Path: sparky!uunet!charon.amdahl.com!pacbell.com!sgiblab!zaphod.mps.ohio-state.edu!caen!umeecs!hela.iti.org!cs.widener.edu!dsinc!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: bontchev@fbihh.informatik.uni-hamburg.de (Vesselin Bontchev)
Newsgroups: comp.virus
Subject: Re: Info on Commander Bomber and Starship? (PC)
Message-ID: <0005.9211171913.AA17490@barnabas.cert.org>
Date: 16 Nov 92 14:08:56 GMT
Sender: virus-l@lehigh.edu
Lines: 59
Approved: news@netnews.cc.lehigh.edu

tck@bend.ucsd.edu (Kevin Marcus) writes:

> Yeah, please post up a description.

The virus is a memory resident COM file infector. File size increases
by 4096 bytes. The installation check ("Are you there?") is INT
21h/AX=424Fh; if it returns 4D42h in AX, this means that the virus is
resident. The virus infects on file execution only; not on copying.
True Execs are intercepted (AX=4B00h), which means that no overlays
will be infected. The virus is not encrypted and contains two plain
text strings: "COMMANDER BOMBER WAS HERE" and "[DAME] [DAME]". The
"COMMAND" part of the first string is used to check the names of the
infected files - the virus refuses to infect a file, the name of which
begins like that. Therefore, the file COMMAND.COM will not be
infected. The virus does not infect files smaller than 5120 bytes. The
type of the file is checked (both MZ and ZM checks are performed) and
only true COM-type files are infected. The date and the time of the
infected files are preserved, but the attributes are not. The ReadOnly
attribute will not stop the virus from infecting the file, although it
will remain turned off after the infection.

Well, essentially, this is all. All of the viral code, that is. It
occupies about 560 bytes. The remainder is code aimed to conceal the
virus entry point. The virus can reside anywhere in the COM file.
Furthermore, it consists of about a dozen tiny parts and one main
body. The tiny parts do essentially nothing - just a few insignificant
instructions and then transfer control to the next part. The
generation of these parts is very polymorphic, meaning that they can
be -very- different from one infected file to another. The main part
is not even encrypted, which means that it can be detected with a
simple (even not a wildcard) scan string, but in order to do this, the
scanner must scan the -whole- file (which slows down the scanning
considerably). Smart tricks like scanning at the file entry point, or
at the beginning and at the end of the file only, do not work with
this virus.

The second string found in the virus suggests that Dark Avenger
(because he is the author of this Commander Bomber virus) intends to
combine it with the MtE polymorphic mechanism for variable encryption.
Detecting MtE with a scanner now is a nightmare, even if you know that
the file entry point points to it. Detecting an MtE-based virus with
the MtE-generated decryptor which can reside just anywhere in the file
will be a double nightmare, if you care not to produce any false
positives... Fortunately, it is not such an easy thing to do...

It is obvious that the Commander Bomber virus is yet another
"demonstration" virus, like Dedicated. It is an attempt to show that
known-virus scanners can be made obsolete. It is also a buggy virus -
due to some reasons (not clear to me yet), the virus crashes after
some infections. Other than that, there is no destructive payload in
it (or any other payload for that matter).

Regards,
Vesselin
- --
Vesselin Vladimirov Bontchev Virus Test Center, University of Hamburg
Tel.:+49-40-54715-224, Fax: +49-40-54715-226 Fachbereich Informatik - AGN
< PGP 2.0 public key available on request. > Vogt-Koelln-Strasse 30, rm. 107 C
e-mail: bontchev@fbihh.informatik.uni-hamburg.de D-2000 Hamburg 54, Germany

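An added illustration of the scanning point Bontchev makes above (example code, not part of the original post or of any product): the post says the main body is unencrypted and can be found with a plain scan string, but only if the scanner reads the whole file, because entry-point and head/tail heuristics miss a body that sits in the middle of the COM image. The infected image below is a constructed stand-in (filler bytes plus the quoted string placed deep in the file, no viral code), and the 1024-byte window size is an assumption for the heuristics, not a figure from the post.

```python
# Constructed demo of whole-file vs. entry-point scan-string detection.
SIGNATURE = b"COMMANDER BOMBER WAS HERE"  # plain-text string quoted in the post
MIN_INFECTABLE = 5120                      # the virus skips smaller files (per post)
WINDOW = 1024                              # assumed heuristic window; not from the post


def is_true_com(data: bytes) -> bool:
    """Files the virus could have touched: large enough and not MZ/ZM (EXE) images."""
    return len(data) >= MIN_INFECTABLE and data[:2] not in (b"MZ", b"ZM")


def scan_entry_window(data: bytes, window: int = WINDOW) -> bool:
    """Heuristic 1: look only near the COM entry point (offset 0)."""
    return SIGNATURE in data[:window]


def scan_head_and_tail(data: bytes, window: int = WINDOW) -> bool:
    """Heuristic 2: look at the first and last `window` bytes only."""
    return SIGNATURE in data[:window] or SIGNATURE in data[-window:]


def scan_whole_file(data: bytes) -> int:
    """Exhaustive scan: offset of the signature, or -1 if absent."""
    return data.find(SIGNATURE)


def build_sample_image(size: int = 8192, body_offset: int = 3000) -> bytes:
    """Constructed 'infected' COM image: deterministic filler bytes with the
    unencrypted main-body string placed at body_offset (no real viral code)."""
    filler = bytes((i * 37 + 11) & 0xFF for i in range(size))
    end = body_offset + len(SIGNATURE)
    return filler[:body_offset] + SIGNATURE + filler[end:]


SAMPLE = build_sample_image()


def detect(data: bytes) -> dict:
    """Run all three strategies so the difference is visible side by side."""
    return {
        "candidate": is_true_com(data),
        "entry_window": scan_entry_window(data),
        "head_and_tail": scan_head_and_tail(data),
        "whole_file_offset": scan_whole_file(data),
    }


if __name__ == "__main__":
    print(detect(SAMPLE))  # only whole_file_offset reports a hit (3000)
```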