69 lines
3.8 KiB
Plaintext
69 lines
3.8 KiB
Plaintext
Virus Name: PUREST
|
|
Aliases:
|
|
V Status: New, Research Viron
|
|
Discovery: July, 1994
|
|
Symptoms: None - Pure Stealth - Keyboard Key Lock is Disabled
|
|
Origin: USA
|
|
Eff Length: 439 Bytes
|
|
Type Code: OReE - Extended HMA Memory Resident Overwriting .EXE Infector
|
|
Detection Method: None
|
|
Removal Instructions: See Below
|
|
|
|
General Comments:
|
|
|
|
The PUREST virus is a HMA memory resident overwriting direct action
|
|
infector. The virus is a pure 100% stealth virus with no detectable
|
|
symptoms. No file length increase; overwritten .EXE files execute
|
|
properly; no interrupts are directly hooked; no change in file date or
|
|
time; no change in available memory; INT 12 is not moved; no cross
|
|
linked files from CHKDSK; when resident the virus cleans programs on
|
|
the fly; works with all 80?86 processors; VSAFE.COM does not detect
|
|
any changes; Thunder Byte's (v6.21) Heuristic virus detection does not
|
|
detect the virus; Windows 3.1's built in warning about a possible virus
|
|
does not detect PUREST.
|
|
|
|
The PUREST is a variation of the PUREPLUS virus. PUREST was completely
|
|
rewritten to avoid being able to use the same scan string as PUREPLUS.
|
|
PUREPLUS was detected with Thunder Byte's (v6.21) Heuristic scanning.
|
|
PUREST is not. PUREST will disable the keyboard key switch. PUREST
|
|
now works with Novell DOS 7.
|
|
|
|
The PUREST virus will only load if DOS=HIGH in the CONFIG.SYS file.
|
|
The first time an infected .EXE file is executed, the virus goes
|
|
memory resident in the HMA (High Memory Area). The hooking of INT 13
|
|
is accomplished using a tunnelling technique, so memory mapping
|
|
utilities will not map it to the virus in memory. It then reloads the
|
|
infected .EXE file, cleans it on the fly, then executes it. After the
|
|
program has been executed, PUREST will attempt to infect 15 .EXE
|
|
files in the current directory.
|
|
|
|
If the PUREST virus is unable to install in the HMA or clean the
|
|
infected .EXE on the fly, the virus will reopen the infected .EXE file
|
|
for read-only; modify the system file table for write; remove itself,
|
|
and then write the cleaned code back to the .EXE file. It then
|
|
reloads the clean .EXE file and executes it. The virus can not clean
|
|
itself on the fly if the disk is compressed with DBLSPACE or STACKER,
|
|
so it will clean the infected .EXE file and write it back. It will
|
|
also clean itself on an 8086 or 8088 processor.
|
|
|
|
It will infect an .EXE if it is executed, opened for any reason or
|
|
even copied. When an uninfected .EXE is copied, both the source and
|
|
destination .EXE file are infected.
|
|
|
|
The PUREST virus overwrites the .EXE header if it meets certain
|
|
criteria. The .EXE file must be less than 62K. The file does not
|
|
have an extended .EXE header. The file is not SETVER.EXE. The .EXE
|
|
header must be all zeros from offset 73 to offset 512; this is where
|
|
the PUREST virus writes it code. The PUREST virus then changes
|
|
the .EXE header to a .COM file. Files that are READONLY can also be
|
|
infected.
|
|
|
|
To remove the virus from your system, change DOS=HIGH to DOS=LOW in
|
|
your CONFIG.SYS file. Reboot the system. Then run each .EXE file
|
|
less than 62k. The virus will remove itself from each .EXE program
|
|
when it is executed. Or, leave DOS=HIGH in you CONFIG.SYS; execute
|
|
an infected .EXE file, then use a tape backup unit to copy all your
|
|
files. The files on the tape have had the virus removed from them.
|
|
Change DOS=HIGH to DOS=LOW in your CONFIG.SYS file. Reboot the
|
|
system. Restore from tape all the files back to your system.
|