VSUM denial time :)
+-----------------+
Well people, it seems we have made it into VSUM, all AVers only
have one of our viruses it seems, the other seven or so never did
make it into any scanners or reports, so now you know what sources
to mess with ;) As per usual with articles we have something to
say about, I'm going to write my comments in square brackets
in the article.
Virus Name: Incest
[when will all you AV fucks get it right? there are four viruses,
each was published in VLAD#1 which you must have read! Each a
member of the Incest family, therefore this virus should be called
Incest.Daddy! the other three being Incest.Mummy, Incest.Brother
and Incest.Sister.]
Aliases:
[how true, no aliases]
V Status: New
Discovered: September, 1994
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory;
file time changes
Origin: Queensland, Australia
[ah well, now you know where the magazine was first released ;) ]
Eff Length: 1,117 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method:
[well it is detected by F-Prot and TBAV, but patti is too cool for
these heuristic scanners]
Removal Instructions: Delete infected files
[haha how true, I know that tbclean won't remove it, not sure about
f-prot though, i doubt it]
General Comments:
The Incest virus was submitted in September, 1994, after its isolation
in Australia. Incest is a memory resident stealth-type virus which
infects .COM and .EXE programs, including COMMAND.COM.
[what's this isolation shit? are these people thinking the virus
didn't get anywhere past Queensland? hmm interesting! :) ]
When the first Incest infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Total system
and available free memory will have decreased by 2,400 bytes, and
interrupt 21 will be hooked by the virus in memory.
Once the Incest virus is memory resident, it will infect .COM and .EXE
programs, including COMMAND.COM, when they are executed, opened, or
copied. Infected programs will have a file length increase of 1,117
bytes, though the file length increase will be hidden when the virus
is memory resident. The virus will be located at the end of the file.
The file's date in the DOS disk directory listing will not be altered,
however, the time field will have been altered. The following text
strings are encrypted within the viral code:
[if I remember correctly Incest.Daddy changes the seconds on files
to 62 to check for infection (i might be wrong since I didn't write
it hehe)]
"[Incest Daddy] by VLAD - Brisbane, OZ"
"ANTI-VIR.DAT MSAV.CHK CHKLIST.CPS CHKLIST.MS"
[well we had to say it was from somewhere didn't we,
and naturally Brisbane came to mind]
This virus interfers with the Microsoft Anti-Virus and Central
Point Anti-Virus programs, deleting the above indicated files which
the programs require in order to be able to detect viral infections.
[I believe that's spelt "interferes" patti, but hey I'll let it go,
yeah you're right it messes with those, and tbscan but you wouldn't
mention that would you ;)]
All in all the article is pretty much correct, although there are
two versions of the Incest.Daddy virus (as noted by F-Prot). It's
obvious she hasn't read vlad#1 or I'm sure she would've mentioned
about the reason *why* it's called the Incest family.
Ah well, VSUM is in general full of shit.. but this is ok. It just
fucks me off that every single piece of AV bullshit has named our
virus (they all only have Incest.Daddy!!) wrong, they obviously don't
know how to read a magazine, any of them could get their hands on
it if they really wanted to.
When it comes down to it, we're lucky these people are doing their
job badly. It gives us a better chance of further infection, and
a virus with more names might get more attention :) hehe I dunno,
a pretty rooted theory but hey.. this is a magazine, I have to
crap on about something :) heheheh
Metabolis/VLAD
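
The time-field change listed in the entry and the seconds value of 62 recalled in the comment can be checked for from the defender's side. This is an added example, not code from the magazine or from VSUM: it walks raw FAT directory entries and reports .COM and .EXE files whose packed DOS time decodes to 60 seconds or more, which no normal file write produces. The sample directory and the helper make_entry are constructed for illustration, and the 62-second marker is taken from the comment above as an assumption.

```python
import struct

# 32-byte FAT directory entry: name, ext, attr, reserved, time, date, cluster, size
ENTRY = struct.Struct("<8s3sB10sHHHI")

def decode_time(word):
    """Unpack a DOS time word: 5 bits hours, 6 bits minutes, 5 bits seconds/2."""
    return word >> 11, (word >> 5) & 0x3F, (word & 0x1F) * 2

def suspicious_entries(directory, extensions=("COM", "EXE")):
    """Return (filename, seconds) for program files whose seconds value is >= 60."""
    hits = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, time_w, _, _, _ = ENTRY.unpack_from(directory, off)
        if name[0] == 0x00:                   # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & 0x18:    # deleted entry, volume label or subdirectory
            continue
        ext_s = ext.decode("ascii", "replace").rstrip()
        seconds = decode_time(time_w)[2]
        if ext_s in extensions and seconds >= 60:
            fname = name.decode("ascii", "replace").rstrip() + "." + ext_s
            hits.append((fname, seconds))
    return hits

def make_entry(name, ext, h, m, s, size):
    """Build a constructed directory entry for the sample below (hypothetical helper)."""
    time_w = (h << 11) | (m << 5) | (s // 2)
    date_w = ((1994 - 1980) << 9) | (9 << 5) | 1      # 1994-09-01
    return ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                      0x20, b"\0" * 10, time_w, date_w, 2, size)

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = (
    make_entry("COMMAND", "COM", 6, 0, 62, 55762)    # seconds field out of range
    + make_entry("EDIT", "COM", 6, 0, 0, 413)        # ordinary timestamp
    + make_entry("README", "TXT", 12, 30, 62, 100)   # odd time, but not a program file
    + make_entry("CHKDSK", "EXE", 6, 0, 58, 12241)   # highest valid seconds value
    + bytes(32)                                      # end-of-directory entry
)

if __name__ == "__main__":
    for fname, secs in suspicious_entries(SAMPLE_DIR):
        print(f"{fname}: seconds field reads {secs}")
```

Because the entry says the length increase is hidden while the virus is resident, a check like this belongs on directory data read from a clean boot or an offline disk image.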