For some 4 or 5 months it has been known that a new kind of virus had been released. First rumorz talked 'bout a virus that screws all the heuristics. And, we've to say, it was pure fact, no advertising shit.


    From a technical point of view, TMC is a resident com'n'exe infector. Infection occurs on execution, opening, renaming and copying of suitable files. This 'll affect com's under 57 kB and exe's under 384 kB. A file whose filename starts with 'ic', 'no', 'we', 'tb', 'av', 'sc', 'co', 'wi' or 'kr' is not infected. These strings cover a huge spectrum of anti-viruses. The selected strings cover not only the best Slovak antivirus program, NOD-ICE, but also other good AV tools. So TMC has a quite good chance to survive the most important first months in the wild. TMC sets the seconds in the file timestamp to the 'magic' value 8. The virus contains these texts:

        TMC 1.0 by Ender from Slovakia
        Welcome to the Tiny Mutation Compiler!
        Dis is level 42.
        Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel
        Personal greetings: K. K., Dark Punisher
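
The infection criteria described above, turned into a triage filter for a directory listing (an added example, not part of the original article or of the virus): it flags files TMC could have touched whose FAT timestamp carries the seconds value 8. The `DirEntry` type, the helper names, the 1 kB = 1024 bytes reading and the treatment of the seconds value as an infection marker are assumptions.

```python
from dataclasses import dataclass

# Filename prefixes the article says TMC will not infect.
SKIPPED_PREFIXES = ("ic", "no", "we", "tb", "av", "sc", "co", "wi", "kr")
# Size ceilings from the article; 1 kB = 1024 bytes is an assumption.
SIZE_LIMIT = {"com": 57 * 1024, "exe": 384 * 1024}
MARKER = 8  # the 'magic' seconds value named in the article

@dataclass
class DirEntry:
    name: str      # 8.3 filename
    size: int      # bytes
    dos_time: int  # packed 16-bit FAT time word

def pack_time(h, m, s):
    """Build a FAT time word (seconds are stored halved, in bits 0-4)."""
    return (h << 11) | (m << 5) | (s // 2)

def eligible(entry):
    """True if name, extension and size fit the article's infection criteria."""
    stem, _, ext = entry.name.lower().rpartition(".")
    limit = SIZE_LIMIT.get(ext)
    if limit is None or entry.size >= limit:
        return False
    return not stem.startswith(SKIPPED_PREFIXES)

def has_marker(entry):
    """Assumption: 'second = 8' may mean decoded seconds 8 or raw field 8."""
    raw = entry.dos_time & 0x1F
    return raw * 2 == MARKER or raw == MARKER

def triage(entries):
    """Names worth scanning: possible targets that carry the marker."""
    return [e.name for e in entries if eligible(e) and has_marker(e)]

# Constructed sample listing, not from a real system.
SAMPLE = [
    DirEntry("EDIT.COM", 12000, pack_time(10, 30, 8)),    # marker, decoded
    DirEntry("GAME.EXE", 200000, pack_time(9, 15, 16)),   # marker, raw field
    DirEntry("SCAN.EXE", 150000, pack_time(12, 0, 8)),    # 'sc' prefix
    DirEntry("COMMAND.COM", 54000, pack_time(6, 0, 8)),   # 'co' prefix
    DirEntry("BIG.EXE", 500000, pack_time(12, 0, 8)),     # over 384 kB
    DirEntry("TOOL.COM", 3000, pack_time(8, 45, 30)),     # no marker
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

If timestamps are evenly spread, about one clean file in fifteen carries one of these two seconds values by chance, so a hit is a reason to scan the file, not a verdict.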



    And you may now ask: "And what makes TMC so extraordinary?" Okay, let's go to the void main().

    #define FALSE 0
    #define TRUE 1
    #define NOT_TRIVIAL 0.5
    #define INFECTED_FILE_CONTAIN_BODY_OF_VIRUS FALSE


    /* The body of the virus contains just some kind of compiler, which compiles the virus into memory from encrypted source pseudocode. Because the compilation doesn't use any structures that are heuristic-sensitive, there is no heuristic alert here :) [ Simple and clever ] The compiler is also capable of inserting garbage jump instructions into the virus copy in memory. So again, no simple scanstring in memory here. Just one little thingy here is not perfect. These jumps 'll not have a known size, so the compiler puts some extra NOPs here. The virus looks like an asm proggy compiled under TASM without the /m switch. */

    #define ANTIHEURISTIC_CODE TRUE

    /* TMC contains some kind of anti-cleaning trap. So it is not easy to remove from an infected file. Well, another life insurance. */

    #define EXTRA_STUFF TRUE

    /* TMC has different features in different generations. Just check it out. */

    #define DETECTION_AND_REMOVAL NOT_TRIVIAL

    /* As far as I know, only two antivirus programs detect TMC - Dr.Web and NOD-ICE. As an extra bonus, NOD is able to remove TMC. Some dudes from the AV side seem to be really good at their work :( */


    Ender, the promising author of this virus, has chosen his nick from 'Ender's Game' by Orson Scott Card. The strings "Welcome to the Tiny Mutation Compiler!" and "Diz is level 42" are, according to the author, related to Level3 by Vyvojar.


    Due to some kind of agreement between our mag and Ender, we were not allowed to publish the full sources of this excellent virus. As Ender stated, the sources 'll be released only after all the major anti-virus vendors detect and remove the virus. "They should have their work hard... they're paid for it, but we are not ...". So, dear friend, we present you at least a sample of this virus. But we have the source prepared for public release as soon as TMC is removed by TBAV, SCAN, AVP, DRWEB, S&S, ALWIL! and others from Virus Bulletin.

    Howgh !
