TPE Virus
Virus Name: TPE
Aliases: Girafe
V Status: Rare
Discovery: December, 1992
Symptoms: .COM & .EXE file growth; decrease in total system & available
free memory; graphic & message
Origin: The Netherlands
Eff Length: Generally Over 3,000 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, ViruScan, Sweep, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
Sweep/N, AVTK/N, IBMAV/N, NShld, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
General Comments:
The TPE, or Trident Polymorphic Engine, was submitted in December,
1992. It is from The Netherlands. TPE is not actually a virus
itself, but rather a polymorphic encryption engine which is used
as part of the viruses indicated in this entry. The encryption
produced by the engine is extremely complex and in some respects
similar to the DAME encryption engine. Because the engine generates
a different decryptor and a differently keyed encryption of the
virus body for each infection, viruses encrypted with it carry no
constant scan string; they can only be identified by recognizing
the encryption engine itself, that is, the decryption code it
generates. At the time of its submission, one virus, Girafe,
existed which uses TPE for its encryption. Girafe uses version 1.1
of the Trident Polymorphic Engine. Another version, 1.2, has been
submitted, but not with a virus which incorporated it. The entry
below is for the Girafe virus, and future viruses using this
encryption engine will be listed below as they are submitted and
researched.
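The following is an added illustration, not part of the original
entry and not TPE's code, of the point above: why an engine that
re-keys the body and regenerates the decryptor for every infection
defeats fixed scan strings, and how a scanner that decrypts the body
(a "generic decryption" scanner) still gets at strings such as the
one listed for Girafe. The cipher is an assumed model (a rolling
single-byte XOR behind a random-length junk prefix that stands in
for the generated decryptor); the body, seed and function names are
constructed for the example and do not come from any sample.

```python
import random

# One of the strings the entry lists as stored encrypted inside Girafe-infected files.
MARKER = b"Amsterdam = COFFEESHOP!"

# Constructed stand-in for a virus body: a few bytes of "code" around the marker.
# It is not Girafe's code.
BODY = b"\xb8\x00\x4c\xcd\x21" + MARKER + b"\x90" * 8 + b"legalize cannabis"


def tpe_like_encrypt(body: bytes, key: int, step: int, junk: bytes) -> bytes:
    """One mutation under an assumed model: a variable-length junk prefix (standing
    in for the randomly generated decryptor) followed by the body XORed with a byte
    key that is advanced by `step` after every byte. This is a model, not TPE."""
    out = bytearray()
    k = key
    for b in body:
        out.append(b ^ k)
        k = (k + step) & 0xFF
    return junk + bytes(out)


def make_samples(n: int, seed: int = 1992) -> list:
    """n mutations of BODY with distinct (key, step) pairs and random junk prefixes."""
    rng = random.Random(seed)
    pairs = rng.sample([(k, s) for k in range(256) for s in range(1, 256)], n)
    out = []
    for key, step in pairs:
        junk = bytes(rng.randrange(256) for _ in range(rng.randrange(16, 96)))
        out.append(tpe_like_encrypt(BODY, key, step, junk))
    return out


def common_ngrams(samples, n: int = 8) -> set:
    """Byte n-grams present in every sample: the raw material of a fixed signature."""
    return set.intersection(*[{s[i:i + n] for i in range(len(s) - n + 1)} for s in samples])


def recover_marker(sample: bytes, marker: bytes = MARKER):
    """Known-plaintext attack on the key schedule: at each offset derive (key, step)
    from the first two bytes and verify the rest. Returns (offset, key, step) or
    None. A generic-decryption scanner reaches the same plaintext by emulating the
    decryptor; this shortcut works only because the model cipher is a linear walk."""
    n = len(marker)
    for off in range(len(sample) - n + 1):
        key = sample[off] ^ marker[0]
        step = ((sample[off + 1] ^ marker[1]) - key) & 0xFF
        if all(sample[off + i] ^ ((key + i * step) & 0xFF) == marker[i] for i in range(n)):
            return off, key, step
    return None


def decrypt_from(sample: bytes, off: int, key: int, step: int, length: int) -> bytes:
    """Decrypt `length` bytes starting at `off` with the recovered schedule."""
    return bytes(sample[off + i] ^ ((key + i * step) & 0xFF) for i in range(length))


if __name__ == "__main__":
    samples = make_samples(5)
    print("8-byte n-grams shared by all samples:", len(common_ngrams(samples)))
    for s in samples:
        off, key, step = recover_marker(s)
        print(f"offset {off:3d} key {key:02x} step {step:02x}:",
              decrypt_from(s, off, key, step, len(BODY) - 5))
```

Running it shows that the mutations share no usable byte run even
though every one carries the same body, while decryption recovers
"legalize cannabis" behind the marker in each. The real engine also
varies the decryptor's registers and instruction order, so a scanner
has to recognize the decryptor structurally or emulate it, exactly
the "presence of the engine itself" that the entry refers to.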
The first time a program infected with the Girafe virus is executed,
the Girafe virus will install itself memory resident at the top of
system memory but below the 640K DOS boundary, hooking interrupt 21.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 8,960 bytes. Interrupt 12's
return will not have been moved; the memory is taken from the DOS
memory arena rather than by lowering the BIOS memory size.
Once the Girafe virus is memory resident, it will infect .COM and
.EXE programs, other than COMMAND.COM, when they are executed.
Infected programs will have a file length increase of 3,039 - 3,117
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will not
be altered. The following text strings are encrypted within the
viral code in Girafe infected programs:
"COSCCLVSNEHTTBVIFIGIRAFEMTBRIM"
"[ MK / Trident ]3 RV"
"Amsterdam = COFFEESHOP!"
The Girafe virus activates on Thursdays, at which time it will
display a graphic cannabis (marijuana) leaf and the message
"legalize cannabis".
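Since the encrypted body leaves no scan string, the practical checks
for this family are the ones the entry's figures support: the file
grew by an amount inside the listed range, the growth sits at the end
of the file, and the directory date and time were left alone, so a
stored size and checksum is what catches it. The following is an
added example, not part of the original entry and not Girafe's code,
that records a baseline for program files, reports any file whose
hash changed, matches the growth against the ranges this entry gives
for Girafe and the other TPE-carrying viruses listed below it, and
checks whether the EXE header's CS:IP (or a COM file's leading JMP)
now points into the appended region. The sample files and the
infection routines that produce them are constructed for the example;
patching the header so the appended code runs first is the assumed
behaviour of an appending infector, not taken from a Girafe sample.

```python
import hashlib
import struct

# File-growth ranges (bytes) taken from this entry, one per TPE-carrying virus.
GROWTH = {
    "Girafe": (3039, 3117),
    "Beethoven": (1718, 1745),
    "Bosnia": (3146, 3245),
    "Civil War IV v1.1": (2018, 2127),
    "Civil War V v1.0": (2068, 2161),
    "Coffeeshop 4": (3043, 3139),
}


def mz_entry_offset(data: bytes):
    """File offset of an MZ EXE's initial CS:IP, or None if not an MZ file."""
    if len(data) < 0x18 or data[:2] not in (b"MZ", b"ZM"):
        return None
    fields = struct.unpack_from("<11H", data, 2)      # e_cblp .. e_cs
    e_cparhdr, e_ip, e_cs = fields[3], fields[9], fields[10]
    return e_cparhdr * 16 + e_cs * 16 + e_ip


def com_entry_offset(data: bytes) -> int:
    """File offset reached by a leading near JMP (E9 rel16) in a .COM, else 0."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = struct.unpack_from("<h", data, 1)[0]
        return (3 + rel) & 0xFFFF
    return 0


def entry_offset(data: bytes) -> int:
    e = mz_entry_offset(data)
    return com_entry_offset(data) if e is None else e


def baseline(files: dict) -> dict:
    """Clean-system snapshot: size and SHA-256 per program file."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def check(files: dict, base: dict) -> dict:
    """For each file that no longer matches its baseline hash, report the growth,
    the families from GROWTH whose range contains it, and whether the entry point
    now lies in the appended region (at or beyond the baseline size)."""
    findings = {}
    for name, data in files.items():
        size, digest = base[name]
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        growth = len(data) - size
        hits = [v for v, (lo, hi) in GROWTH.items() if lo <= growth <= hi]
        findings[name] = (growth, hits, entry_offset(data) >= size)
    return findings


def build_clean_exe(code_len: int = 1000) -> bytes:
    """Constructed minimal MZ file (not a real program): 32-byte header, CS:IP = 0."""
    hdr_paras = 2
    e_cp, e_cblp = divmod(hdr_paras * 16 + code_len, 512)
    if e_cblp:
        e_cp += 1
    hdr = struct.pack("<2s11H", b"MZ", e_cblp, e_cp, 0, hdr_paras, 0, 0xFFFF,
                      0, 0x100, 0, 0, 0).ljust(hdr_paras * 16, b"\0")
    return hdr + b"\x90" * code_len


def append_infect_exe(clean: bytes, body: bytes) -> bytes:
    """Assumed model of an appending EXE infector: body at end of file, size
    fields and CS:IP patched so the body runs first. Not Girafe's own code."""
    data = bytearray(clean + body)
    e_cparhdr = struct.unpack_from("<H", data, 8)[0]
    e_cp, e_cblp = divmod(len(data), 512)
    if e_cblp:
        e_cp += 1
    rel = len(clean) - e_cparhdr * 16          # body start relative to load module
    struct.pack_into("<HH", data, 2, e_cblp, e_cp)
    struct.pack_into("<H", data, 0x14, rel & 0xF)   # e_ip
    struct.pack_into("<H", data, 0x16, rel >> 4)    # e_cs
    return bytes(data)


def append_infect_com(clean: bytes, body: bytes) -> bytes:
    """Assumed model of an appending COM infector: first bytes replaced by a JMP
    to the body at end of file (a real infector saves the originals in the body)."""
    return b"\xe9" + struct.pack("<h", len(clean) - 3) + clean[3:] + body


def run_demo() -> dict:
    clean_exe = build_clean_exe()
    clean_com = b"\xb4\x09\xba\x00\x01\xcd\x21\xc3" + b"\x90" * 200
    base = baseline({"PROG.EXE": clean_exe, "TOOL.COM": clean_com, "OK.COM": clean_com})
    now = {
        "PROG.EXE": append_infect_exe(clean_exe, b"\xcc" * 3080),   # Girafe-sized growth
        "TOOL.COM": append_infect_com(clean_com, b"\xcc" * 2100),   # Civil War-sized growth
        "OK.COM": clean_com,                                       # untouched
    }
    return check(now, base)


if __name__ == "__main__":
    for name, (growth, hits, appended) in run_demo().items():
        print(f"{name}: +{growth} bytes, in range of: {hits or 'none'}, "
              f"entry in appended region: {appended}")
```

The growth ranges overlap (a 3,080-byte increase fits both Girafe and
Coffeeshop 4), so the size alone only narrows the candidates; the
hash mismatch is the finding, and the directory timestamp, which none
of these viruses touch, is of no help. COMMAND.COM is worth including
in the baseline even though Girafe skips it, since Beethoven and the
Civil War variants do not.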
Other virus(es) which use the TPE engine are:
Beethoven: The Beethoven virus was submitted in March, 1994. It
is a memory resident infector of .COM and .EXE programs. Its
size at the top of system memory but below the 640K DOS
boundary is 2,048 bytes, hooking interrupts 1C and 21. Once
memory resident, it infects .COM and .EXE programs when they
are executed or opened, as well as COMMAND.COM when the first
infected program is executed. Infected programs will have a
file length increase of approximately 1,718 - 1,745 bytes with
the virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text string is encrypted within the
Beethoven viral code in all infected programs:
"Beethoven is here.... And now, enjoy the music..."
The following text string is visible within the viral code in
all infected programs:
"EMS Version Page Frame Mappable Pages"
Beethoven may play music on the system speaker.
Origin: Unknown March, 1994.
Bosnia: The Bosnia virus was submitted in September, 1993. It is
a memory resident infector of .COM and .EXE programs. Its
size at the top of system memory but below the 640K DOS
boundary is 9,216 bytes, hooking interrupt 21. Once memory
resident, it infects .COM and .EXE programs, but not
COMMAND.COM, when they are executed. Infected programs will
have a file length increase of approximately 3,146 - 3,245
bytes with the virus being located at the end of the file.
The program's date and time in the DOS disk directory listing
will not be altered. The following text strings are encrypted
within the Bosnia viral code in all infected programs:
"HELP BOSNIA, BEFORE IT'S TOO LATE!"
"[ MK / TridenT ]"
"[TPE 1.4]"
Bosnia doesn't appear to do anything besides replicate.
Origin: Unknown September, 1993.
Civil War IV v1.1: A later variant of the Civil War virus,
Civil War IV v1.1 is a non-resident, direct action infector
of .COM programs, including COMMAND.COM. It infects one
.COM program in the current directory each time an infected
program is executed. Infected programs will have a file
length increase of 2,018 - 2,127 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the Civil War
IV v1.1 viral code in all infected programs:
"Civil War IV v1.1, (c) Jan '93 *.com"
"For all i've seen has changed my mind
But still the wars go on as the years go by
With no love of God or human rights
Cause all these dreams are swept aside
By bloody hands of the hypnotized
Who carry the cross of homicide
And history bears the scars of our Civil Wars."
"[ DH / TridenT ] [ MK / TridenT ]"
"[TPE 1.3]"
Origin: The Netherlands March, 1993.
Civil War V v1.0: A later variant of the Civil War IV v1.1
virus, Civil War V v1.0 is a memory resident infector
of .COM programs, including COMMAND.COM. This virus becomes
memory resident at the top of system memory, but below the
640K DOS boundary, when the first infected program is
executed, hooking interrupt 21. Total system and available
free memory, as indicated by the DOS CHKDSK program, will
have decreased by 8,192 bytes. Once resident, it infects
.COM programs when they are executed. Infected programs will
have a file length increase of 2,068 - 2,161 bytes with the
virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text strings are encrypted within the
Civil War V v1.0 viral code in all infected programs:
"Civil War IV v1.0, (c) Jan '92"
"DH[ DH / TridenT ][ MK / TridenT ]"
"[TPE 1.3"
Origin: The Netherlands March, 1993.
Coffeeshop 4: Received in June, 1993, Coffeeshop 4 is a memory
resident infector of .COM programs which uses the TPE engine
for its encryption. It is based on the Coffeeshop viruses
which were encrypted with the Dark Avenger Mutating Engine.
It becomes memory resident at the top of system memory but
below the 640K DOS boundary when the first infected program
is executed. Total system and available free memory, as
indicated by the DOS CHKDSK program, will have decreased by
8,960 bytes, and interrupt 21 will be hooked. Once resident,
it infects .COM and .EXE programs, other than COMMAND.COM, when
they are executed, adding 3,043 - 3,139 bytes to their
length. The virus is located at the end of infected files.
The following text string is found within the virus, though it
is not visible in infected programs:
"Amsterdam = COFFEESHOP! ="
Origin: Amsterdam, The Netherlands June, 1993.