Lubber Net


Seven Dust

Members of this family hit MDEF and INIT resources. Infected applications have an MDEF resource; the infected System has an INIT. There are seven known variants:

Variant .a

Only hits MDEF 666 and INIT 666 resources. Drops extension '666'. Size is 850 bytes.

Variant .b

Only hits MDEF 666 and INIT 666 resources. Drops extension '666'. Size is 1342 bytes.

Variant .c

Hits MDEF and INIT resources with random IDs (from 1 to 255). Drops extension '666'. Carries 'BACH' string for self-recognition. Size is 1576 bytes.

Variant .d

Hits MDEF and INIT resources with random IDs (from 1 to 255). Drops extension '666'. Carries 'BACH' string for self-recognition. Size is 2036 bytes.

Variant .e

Also known as the MDEF-E virus. Hits MDEF and INIT resources with random IDs. Carries the "JSBACH" string (apparently an abbreviation for Johann Sebastian Bach). When this variant infects an MBDF resource, it saves the resource's original contents in encrypted form along with the encrypted virus body.

Variants .f-.g

Hit MDEF and INIT resources with random IDs and carry the "JS" string for self-recognition. When these variants infect an MBDF resource, they save its original contents in encrypted form along with the encrypted virus body. They drop an extension named '\001Graphics Accelerator' or 'ExtensionConflicts', or introduce an INIT in the System file. The dropped extension file carries the virus body in the INIT 33 resource. These variants will modify the 'WIND' resource to complicate removal (the so-called symbiotic property). The 'MENU' resource is overwritten with the character 'f' (hexadecimal 66).

Note: Even though this virus strain used the '666' label, there is no reason to believe that it has any relation to the Spanish 29A virus-writing group (666 in hexadecimal is 0x29A).

Page last modified on January 01, 2007, at 02:38 AM
Last edited by snuckles.