Distributed By Amateur Virus Creation & Research Group (AVCR)
Name Of Virus: OOHLALA2
-----------------------------------------------------------------------------
Alias: None
-----------------------------------------------------------------------------
Type Of Code: Encrypted EXE & COM infector, Non-Mem-resident
-----------------------------------------------------------------------------
VSUM Information - (NONE)
-----------------------------------------------------------------------------
Antivirus Detection:

(1) ThunderByte Anti Virus (TBAV) reported infected files as "Possible Virus".

(2) Frisk Software's F-Protect (F-PROT) reported infected files as nothing.

(3) McAfee Software's Anti Virus (SCAN.EXE) reported infected files as nothing.

(4) Microsoft Anti Virus (MSAV.EXE) reported infected files as nothing.

-----------------------------------------------------------------------------
Execution Results:

Upon execution, it displays the following:

"Ohhhh La La!
Mommmy, Theyre Teasing me again
Shut up you little sonsuvbitches"

Then it plays a nice little tune.

Before the tune starts, it infects a total of 6 files, COM or EXE in any mix.

-----------------------------------------------------------------------------
Cleaning Recommendations: Delete infected files, or clean with TBAV (using its Anti-Vir.dat files).
-----------------------------------------------------------------------------
My Notes:

This virus is a non-resident infector of EXE & COM files, except Command.com.
It will not (that I found) infect files under 1K in size of either extension.
EXEs show up as 1960 larger than before, but COM files didn't until I
rebooted the PC... (?) Maybe my PC glitched... I dunno...

-----------------------------------------------------------------------------
Disassembly of the OOHLALA2 Virus
-----------------------------------------------------------------------------
I found all EXE files to contain this string...

"BF 10 01 06 1E 06 89 FE 81 EE 00 01 32 E4"

All COM files had....

"BF ?8 ?? 06 1E 06 89 FE 81 EE 00 01 32 E4"

So, just add this to your scanner... No problemo....

"06 1E 06 89 FE 81 EE 00 01 32 E4"
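As an added example (not part of the original AVCR writeup), here is a small Python scanner that applies the three byte strings quoted above to a file buffer, including the COM pattern's partial-byte wildcards ("?8" matches any high nibble, "??" any byte). The sample buffers are constructed filler, not real infected files.

```python
# Added example, not from the writeup: scan a buffer for the OOHLALA2 byte strings
# above, honouring nibble wildcards ("?8" = any high nibble, "??" = any byte).
from typing import List, Optional, Tuple

# Signatures quoted in the writeup; each token is one hex byte, '?' is a wildcard nibble.
SIGNATURES = {
    "OOHLALA2.EXE": "BF 10 01 06 1E 06 89 FE 81 EE 00 01 32 E4",
    "OOHLALA2.COM": "BF ?8 ?? 06 1E 06 89 FE 81 EE 00 01 32 E4",
    "OOHLALA2.generic": "06 1E 06 89 FE 81 EE 00 01 32 E4",
}

def parse_signature(text: str) -> List[Tuple[int, int]]:
    """Turn 'BF ?8 ??' into (value, mask) pairs; zero mask bits are wildcards."""
    pairs = []
    for tok in text.split():
        if len(tok) != 2:
            raise ValueError(f"bad signature token {tok!r}")
        value = mask = 0
        for nibble in tok:
            value <<= 4
            mask <<= 4
            if nibble != "?":
                value |= int(nibble, 16)
                mask |= 0xF
        pairs.append((value, mask))
    return pairs

def find_signature(data: bytes, sig: List[Tuple[int, int]]) -> Optional[int]:
    """Offset of the first match of sig in data, or None (short buffers never match)."""
    n = len(sig)
    for off in range(len(data) - n + 1):
        if all((data[off + i] & m) == v for i, (v, m) in enumerate(sig)):
            return off
    return None

def scan(data: bytes) -> List[Tuple[str, int]]:
    """Every signature that matches, with its offset."""
    hits = []
    for name, text in SIGNATURES.items():
        off = find_signature(data, parse_signature(text))
        if off is not None:
            hits.append((name, off))
    return hits

# Constructed sample buffers (not real infected files): filler with the quoted strings
# embedded, plus a near-miss buffer (one byte off) to check for false positives.
EXE_SAMPLE = b"MZ" + b"\x90" * 30 + bytes.fromhex("BF1001061E0689FE81EE000132E4") + b"\x00" * 8
COM_SAMPLE = b"\xE9\x10\x00" + bytes.fromhex("BF3812061E0689FE81EE000132E4") + b"\xCC" * 8
CLEAN_SAMPLE = bytes.fromhex("061E0689FE81EE000232E4")
```

Running `scan()` over a whole file finds the short generic string in both infected shapes; the two longer strings then tell EXE and COM infections apart.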
-----------------------------------------------------------------------------
'Till next time, I'm The W<><57>$<24>l, and you're not.......