Unknown Virus Analysis

I have recently discovered a not-yet-released virus. It isn’t spyware,
malware, greyware, trojans, hijackers, keyloggers, bugs, backdoors,
rootkits, exploits, pranks, it is a virus. It isn’t in your virus
database, of course, nor is it in any other AntiVirus database, for
that matter, because it hasn’t been released yet. I expect it will be
released in about 3 to 4 months, though I cannot be certain.
Here is my analysis, [EDIT: I have removed the virus code for obvious security reasons] then the actual virus code, which I have been
fortunate enough to come across, because this is a very dangerous
virus:

Statistics:
Name: Rendezvous

Author: Lerxadane

Version: 1.0

Suggested AV Name: BAT.Rendezvous.10

File Extension: .bat or .cmd

Installation: Installs through registry as “adminit”

Registry Startup: HKEY_Local_Machine_Run as “explorer”

Additional Startup: Autoexec.bat, Winstart.ini, Startup Folder, ActiveX Key, System.ini, and win.ini

Shell Spawning: .exe files, .bat files, .pif files, .com files, .cmd files, and .scr files

Drive Infection: Infects ALL Drives, including remote drives

File Infection: .bat, .vbs, .htm, .cmd, .vbe, .html, .lnk, .js, .asp, .pif, .jse, .cgi, .reg, and .htx files

Infection Type: Prepends the virus body to file

Macro Infection: MS Word, and MS Excel on opening, sets protection to low, and hides the macro menu

Additional Infection: Infects autorun.inf, copies to virtual drive, copies to undeletable folder, infects desktop.ini, and infects Drive A:

System Damages: causes system crash, disables the keyboard and the mouse, causes cursor to act crazy on-screen, causes screen itself to act crazy, causes the floppy drive to act crazy, and causes an infinite loop crash

File Damages: Overwrites ALL Files with the virus body

Other Damages: creates lots of files and folders in the %windir% directory

Spreading via email: searches for addresses in files, outlook databases, adds itself to outgoing emails, and adds itself to incoming emails

Other Spreading: Morpheus, Kazaa, Kazaa Lite, KMD, eDonkey, eMule, Overnet, Applejuice, Bear Share, LimeWire, ICQ Shared, Grokster, mIRC, pIRC, and vIRC

Drive Sharing: Uses hidden drive sharing

Anti-Detection: Mutamorphic, Polymorphic, Execution Hiding, has fake bytes, uses execution control, and kills all known AVs

Encryption: uses Random Encryption, Reverse Encryption, and it Mutates the password

[EDIT: Melih, if you want the full code, in its original form, then either send your email address to me personally, or post it. For obvious security reasons, 1) I am not going to post it here, and 2) If you want it emailed, then I’ll send it in a .txt file.] You know what, this is stupid, writing all this code. Melih, if you want the full code, just post your email address, and I’ll send it to you. This code goes on forever!

I will be announcing many not-yet-released viruses, as I have many very accurate and informative ways of finding out!

Hi wackysystems

Thanks for that.
Please PM it to me.
thanks
Melih

There I’ve PM’ed you. Hee, hee, hee, I said PM’ed! That sounds funny. OK, sorry. It sometimes (very rarely), takes me a couple hours to respond, because I am very Pro-Active against computer threats. I have my own office of 7 computers, so that I can discover new computer threats, and help prevent them.

wow… I wish we had many people like you wackysystems. This would make the internet a much safer place for the rest of the internet population.

Please keep it coming
thanks
Melih

Greetings,

Good you don’t post the code on the forums, it might be abused by some people.
Anyways, keep up the good work with finding new viruses!

Ragwing

I’ll try and help to give new info on coming viruses. By the way, I specialize in executable internet threats, like viruses, trojans, worms, things like that. Oh, yes, and by the way, I think I’ve found a new trojan, but I’m not sure. I’ll post the specs in an hour or two. You see, I can analyze them pretty quickly. You see, I’ve designed, with a bit of help, mind you, a program in C++ that actually helps analyze the code and says what it does. Now of course, many people can analyze batch files, that’s pretty easy, but other languages take longer. I used to work with Kaspersky AntiVirus, but I decided I wanted to help a free company. I try to catch as many viruses as possible before they’re released, but that is hard. Sometimes I catch them the day they come out, and sometimes I catch them a few days after, unfortunately.

There, Melih, I have sent you the e-mail. Ragwing, since you work for Comodo too, then I will send you the original, full code file if you wish via e-mail, which you will need to tell me via Personal Message. Of course, Melih could probably send you the code file. Notice that I keep saying code file, not virus. That is because I save all the viruses as .txt files for safety reasons, which means I send you the .txt file. For every code file I send to you, I will always tell you the original extension, so that you can rename it to the correct extension to have the truly original virus.

I said I will have the Trojan analysis in an hour or two, so here it is:

Name of Trojan: hellogoodbye
Name of Author: hellboy
Suggested AV Name: BAT.hellogoodbye.trojan
HD Damages: Formats drive C:, and Formats drive D:
Format Process: via Registry
File Damages: Overwrites every file with trojan body
Startup: via autoexec.bat, and via win.ini
Hiding Procedures: has Fake bytes, and Encrypted

Melih, would you like me to e-mail you the code file?

Actually, I don’t work for Comodo :wink:

Ragwing

Ragwing-
Even if you’re not working for Comodo, I still trust you.

Thanks for trusting me.
But I’m only 15 so I don’t have any experience in programming, which means I don’t have any use for the code.
I don’t say you can’t trust me, but you shouldn’t just trust anyone on the Internet that you just met; people might act nice, but in fact they might be pedophiles, hackers or something else.
What I’m saying is, don’t just give the code to anyone that seems nice :wink:

Ragwing

Well, I’m only 13 yr. old. Anyway, you’re a moderator on a security forum! If you were a hacker, or something, that would be an oxymoron! Plus, I’ve read a lot of your posts, and you don’t seem like any hacker or virus producer or anything. Also, I have a ton of experience in programming. You see, my dad graduated from MIT, and put me on a computer at the age of 2, seriously. I have been building computers, fixing computers and programming computers since the age of 10. I just wanted to say that because when computer experts find out that I’m only 13, they don’t trust me with computers, and think I don’t know anything. Thank you.

I’m not a moderator. Regular users (like me) got stars under their name, moderators got silver medals and administrators got gold medals.

That’s exactly what I meant. I might not act like one, but I might be one.
Anyways, instead of going off-topic (as this topic is about your newly discovered viruses), PM me if you want something :slight_smile:

Ragwing

Oh, OK, I see, I never really paid attention. OK, well I only give the code to security companies like Comodo and Kaspersky. And have you noticed that I didn’t post the code? I gave it to Melih and I knew Melih was staff because Melih has a whole section, called Melih’s Corner, and only admins can have an entire section like that. Anyway, you’re right, this is getting off-topic.

By the way, what do you have to do to be “Comodo’s Hero”?

You’ll need 200 posts for 5 stars and ‘Comodo’s Hero’.
If you have some more questions, please PM me (or someone else) or post a new topic :wink:

Ragwing

OK, thank you.