Re: virus

Author: Slawomir Marczynski (slawek_at_arcadia.tuniv.szczecin.pl)
Date: Fri 28 Mar 1997 - 14:42:44 MET


Jarek Lis (lis_at_spamfilter.ict.pwr.wroc.pl) wrote:

: Do you know anything about the Burglar.1150 virus?

: MKS detects it for me on a Novell server, in \login\login.exe,
: which puzzles me, because I had earlier compared the file against another one -
: no differences at all. Owner, modification date - everything correct.
: But it removed it, and now it no longer detects it.

Quoting Data Fellows:
---------------------

   
   NAME: Burglar
   ALIAS: Grangrave
   TYPE: Stealth, Resident, EXE files
   ORIGIN: Taiwan
   SIZE: 1150

   This virus infects EXE programs when they are accessed or
   executed. In addition to that, Burglar searches for new victims and
   infects them when the 'file attribute change' function (used by
   ATTRIB) and 'get free disk space' function (used by DIR and many other
   commands) are called.
   
   Burglar has stealth features: it will hide the change in the size of
   the infected files when viewed with the DIR command.
   
   Every time the virus is infecting files, it checks the time. If the
   minute field is 14, the virus activates and writes a flashing message
   in the top left corner of the screen:
   
                Burglar/H

   The virus also contains an unencrypted text which is never shown:
   
                AT THE GRAVE OF GRANDMA

   Burglar has anti-heuristic mechanisms. Burglar checks for and does
   not infect Windows programs or programs which contain 'V' or 'S' in
   the file name (covering programs like VIRSTOP, SCAN, VSHIELD, MSAV,
   NAV, CPAV etc).
   
   Since Burglar is resident, a clean boot is necessary before
   disinfecting an infected hard drive. Burglar contains a programming
   error which causes it to occasionally corrupt EXE files. Such programs
   do not work and they cannot be disinfected.
   
   Burglar contains several bugs, and it can cause problems with several
   memory managers.
   
   Burglar was found in the wild internationally in January 1996. It has
   been spread in an infected version of a demo called 'Dawn', in a
   copy-protect crack for a game called Dune 2 and in a pirated beta of
   PKLite v2.00.
   
   [Analysis by Peter Szor, Data Fellows Ltd's F-PROT Professional
   Support]
   
   All viruses listed in the Virus description pages can be detected and
   removed with F-PROT Professional Antivirus software.
   

--
Slawomir Marczynski (Mr) 
Institute of Physics, Technical University of Szczecin
Al. Piastow 48/49, 70-310 Szczecin, Poland
slawek_at_arcadia.inter.tuniv.szczecin.pl, tel:+(048-91)-494056 


This archive was generated by hypermail 2.1.7 : Tue 18 May 2004 - 15:59:24 MET DST