
            Analysis for the new virus variant Predator.McFly
          -----------------------------------------------------

Name      : Predator.McFly
Origin    : Unknown, found by Thomas Geiger, +49-7742-6282, Germany
Date found: 11-28-1995
Detection : First detected using a dummy (bait) file, then disassembled.
            Not detected by McAfee SCAN 2.2.7, F-PROT 2.20.
            Detected by TBAV, but not identified correctly.
Length    : 1449 Bytes
Infects   : ONLY *.COM files, including COMMAND.COM.
            Infects files when they are executed by DOS.
            Non-overwriting virus, attaches itself to the end of the file.
            Uses a normal assembler jump (JMP) at the start of the host to
            reach the virus routine.
Others    : Takes 3072 bytes of memory from DOS, from the end of lower
            memory! Uses only 2912 of them.
            Adds 100 years to the file date for self-recognition!
            Hooks interrupts 13h, 16h, 1Ah, 21h!
            The time can't be changed any more! (Bug?)
            Stealth capability!
            The virus CAN NOT (!) infect systems running 4DOS!
            (The computer crashes!)
Damage    : The virus checks the screen for the string "etect:". When it
            finds this string, a file named COMMAND.DAT is opened and all
            keyboard input is written into that file. Logging ends when
            the virus finds the string " (J/N)" on the screen.
String    : BA C8 02 B1 (Not confirmed, only a local check on one
                        system, but 100% on that computer!)
            The following strings are NOT encrypted in the
            resident Virus (In Memory)
                "C:\COMMAND.DAT"
                "Predator virus2 (c) Sep. 95  Mc Fly"
                ".COM"
Removal   : No special method found so far. Delete ALL .COM files.

----------------------------------------------------------------------------

Additional analysis done by ROSE Softwareentwicklung, Ralph Roth

Virus received: 29-Dec-95

Description:    Predator is a memory resident stealth virus which infects
                .COM programs, including COMMAND.COM.  It does not infect
                very small .COM programs (below 800 bytes).

                When the first Predator infected program is executed, the
                virus installs itself memory resident at the top of
                system memory but below the 640K DOS boundary, lowering
                the top-of-memory value returned by interrupt 12h.  Total
                system and available free memory, as indicated by the DOS
                CHKDSK program, will have decreased by 2-3 KB depending on
                the variant.  Interrupts 13h and 21h are hooked by
                Predator in memory.  The virus contains code to slowly
                corrupt files by randomly altering bytes in read sectors.

                Once the Predator virus is memory resident, it infects
                .COM programs, including COMMAND.COM, when they are executed
                or opened for any reason.  The file's date and time in the
                DOS directory listing appear unaltered while the virus is
                resident, though 100 years have been added to the file
                date.  The virus body is located at the end of infected
                files.

Virus Strain:   Predator family (VSP+QMS identifies it in memory as
                Predator).  Predator is a virus written by Priest, a member
                of Phalcon/Skism.  It incorporates a number of stealth
                features and infects only COM files.  Predator uses the
                "Century" technique of marking an infection: file dates
                are bumped up 100 years to designate an infected file.
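The century mark can be checked directly in raw directory entries once the virus is not resident (e.g. after a clean boot), because the DOS date word stores the year as a 7-bit offset from 1980 and no legitimate mid-1990s file carries a year of 2080 or later. The following Python is an added example, not code from ROSE or VSP+QMS. The directory entries it scans are constructed here, and the wrap-around of the 7-bit year field after a 100-year addition is an assumption about the field width, not something the analysis above states.

```python
"""Detect Predator's "century" infection mark in raw FAT directory entries.
Added example; the directory below is constructed, not from a real disk."""
import struct

# FAT12/16 directory entry, 32 bytes, little-endian:
# name(8) ext(3) attr reserved(10) write-time write-date first-cluster size
DIR_ENTRY = struct.Struct("<8s3sB10sHHHI")
ATTR_LONG_NAME = 0x0F          # VFAT long-name pseudo entry, not a file


def unpack_dos_date(word: int) -> tuple:
    """DOS date word -> (year, month, day).  Bits 15-9 hold year - 1980."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F


def pack_dos_date(year: int, month: int, day: int) -> int:
    if not 1980 <= year <= 2107:
        raise ValueError("year outside the 7-bit DOS range 1980..2107")
    return ((year - 1980) << 9) | (month << 5) | day


def add_century(word: int) -> int:
    """What the virus does: +100 in the 7-bit year field.  Assumption: the
    field wraps mod 128, so a file dated 2008 or later would wrap back to
    1980 and escape the century_marked() check."""
    year_field = ((word >> 9) + 100) & 0x7F
    return (year_field << 9) | (word & 0x1FF)


def remove_century(word: int) -> int:
    """Restore the original date when disinfecting a file."""
    year_field = ((word >> 9) - 100) & 0x7F
    return (year_field << 9) | (word & 0x1FF)


def century_marked(word: int) -> bool:
    """Year field >= 100 means year 2080 or later: impossible for a file
    written by DOS in the 1990s, so treat it as the infection mark."""
    return (word >> 9) >= 100


def parse_dir_entry(raw: bytes):
    """Decode one 32-byte entry; None for free, deleted or long-name slots."""
    name, ext, attr, _res, _time, date, _cluster, size = DIR_ENTRY.unpack(raw)
    if name[0] in (0x00, 0xE5) or attr == ATTR_LONG_NAME:
        return None
    return {
        "name": name.decode("ascii").rstrip() + "." + ext.decode("ascii").rstrip(),
        "date": unpack_dos_date(date),
        "century_marked": century_marked(date),
        "size": size,
    }


def scan_directory(raw: bytes) -> list:
    """Return the names of all files whose write date carries the mark."""
    flagged = []
    for off in range(0, len(raw) - 31, 32):
        ent = parse_dir_entry(raw[off:off + 32])
        if ent and ent["century_marked"]:
            flagged.append(ent["name"])
    return flagged


def build_sample_dir() -> bytes:
    """Constructed directory: an infected COMMAND.COM (dated 1995 + 100),
    a clean .COM, a clean .TXT and an end-of-directory slot."""
    def entry(name, ext, date, size):
        return DIR_ENTRY.pack(name, ext, 0x20, b"\0" * 10, 0x5A00, date, 2, size)
    return (entry(b"COMMAND ", b"COM", add_century(pack_dos_date(1995, 11, 28)), 54645)
            + entry(b"CLEAN   ", b"COM", pack_dos_date(1995, 11, 28), 1000)
            + entry(b"README  ", b"TXT", pack_dos_date(1995, 1, 1), 12)
            + b"\0" * 32)
```

Run this against a directory dumped from a clean-booted system; while the virus is resident, the stealth hook on interrupt 21h hands the directory listing back with the 100 years already subtracted, so the check must read the raw sectors or be done from a clean boot floppy.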

Encryption:     An anti-debugger encryption is used, probably taken from the
                virus WitchCode. The decryptor uses the stack for
                decryption and can't be traced with a real mode debugger!

Detection:      Search for the following search strings (near the entry
                point; "?" stands for one unknown hex digit).

                McFly:  BA C8 02 B1 ?? FA 89 E5 BC ?? ?? 58 F7 D0 D3 C8
                All:    BA ?? ?? B1 ?? FA 8? E? BC
                Or:     BA??02B1??FA8???BC????58F7D0D3C850EB01??4C4C4A75F2
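A scanner for these search strings has to do two things the strings alone do not show: follow the JMP that Predator places at the start of the host to find the entry point, and match nibble wildcards such as "8?" and "E?". The Python below is an added example, not the VirScan Plus or K-PREDAT code from ROSE. The 256-byte search window after the entry point and the "infected" sample image are assumptions made for the demonstration; the sample's stub only reproduces the bytes of the search strings with arbitrary values in the wildcard positions and is not the virus.

```python
"""Wildcard signature scanner for DOS .COM files that follows the leading
JMP to the virus entry point.  Added example; the sample file is constructed."""

# Search strings from the analysis above; "?" is one unknown hex digit.
SIGNATURES = {
    "Predator.McFly": "BA C8 02 B1 ?? FA 89 E5 BC ?? ?? 58 F7 D0 D3 C8",
    "Predator (all)": "BA ?? ?? B1 ?? FA 8? E? BC",
    "Predator (alt)": "BA??02B1??FA8???BC????58F7D0D3C850EB01??4C4C4A75F2",
}
MCFLY_LEN = 1449          # bytes appended to the host by Predator.McFly
SCAN_WINDOW = 256         # assumption for "near entry point"


def parse_signature(sig: str) -> list:
    """Turn 'BA ?? 8?' into (value, mask) pairs, one per byte.  A '?' clears
    that nibble of the mask so any value matches there."""
    hexstr = sig.replace(" ", "").upper()
    if len(hexstr) % 2:
        raise ValueError("signature has an odd number of hex digits")
    pattern = []
    for i in range(0, len(hexstr), 2):
        value = mask = 0
        if hexstr[i] != "?":
            value |= int(hexstr[i], 16) << 4
            mask |= 0xF0
        if hexstr[i + 1] != "?":
            value |= int(hexstr[i + 1], 16)
            mask |= 0x0F
        pattern.append((value, mask))
    return pattern


def find_signature(data: bytes, pattern: list, start: int = 0, end: int = None) -> int:
    """Offset of the first match inside data[start:end], or -1."""
    end = len(data) if end is None else min(end, len(data))
    for pos in range(start, end - len(pattern) + 1):
        if all((data[pos + i] & m) == v for i, (v, m) in enumerate(pattern)):
            return pos
    return -1


def com_entry_offset(data: bytes) -> int:
    """File offset at which execution starts.  A COM image is loaded at
    CS:0100h; if it begins with JMP rel16 (E9 lo hi) the target is
    0103h + rel16, i.e. file offset 3 + rel16 (wrapped to 64K)."""
    if len(data) >= 3 and data[0] == 0xE9:
        rel = int.from_bytes(data[1:3], "little", signed=True)
        return (3 + rel) & 0xFFFF
    return 0


def scan_com(data: bytes) -> dict:
    """Report the entry offset, signature hits near it, and whether the
    entry sits exactly MCFLY_LEN bytes before end of file (the layout of a
    host with the McFly body appended)."""
    entry = com_entry_offset(data)
    hits = {}
    for name, sig in SIGNATURES.items():
        pos = find_signature(data, parse_signature(sig), entry, entry + SCAN_WINDOW)
        if pos >= 0:
            hits[name] = pos
    return {"entry": entry, "hits": hits, "mcfly_layout": len(data) - entry == MCFLY_LEN}


def build_sample(infected: bool) -> bytes:
    """Constructed image: a 1000-byte host (mov ah,4Ch / int 21h plus NOP
    padding).  The infected form has its first three bytes replaced by a
    JMP to an appended MCFLY_LEN-byte body that starts with the bytes of the
    search strings (wildcards filled arbitrarily), followed by the saved
    host bytes and zero filler.  This is scanner test data, not the virus."""
    host = bytes.fromhex("B44CCD21") + b"\x90" * 996
    if not infected:
        return host
    stub = bytes.fromhex("BAC802B10AFA89E5BC0000" "58F7D0D3C850EB01904C4C4A75F2")
    body = stub + host[:3]
    body += b"\x00" * (MCFLY_LEN - len(body))
    rel = len(host) - 3                      # JMP from 0103h lands on the body
    return b"\xE9" + rel.to_bytes(2, "little") + host[3:] + body
```

The layout check is a useful second opinion on the loose "All" string: a hit on the 9-byte pattern alone, far from the end of a file, is more likely a false positive than a hit that also sits exactly 1449 bytes before EOF.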

Selfdetection:  Memory: mov     ah, 30h         ; DOS "Get Version" function
                        mov     bx, 494dh       ; magic value the virus checks for
                        int     21h
                        .IF     AX == 494dh     ; clean DOS returns its version
                        VIRUS_ACTIV             ; number here, never the magic
                        .ENDIF

Cleaning:       The virus can't be cleaned by heuristic cleaners like
                RVK or DECOM. A cleaner should be available with VirScan Plus
                version 11.21 as well as a standalone cleaner called
                K-PREDAT.EXE from ROSE which cleans all known variants!

Known variants: Predator.1020
                Predator.1055
                Predator.1063
                Predator.1072.A
                Predator.1072.B
                Predator.1137
                Predator.1148
                Predator.1154
                Predator.1195
                Predator.1449   (aka McFly)
                Predator.2448   (Predator II)

----------------------------------------------------------------------------

This program can only handle filenames of up to 255 characters
(including the path). If you have longer filenames (Win 95/Win-NT supports
IMHO only 255 chars) you have to map your paths.

Under Novell Netware this is an easy job, just take a look at MAP.EXE

----------------------------------------------------------------------------

(C)opyright 1987-97 (ALL RIGHTS RESERVED!)

             ROSE Softwareentwicklung
             Dipl.-Ing. (FH) Ralph Roth
             Finkenweg 24
             D 78658 Zimmern o. R.
             FAX/AB:  +49.741-32647

    EMail:        Ralph_Roth@p2.f2101.n246.z2.fidonet.org
    Fido:         2:246/2101.2


Type Bits/KeyID    Date       User ID
pub   512/CC3742A5 1995/02/08 Dipl.-Ing. (FH) Ralph Roth, Fido: 2:246/2101.2

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i

mQBNAi847YIAAAECANEe8vGPyKnR0bVoMO9vEu0hD+pMItDzLSvxqWF8W8YWzZ3U
AdhzfNDKL9uEo6BY/jHAF3m8vi5T//pgOsw3QqUABRG0HVJhbHBoIFJvdGggPHJh
ckBmaC1hbGJzaWcuZGU+iQBVAwUQMvEC1v/6YDrMN0KlAQGq1AH9GOZnCI5VSJK6
EJGPK8UwYnzIhN3YGg1uBBCzsrMnPucB8J8GnaYxfA/r9bBsjfUYPkhI9s0XumAt
ScbHr68TxrQuRGlwbC4tSW5nLiAoRkgpIFJhbHBoIFJvdGgsIEZpZG86IDI6MjQ2
LzIxMDEuMokAVQMFEDL45u+ZiMHovEmyvQEBZScB/iWIEez/0zVa4e0lYQjgy82i
TBemfNnm3ABzr9e9iqbO5Vg0Ne2FxquawIo6Nl4wvzD1oyuGl6PDo592M5+41CiJ
AFUDBRAyxov///pgOsw3QqUBAbEhAf9cIvlfV0oTQ7tZ58V/xlVfY7YoCdHpjbif
bBw8sdUZLhpueAEZKEUOO2BVMFnP4toA8CgDS27gSYowQRrk/3DD
=sAec
-----END PGP PUBLIC KEY BLOCK-----

