto work, or ignore it and possibly crash. Displayed text: None Not displayed text: None Files being infected are renamed with a three-letterextension derived via a pseudo-random sequence seededby the last letter of the file name. The original.EXE file is then recreated, via the CreatFile call,and the virus written at the head of this file. Thefile is padded until it is the same size as theoriginal program.When an infected program is run, the virus isactually executed. It attempts to replicate viadirect action, and then Execs its renamed "companion"file.To prevent virus removal simply by renaming thecompanion files, the virus encrypts the first 500bytes of the companion by XORing them with a fixedbuffer. This encryption is undone before Exec, andreapplied afterwards.The companion file extensions are created like this:chr(ord('A'+random(26))) +chr(ord('A'+random(26))) +chr(ord('A'+random(26)))with randseed initialised to the value of the lastcharacter in the filename.The XOIR encrpytion block is the first 500 numbers toemerge from random(256) after initialising randseed to128. The random number generator code matches that ofTurbo Pascal 5.5 -- if not exactly, at least in function-ality. |
| Similarities: | |
Agents | |
| Countermeasures: | |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg