RDA.Fighter Family
   
   
     _________________________________________________________________
   
   These are dangerous memory-resident polymorphic parasitic viruses;
   "RDA.Fighter.7408" is also multipartite. They trace and hook INT 21h,
   and write themselves to the end of COM and EXE files that are
   executed, opened or renamed. They also encrypt a randomly selected
   part of the host file.
   
   When an infected file is executed, "RDA.Fighter.7408" also infects the
   MBR of the hard drive. On booting from an infected disk it hooks INT 8,
   and once DOS is loaded it hooks INT 21h. This virus uses a highly
   polymorphic engine that generates a chain of decryption loops (up to
   16): the first loop decrypts the virus body and the code of the other
   loops, then passes control to the second loop, and so on. The virus
   body is therefore encrypted as many times as there are decryption
   loops.
   
   These viruses use an error-correction algorithm to hinder debugging
   and correction of the virus body. If the virus code is traced during
   the installation procedure, the viruses erase disk sectors.
   
   The viruses contain the internal text strings:

 "RDA.Fighter.5871":  RandomDecodingAlgoritm 1.0
                      "Stealth Fighter PART I" devoted MSU!

 "RDA.Fighter.5969":  RandomDecodingAlgoritm 1.1
                      "Stealth Fighter PART I (1.1) for ALL."

 "RDA.Fighter.7408":  "RandomDecodingAlgoritm 2.0"
                      "PhantomPolymorphicMultiLayerEngine 1.2"
                      "Stealth Fighter 2.0 : New Aggression."

   "RDA.Fighter.7408" displays the last string.
   
   After installation the viruses restore the code of the host program
   using the data ("host data") saved at infection time. While restoring
   the host program they decrypt the part of the host code that was
   encrypted at infection, restore the header of the COM file and pass
   control to the host program. The most interesting feature of these
   viruses is that after decryption of the virus body the host data is
   still encrypted, because it is encrypted twice at infection. The
   algorithm of this additional encryption is selected randomly: the
   virus picks a random number of instructions (up to 16) from 16
   variants of encryption commands (XOR, SUB, ADD, ROL, ROR, NEG, etc.).
   There may be 65535 (FFFFh) variants of such an encryptor. At infection
   the virus encrypts the host data with that method, but does not save
   the corresponding decryption routine needed to restore it.
   
   To decrypt the host data the virus generates a decryption routine by
   randomly selecting from the same 16 encryption commands, and tries to
   decrypt the host data with it. If the host data is not decrypted (the
   virus calculates and checks a CRC sum), the virus generates the next
   decryptor, decrypts the host data, calculates and compares the CRC,
   and so on until the host data appears in its original form. This may
   take some time even on fast computers.
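   The following Python toy, added here as an illustration and not the
   virus's own code, models the scheme of the two paragraphs above: a
   random chain of reversible byte commands encrypts the host data, the
   inverse chain is thrown away, and recovery means drawing candidate
   decryptors from the same command set until a CRC check passes. It
   assumes a 7-command alphabet and four parameter values (its own
   choice, not the virus's 16 commands and 65535 variants) so that the
   search finishes in a fraction of a second; all names are the example's
   own.

```python
import random
import zlib

# Toy model of the "random decoding algorithm" described above (an added
# example, not the virus's code); 7 commands stand in for its 16 variants.
def rol8(b, k):
    k &= 7
    return ((b << k) | (b >> (8 - k))) & 0xFF

OPS = {
    "xor": lambda b, k: b ^ k,
    "add": lambda b, k: (b + k) & 0xFF,
    "sub": lambda b, k: (b - k) & 0xFF,
    "rol": rol8,
    "ror": lambda b, k: rol8(b, 8 - (k & 7)),
    "neg": lambda b, k: (-b) & 0xFF,
    "not": lambda b, k: b ^ 0xFF,
}
# Every command's inverse is itself a command, so a decryptor is just
# another chain drawn from the same alphabet.
INVERSE = {"xor": "xor", "add": "sub", "sub": "add", "rol": "ror",
           "ror": "rol", "neg": "neg", "not": "not"}
KEYS = (1, 3, 0x5A, 0xA5)  # small parameter set keeps the toy search fast

def apply(data, chain):
    """Run each (command, k) of the chain over every byte, in order."""
    out = bytes(data)
    for name, k in chain:
        out = bytes(OPS[name](b, k) for b in out)
    return out

def inverse_chain(chain):
    """The decryptor the virus deliberately does not save."""
    return [(INVERSE[name], k) for name, k in reversed(chain)]

def random_chain(rng, max_steps):
    n = rng.randint(1, max_steps)
    return [(rng.choice(list(OPS)), rng.choice(KEYS)) for _ in range(n)]

def recover(enc, crc, max_steps, rng, max_tries=200000):
    """Generate candidate decryptors until the CRC of the result matches."""
    for tries in range(1, max_tries + 1):
        cand = random_chain(rng, max_steps)
        plain = apply(enc, cand)
        if zlib.crc32(plain) == crc:
            return plain, cand, tries
    return None, None, max_tries

def demo(host, max_steps=2, seed=7):
    # Encrypt constructed host data, drop the key, then search it back.
    rng = random.Random(seed)
    chain = random_chain(rng, max_steps)
    enc = apply(host, chain)
    plain, cand, tries = recover(enc, zlib.crc32(host), max_steps, rng)
    return plain, chain, cand, tries
```

   Raising max_steps or widening KEYS shows why the page says recovery
   "may take some time": the expected number of tries grows with the
   size of the command space, not with the length of the host data.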
   
   
     _________________________________________________________________
   
   © Copyright 1995 Eugene V. Kaspersky
