bash.324
Description:
Bash.3241
These are dangerous memory-resident polymorphic parasitic viruses. They hook INT 21h and write themselves to the end of COM and EXE files that are executed or opened. The viruses also affect ARJ archives, inserting an infected dropper file into them. The viruses use many anti-debugging tricks; these are buggy and often halt the system.
The viruses perform several actions intended to disable anti-virus software. First, while installing themselves memory-resident, they look for the TBAV anti-virus driver in memory and disable it. They also look for anti-virus data files and delete them:
ANTI-VIR.DAT CRC.SVS MSAV.CHK \BOOT.MS
ANTIVIR.DAT CRC_.SVS SMARTCHK.CPS \BOOT.NTZ
ANYCHECK.VAL FILES.VVL TBUTIL.DAT \BOOT.TAV
AVP.CRC FINGERP.VVF ZZ##.IM \IV.INI
CHKLIST.CPS IM.PRM _ADINF.INI \PART.NTZ
CHKLIST.MS IVB.INI \AV.CRC VIRSORT.DAT
CHKLIST.TAV IVB.NTZ \BOOT.CPS \TBUTIL.DAT
The viruses also patch the AVP 2.x package if it is installed. They create the BIZATCH.AVB database in the AVP directory and register it in the AVP.SET file. See "Anti-AVP" for more details.
From September 17th until October the viruses attempt to erase disk sectors and display a picture, but fail because of a bug. The picture looks as follows:
all. NO! ... ... MNO! ...
..... MNO!! ...................... MNNOO! ...
..... MMNO! ......................... MNNOO!! .
.... MNOONNOO! MMMMMMMMMMPPPOII! MNNO!!!! .
... !O! NNO! MMMMMMMMMMMMMPPPOOOII!! NO! ....
...... ! MMMMMMMMMMMMMPPPPOOOOIII! ! ...
........ MMMMMMMMMMMMPPPPPOOOOOOII!! .....
........ MMMMMOOOOOOPPPPPPPPOOOOMII! ...
....... MMMMM.. OPPMMP .,OMI! ....
...... MMMM:: o.,OPMP,.o ::I!! ...
.... NNM:::.,,OOPM!P,.::::!! ....
.. MMNNNNNOOOOPMO!!IIPPO!!O! ..... ,
... MMMMMNNNNOO:!!:!!IPPPPOO! .... ***** ================-
.. MMMMMNNOOMMNNIIIPPPOO!! ...... AuRoDrEpH.....
...... MMMONNMMNNNIIIOO!.......... The Drow
....... MN MOMMMNNNIIIIIO! OO .......... Was Back !!!
......... MNO! IiiiiiiiiiiiI OOOO ...........
...... NNN.MNO! . O!!!!!!!!!O . OONO NO! ........
.... MNNNNNO! ...OOOOOOOOOOO . MMNNON!........
...... MNNNNO! .. PPPPPPPPP .. MMNON!........
...... OO! ................. ON! .......
The viruses also delete disk files. In the root directories of all available logical drives they delete the "?????x??.*" files, where "x" is the drive's letter. They also look for the \SYSTEM\IOSUBSYS\HSFLOP.PDR file in the Windows directory and delete it.
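The following is an added impact-assessment example, not code from the original description: it takes the list of anti-virus data files named above and the root-directory mask "?????x??.*", and reports which files in a directory listing would be affected. The mask is translated to a regex under the assumption of classic DOS matching, where "?" also matches the space padding at the end of an 8.3 name part, so base names of 6 to 8 characters with the drive letter in position 6 all match. The directory listings are constructed sample data.

```python
import re
from typing import Iterable

# Anti-virus integrity/data files the description says the virus deletes
# (copied from the list above). Entries beginning with "\" are root-directory paths.
TARGETED_AV_FILES = [
    "ANTI-VIR.DAT", "CRC.SVS", "MSAV.CHK", "\\BOOT.MS",
    "ANTIVIR.DAT", "CRC_.SVS", "SMARTCHK.CPS", "\\BOOT.NTZ",
    "ANYCHECK.VAL", "FILES.VVL", "TBUTIL.DAT", "\\BOOT.TAV",
    "AVP.CRC", "FINGERP.VVF", "ZZ##.IM", "\\IV.INI",
    "CHKLIST.CPS", "IM.PRM", "_ADINF.INI", "\\PART.NTZ",
    "CHKLIST.MS", "IVB.INI", "\\AV.CRC", "VIRSORT.DAT",
    "CHKLIST.TAV", "IVB.NTZ", "\\BOOT.CPS", "\\TBUTIL.DAT",
]


def root_pattern(drive_letter: str) -> re.Pattern:
    """Regex equivalent of the DOS mask "?????x??.*" for drive letter x.

    Assumption: classic DOS semantics, where "?" matches one character or the
    space padding at the end of the 8.3 name part. Positions 1-5 must therefore
    be real characters, position 6 is the drive letter, and 0-2 further
    characters may follow; ".*" allows any extension, including none.
    """
    x = re.escape(drive_letter.upper())
    name_char = r"[^.\\/:]"
    return re.compile(rf"^{name_char}{{5}}{x}{name_char}{{0,2}}(\.{name_char}*)?$")


def files_at_risk(drive_letter: str, root_listing: Iterable[str]) -> list[str]:
    """Files in a root-directory listing that the mask would select for deletion."""
    pat = root_pattern(drive_letter)
    return sorted(n for n in root_listing if pat.match(n.upper()))


def av_files_present(listing: Iterable[str]) -> list[str]:
    """Which of the targeted anti-virus data files appear in a listing.

    One of these files disappearing between two snapshots is an indicator
    consistent with the behaviour described above.
    """
    names = {n.upper().lstrip("\\") for n in listing}
    targets = {t.lstrip("\\") for t in TARGETED_AV_FILES}
    return sorted(targets & names)


def av_files_removed(before: Iterable[str], after: Iterable[str]) -> list[str]:
    """Targeted anti-virus data files present in `before` but absent from `after`."""
    return sorted(set(av_files_present(before)) - set(av_files_present(after)))


# Constructed sample listing of a C: root directory (not taken from a real system).
SAMPLE_ROOT_C = [
    "IO.SYS", "MSDOS.SYS", "COMMAND.COM", "AUTOEXEC.BAT", "CONFIG.SYS",
    "BUDGEC01.XLS",   # 5 chars + "C" + "01": matches on drive C
    "NOTESC.TXT",     # 5 chars + "C", nothing after: matches via "?" padding rule
    "REPRTC99",       # matches on drive C, no extension
    "BUDGED01.XLS",   # drive letter "D" in position 6: matches only on drive D
    "CHKLIST.MS",     # an MSAV integrity file from the targeted list
]

if __name__ == "__main__":
    print("At risk on C:", files_at_risk("C", SAMPLE_ROOT_C))
    print("At risk on D:", files_at_risk("D", SAMPLE_ROOT_C))
    print("AV data files present:", av_files_present(SAMPLE_ROOT_C))
```

A snapshot diff with `av_files_removed` is the practical use: integrity checkers such as MSAV or AVP keep these files beside the programs they protect, so their silent disappearance, combined with the root-directory deletions, is worth alerting on even before the body is identified.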
The viruses contain the text strings:
CARO: Please label this creation Hare.Little_Brother :-) or if you
want BSHME.Buggy.7xxx - This version is for educational purpose only!
Greetx to all virus writers! Still buggy but it works...
-=[ 1996 ]=-
-=[ U$A ]=-
-=[ BSHME ]=-
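As an added example (not part of the original description), the text strings above can serve as static markers for triage. The scanner below reports the offset of every marker found in a buffer and classifies the buffer when at least two distinct markers are present. The sample buffer is constructed, and the XOR masking stands in for the polymorphic encryption layer rather than reproducing the virus's real scheme: it shows the practitioner's caveat that these strings are only visible in a decrypted body (for example a memory dump taken while the virus is resident), not in the encrypted copy appended to an infected file.

```python
from typing import Iterable

# Marker strings quoted in the description above.
MARKERS = [
    b"Hare.Little_Brother",
    b"BSHME.Buggy",
    b"-=[ BSHME ]=-",
    b"AuRoDrEpH",
]


def find_markers(data: bytes, markers: Iterable[bytes] = MARKERS) -> dict[bytes, list[int]]:
    """Return every offset at which each marker occurs in data.

    Only markers that occur at least once appear in the result.
    """
    hits: dict[bytes, list[int]] = {}
    for marker in markers:
        offsets = []
        start = 0
        while (i := data.find(marker, start)) != -1:
            offsets.append(i)
            start = i + 1
        if offsets:
            hits[marker] = offsets
    return hits


def classify(data: bytes, min_markers: int = 2) -> str:
    """'match' when at least min_markers distinct markers are present, else 'no match'."""
    return "match" if len(find_markers(data)) >= min_markers else "no match"


def xor_mask(data: bytes, key: int) -> bytes:
    """Constructed stand-in for an encryption layer; not the virus's real polymorphic scheme."""
    return bytes(b ^ key for b in data)


# Constructed sample: filler bytes with two of the quoted strings embedded,
# standing in for a decrypted body as it would appear in memory.
SAMPLE_PLAIN = (
    b"\x90" * 40
    + b"CARO: Please label this creation Hare.Little_Brother :-)"
    + b"\x00" * 16
    + b"-=[ BSHME ]=-"
    + b"\xcc" * 20
)

if __name__ == "__main__":
    print("decrypted body:", classify(SAMPLE_PLAIN), find_markers(SAMPLE_PLAIN))
    # The same bytes under a trivial mask: the static scan no longer sees the strings.
    print("masked body:   ", classify(xor_mask(SAMPLE_PLAIN, 0x5A)))
```

Requiring two distinct markers rather than one keeps a lone greeting string in an unrelated file from producing a hit; the offsets are kept so that an analyst can jump straight to the text block in a dump.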
Copyright @2006 bash.324