===== Computer Virus Catalog 1.2: "Tequila" Virus (15-July-1991) =====
Entry.................. "Tequila" Virus
Alias(es).............. ---
Strain................. ---
Detected: when......... April 1991
          where........ Steinhausen, Switzerland
Classification......... Memory-resident Program AND System Infector,
                        Stealth, complex Self-Encryption Virus
Length of Virus........ EXE-Files: 2,468 Bytes
                        System: 6 sectors (including original MBR)
                        Memory: 3 kBytes
======================= Preconditions ================================
Operating System(s).... MS/PC-DOS
Version/Release........ 2.00 and upwards
Computer models........ All IBM PC compatibles.
======================= Attributes ===================================
Easy identification.... A text is contained in the 2nd sector AFTER the
                        last sector of the first active partition. This
                        text is also displayed if INT 21h is called with
                        AX = FE03h. The text is:
                        "Welcome to T.TEQUILA's latest production
                        Contact T.TEQUILA/P.o.Box 543/6312 St'hausen/
                        Switzerland. Loving thoughts to L.I.N.D.A
                        BEER and TEQUILA forever !"
                        There will be a gap of 6 sectors between the
                        active partition and the next one.
Type of infection...... The virus infects EXE files as well as the
                        Master Boot Record and becomes resident.
                        Memory: when an infected EXE-file is executed,
                        the virus makes itself memory resident (at TOM).
                        EXE-Files: the virus appends 2468 bytes when
                        infecting a file. The code segment and offsets
                        in the EXE header are changed to point to the
                        virus. In some cases, the stack segment is
                        modified so that the virus will not be
                        overwritten in memory. The growth of infected
                        files is invisible while the virus is resident
                        in memory, due to its stealth technique. The
                        virus sets the file's time stamp to read 62
                        seconds and changes the checksum in the EXE
                        header to one of a finite set of values. No
                        EXE-files with "SC" or "V" in the name are
                        infected (thus excluding most antivirus
                        programs).
                        EXE-File encryption: the virus is encrypted in
                        the file; it selects 1 of 3 possible encryption
                        algorithms and 1 of 2 methods to implement it.
                        Moreover, a random amount of random junk code
                        is inserted between instructions. Therefore,
                        no scan signature is valid. The encryption
                        routine uses itself as the key (which makes
                        debugging rather tricky).
                        Master Boot Record: the virus reduces the
                        active partition's size by 6 sectors and
                        inserts into this space the original MBR and
                        the entire virus. The original MBR is patched
                        with virus code. The virus is not encrypted in
                        the MBR. The virus' stealth method intercepts
                        Read/Write to the MBR and makes the original
                        MBR available.
                        No Boot Sector infection.
Infection trigger...... The virus will infect the MBR ONLY when started
                        from a file. After the next system start, the
                        virus will infect files from memory.
Media affected......... Files can be infected on all media. The MBR is
                        ONLY infected on hard disk, not on floppies.
Interrupts hooked...... Interrupt 21h function 4Bh (LOAD/EXEC) is used
                        to infect files; Interrupt 21h functions 11h,
                        12h, 4Eh, 4Fh, and Interrupt 13h are used to
                        mask its operation; Interrupt 21h function
                        FE02h is the virus' memory installation check;
                        Interrupt 21h function FE03h displays the
                        message.
Damage................. Transient Damage: at a certain time/date, the
                        virus will display a fractal at program
                        termination of any file, even if not infected.
                        Permanent Damage: the virus searches for files
                        that have been given a validation string by
                        McAfee's Scan and destroys such files.
Damage trigger......... The fractal is displayed at program termination
                        after a certain time; but there seems to be a
                        bug in the code somewhere so that it is not
                        executed "normally". The strings are patched
                        at any time.
Particularities........ 1) Like the 1260, V2P2 and V2P6 viruses, the
                        virus tries to avoid being scanned for.
                        Generally, the virus authors seem to know
                        contemporary virus developments; techniques of
                        older viruses (SHOE-B) and recent stealth
                        methods are used, but the encryption methods
                        have no ancestors.
                        2) The virus spread rapidly in Europe when an
                        infected game was downloaded to a shareware
                        BBS. Two authors (18 and 21 years) were
                        examined soon after detection by Swiss police.
Similarities........... ---
======================= Agents =======================================
Countermeasures........ ---
- ditto - successful.. Solomon's Toolkit vers. 5 and Morton Swimmer's
                        NTIteq will find and disinfect TEQUILA. Michael
                        Weiner's inoculator ATEQUILA prevents Tequila
                        infection.
Standard Means......... ---
======================= Acknowledgements =============================
Location............... Virus Test Center, University of Hamburg, FRG
Classification by...... Morton Swimmer
Documentation by....... Morton Swimmer
Date................... 15-July-1991
Information source..... Michael Weiner's trace of the virus
                        Further information: Morton Swimmer's evaluation
======================= End of "Tequila" Virus ========================
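Two of the identification features recorded in the entry above can be checked offline with a few lines of code: the 6-sector gap the virus leaves between the end of the active partition and the start of the next one, and the 62-second file time stamp it writes. The following is an added example in Python; it is not part of the catalog entry and not one of the tools it names. The MBR partition-table layout and the FAT/DOS time encoding it relies on are standard; the disk images and time words it inspects are constructed here for the demonstration.

```python
"""Defender-side checks for two Tequila identification features
(added example, not catalog code).

Heuristic 1: exactly 6 unused sectors between the end of the active
             partition and the start of the following partition.
Heuristic 2: a DOS file time whose seconds field decodes to 62.  FAT
             stores seconds/2 in five bits, so 0..29 (0..58 s) is the
             valid range and 62 s is only reachable by deliberate
             patching of the directory entry.
"""
import struct

PART_TABLE_OFFSET = 0x1BE       # start of the four 16-byte MBR entries
PART_ENTRY_SIZE = 16
TEQUILA_GAP_SECTORS = 6         # value given in the catalog entry


def parse_partition_table(mbr: bytes):
    """Return (bootable, type, lba_start, sector_count) for each used
    entry of a classic MBR; empty entries (type 0) are skipped."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55AA signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        entry = mbr[off:off + PART_ENTRY_SIZE]
        boot_flag, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            parts.append((boot_flag == 0x80, ptype, lba_start, count))
    return parts


def active_partition_gap(mbr: bytes):
    """Unused sectors between the end of the active partition and the
    start of the next partition; None if no partition follows it."""
    parts = parse_partition_table(mbr)
    active = [p for p in parts if p[0]]
    if not active:
        return None
    _, _, start, count = active[0]
    end = start + count                     # first LBA after the partition
    following = sorted(p[2] for p in parts if p[2] >= end)
    if not following:
        return None
    return following[0] - end


def tequila_gap_suspected(mbr: bytes) -> bool:
    return active_partition_gap(mbr) == TEQUILA_GAP_SECTORS


def dos_time_seconds(dos_time: int) -> int:
    """Seconds field of a 16-bit FAT time word (bits 0-4 hold seconds/2),
    so a stored field value of 31 reads as 62 seconds."""
    return (dos_time & 0x1F) * 2


def timestamp_suspected(dos_time: int) -> bool:
    return dos_time_seconds(dos_time) == 62


def build_mbr(entries):
    """Construct a minimal MBR image (constructed test data, not a real
    disk) from (bootable, type, lba_start, sector_count) tuples."""
    mbr = bytearray(512)
    for i, (bootable, ptype, start, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        mbr[off] = 0x80 if bootable else 0x00
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed samples: a clean layout whose second partition starts right
# after the first, and one whose active partition is 6 sectors short.
CLEAN_MBR = build_mbr([(True, 0x06, 63, 20_000), (False, 0x06, 20_063, 30_000)])
SUSPECT_MBR = build_mbr([(True, 0x06, 63, 19_994), (False, 0x06, 20_063, 30_000)])

# Constructed DOS time words: 12:34:20 (field 10) and 12:34:62 (field 31).
NORMAL_TIME = (12 << 11) | (34 << 5) | 10
SUSPECT_TIME = (12 << 11) | (34 << 5) | 31

if __name__ == "__main__":
    print("clean gap:", active_partition_gap(CLEAN_MBR), tequila_gap_suspected(CLEAN_MBR))
    print("suspect gap:", active_partition_gap(SUSPECT_MBR), tequila_gap_suspected(SUSPECT_MBR))
    print("normal time flagged:", timestamp_suspected(NORMAL_TIME))
    print("suspect time flagged:", timestamp_suspected(SUSPECT_TIME))
```

Both checks only mean something when run against data the resident virus cannot filter: the entry records that the stealth routine intercepts Read/Write of the MBR and hands back the original, and that file growth is hidden while the virus is in memory. Read the MBR and directory entries from a clean boot or from an offline disk image, not from a running system that may already be infected.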