Virus Name: EkoTerror
V Status: Rare
Discovered: December, 1992
Symptoms: .COM file growth; master boot sector altered; decrease in
total system & available free memory;
file date/time seconds = 62
Eff Length: 2,000 Bytes
Type Code: PRtCKX - Parasitic Resident .COM & Master Boot Sector
Detection Method: AVTK, F-Prot, Sweep, ViruScan, NAV, ChAV,
IBMAV, NAVDX, VAlert, PCScan,
Sweep/N, NShld, AVTK/N, LProt, NAV/N, IBMAV/N, Innoc
Removal Instructions: MDisk/P + Delete infected files
The EkoTerror virus was received in December, 1992. Its origin or
point of isolation is unknown. EkoTerror is a multi-partite stealth
virus which infects the hard disk master boot sector (partition
table) and .COM programs, including COMMAND.COM.
When the first EkoTerror infected program is executed, the EkoTerror
virus will infect the system hard disk's master boot sector. A copy
of the original master boot sector will be stored at Side 0,
Cylinder 0, Sector 5. The EkoTerror virus will then overwrite the
original master boot sector location (Side 0, Cylinder 0, Sector 1)
and the following three sectors. EkoTerror will not become memory
resident at this time.
The next time the user boots the system from the system hard disk,
the EkoTerror virus will become memory resident at the top of system
memory but below the 640K DOS boundary, moving interrupt 12's return.
Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 2,048 bytes. Interrupt 21
will be hooked by the EkoTerror virus.
Once the EkoTerror virus is memory resident, it will infect the
target .COM file when .COM programs are copied. It does not infect
programs on execution or open. Infected programs wil have a file
length increase of 2,000 bytes, though the file length increase will
be hidden when the virus is memory resident. The virus is located at
the beginning of the file. The seconds field in the file date/time
in the DOS disk directory listing will be set to "62". The file time
may not appear when the directory is listed with EkoTerror in memory.
No text strings are visible within the viral code.
The EkoTerror virus is a full stealth virus, disinfecting programs
when they are loaded into memory. As a result, checksumming programs
and anti-viral programs which are unaware of the virus will not
detect its presence when it is memory resident.
It is unknown what EkoTerror does besides replicate.