EkoTerror Virus


 Virus Name:  EkoTerror 
 Aliases:    
 V Status:    Rare 
 Discovered:  December, 1992 
 Symptoms:    .COM file growth; master boot sector altered; decrease in 
              total system & available free memory; 
              file date/time seconds = 62 
 Origin:      Unknown 
 Eff Length:  2,000 Bytes 
 Type Code:   PRtCKX - Parasitic Resident .COM & Master Boot Sector 
              Infector 
 Detection Method:  AVTK, F-Prot, Sweep, ViruScan, NAV, ChAV, 
                    IBMAV, NAVDX, VAlert, PCScan, 
                    Sweep/N, NShld, AVTK/N, LProt, NAV/N, IBMAV/N, Innoc 
 Removal Instructions:  MDisk/P + Delete infected files 
 
 General Comments: 
       The EkoTerror virus was received in December, 1992.  Its origin or 
       point of isolation is unknown.  EkoTerror is a multi-partite stealth 
       virus which infects the hard disk master boot sector (partition 
       table) and .COM programs, including COMMAND.COM. 
 
       When the first EkoTerror infected program is executed, the EkoTerror 
       virus will infect the system hard disk's master boot sector.  A copy 
       of the original master boot sector will be stored at Side 0, 
       Cylinder 0, Sector 5.  The EkoTerror virus will then overwrite the 
       original master boot sector location (Side 0, Cylinder 0, Sector 1) 
       and the following three sectors.  EkoTerror will not become memory 
       resident at this time. 
 
       The next time the user boots the system from the system hard disk, 
       the EkoTerror virus will become memory resident at the top of system 
       memory but below the 640K DOS boundary, lowering the memory size 
       returned by interrupt 12. 
       Total system and available free memory, as indicated by the 
       DOS CHKDSK program, will have decreased by 2,048 bytes.  Interrupt 21 
       will be hooked by the EkoTerror virus. 
 
       Once the EkoTerror virus is memory resident, it will infect the 
       target .COM file when .COM programs are copied.  It does not infect 
       programs on execution or open.  Infected programs will have a file 
       length increase of 2,000 bytes, though the file length increase will 
       be hidden when the virus is memory resident.  The virus is located at 
       the beginning of the file.  The seconds field in the file date/time 
       in the DOS disk directory listing will be set to "62".  The file time 
       may not appear when the directory is listed with EkoTerror in memory. 
       No text strings are visible within the viral code. 
 
       The EkoTerror virus is a full stealth virus, disinfecting programs 
       when they are loaded into memory.  As a result, checksumming programs 
       and anti-viral programs which are unaware of the virus will not 
       detect its presence when it is memory resident. 
 
       It is unknown what EkoTerror does besides replicate. 
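
The seconds marker described above can be looked for in raw directory data taken from a disk image examined offline, since the entry notes that the virus hides its changes while it is resident. The Python below is an added example, not part of the original entry. It assumes standard 32-byte FAT directory entries, and the sample entries, file sizes and helper names are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32
MARKER_SECONDS = 62   # seconds value the entry reports for infected files

def decode_time(raw):
    """Split a 16-bit FAT time word into (hour, minute, seconds)."""
    # The low 5 bits store seconds/2, so the field can hold 0..62.
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def scan_directory(data):
    """Return (name, size, time) for .COM entries whose seconds field is 62."""
    hits = []
    for off in range(0, len(data) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = data[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:                      # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:  # deleted, label or subdirectory
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        time_raw, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        h, m, s = decode_time(time_raw)
        if ext == "COM" and s == MARKER_SECONDS:
            hits.append((f"{name}.{ext}", size, f"{h:02d}:{m:02d}:{s:02d}"))
    return hits

def make_entry(name, ext, size, h, m, s, attr=0x20):
    """Build one constructed 32-byte directory entry for the sample data."""
    time_raw = (h << 11) | (m << 5) | (s // 2)
    date_raw = ((1992 - 1980) << 9) | (12 << 5) | 1
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack("<HHHI", time_raw, date_raw, 2, size))

# Constructed sample directory: one marked .COM file, one clean .COM file,
# a non-.COM file and a subdirectory carrying the same seconds value.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 49845, 5, 0, 62),
    make_entry("FORMAT", "COM", 22717, 5, 0, 0),
    make_entry("NOTES", "TXT", 512, 9, 30, 62),
    make_entry("TOOLS", "", 0, 9, 30, 62, attr=0x10),
]) + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for hit in scan_directory(SAMPLE_DIR):
        print(hit)
```

A hit is an indicator to investigate, not proof of this particular virus.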
