Tequila

Alias:
Strain:-
detected when:
where:
Classification:EXE-infector, Master-boot record (HD) infector
Length:3 kilobyte(s)

Preconditions

Operating System(s):MS-DOS
Version/Release:
Computer model(s):PC's
Caroname:Tequila

Attributes

Easy identification:

Type of Infection:

FILES: Appending, uses length from EXE header to position virus.
Selfrec in memory: INT 21h/AX=FE02h -> AX=01FDh
Selfrec on disk: file[12h..13h] {checksum} is one of a set of 32 possible values

Infection Technique:
Infection Trigger:FindFirstFCB, FindNextFCB
INFECTION_CRIT: Filetype = EXE, EXEloadSize = EXEfileSize, "SC" not in Filename, "V" not in Filename
Storage Media affected:Harddisks
Interrupts hooked:13h, 1Ch, 21h/11h, 21h/12h, 21h/FE02h, 21h/FE03h
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:Transient: Low-res fractal displayed on screen, text message from authors displayed. Permanent: None
Damage Trigger:Transient: Infected program run on same day of month as when infection occurred, but 3 or more months later. Permanent: n/a
Particularities:Virus destroys last 6 sectors of first DOS partition listed in the partition table.

Displayed text:
"Welcome to T.TEQUILA's latest production.
Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/Switzerland
Loving thoughts to L.I.N.D.A
BEER and TEQUILA forever ! "
"Execute: mov ax, FE03 / int 21. Key to go on!"

Tequila might be described as action-packed for the anti-virus researcher. It's got plenty of "features". Tequila has mild armouring: the decryption code is also the decryption key; setting a breakpoint outside the decryptor fails because the breakpoint instruction gets altered; setting one inside the decryptor before control is returned to the decrypted code causes errors in the decryption.

It's bipartite, infecting the MBR and .EXE files; it uses tracing to find the INT 13h entry point; it has stealth, to hide both the infected partition record and the increase in size of infected .EXEs; it is polymorphic when infecting files (though not polymorphic in the MBR).

One of its transient damage routines is to compute and display a low-resolution fractal. The fractal display is enabled when an infected program is run more than three months after it was infected on the same day of the month it was hit. Three programs later, the fractal appears on program termination.

Files with "SC" or "V" in their name are left alone; files treated with a certain integrity self-check routine (apparently) have the self-check trashed.

When infecting the MBR, Tequila searches the MBR partition table for the first DOS partition. The size of this partition is shrunk by 6 sectors, and these 6 sectors are used as a hiding place by the virus. Anything previously in those sectors is lost forever.

Tequila marks the timestamp of infected files with a value of 62 in the seconds field. This is used by its stealth routines to decide, during directory searches with FindFirstFCB/FindNextFCB, when to subtract 2468 bytes from the reported file size. No stealthing of actual file access is performed, however.

Anything else you fancy? Ah yes -- the virus even provides an interrupt call which will instruct it to describe itself. Issuing INT 21h, AX=FF03h will produce the "T.TEQUILA" message above.

The author or authors must have been relatively young. *No-one* can drink Beer and Tequila forever!
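
Added example (not part of the VTC entry): a Python scanner that reads raw 32-byte FAT directory entries, as seen when examining a disk image rather than through the hooked directory searches, and flags .EXE files carrying the 62-second timestamp marker described above. The FAT entry layout is standard; the function names and the sample entries are constructed for illustration.

```python
import struct

MARKER_SECONDS = 62   # seconds value the entry says marks infected files
STEALTH_DELTA = 2468  # bytes the entry says are subtracted in directory searches

def dos_seconds(packed_time):
    """Low 5 bits of a DOS packed time hold seconds/2, so raw 31 decodes to 62,
    a value no normal clock write produces."""
    return (packed_time & 0x1F) * 2

def scan_directory(raw):
    """Return (filename, size_on_disk, size_stealth_would_report) for each
    suspect entry in a buffer of 32-byte FAT directory entries."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                       # end-of-directory mark
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:   # deleted, label or subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (packed_time,) = struct.unpack_from("<H", entry, 22)
        (size,) = struct.unpack_from("<I", entry, 28)
        if ext != "EXE" or dos_seconds(packed_time) != MARKER_SECONDS:
            continue
        # The entry states names containing "SC" or "V" are never infected,
        # so a marker on such a file has some other cause.
        if "SC" in name or "V" in name:
            continue
        hits.append((f"{name}.{ext}", size, size - STEALTH_DELTA))
    return hits

def make_entry(name, ext, seconds, size, attr=0x20):
    """Build one constructed directory entry (12:30, 1991-01-01, cluster 2)."""
    packed_time = (12 << 11) | (30 << 5) | (seconds // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, packed_time, 0x1621, 2, size)

# Constructed sample directory, not taken from a real infected disk.
SAMPLE = b"".join([
    make_entry("GAME", "EXE", 62, 20000),   # marker present -> flagged
    make_entry("SCAN", "EXE", 62, 30000),   # "SC" in name -> skipped
    make_entry("EDIT", "EXE", 30, 15000),   # ordinary timestamp
    make_entry("NOTE", "TXT", 62, 500),     # not an EXE
])

if __name__ == "__main__":
    for fname, on_disk, reported in scan_directory(SAMPLE):
        print(f"{fname}: {on_disk} bytes on disk, {reported} if stealthed")
```

The marker is a heuristic only: other software may also write an out-of-range seconds value, so a hit calls for further inspection of the file rather than a verdict.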
Similarities:

Agents

Countermeasures:
Standard means:

Acknowledgements

Location:Virus Test Center, University Hamburg, FRG
Classification by:Paul Ducklin
Documentation by:Paul Ducklin
Date:
Information Source:Caroentry (autom.converter by S.Freitag)

(c) 1996 Virus-Test-Center, University of Hamburg