For some four or five months it has been known that a new kind of virus
has been released. The first rumours talked about a virus that screws up
every heuristic scanner. And we have to say it was pure fact, no
advertising bullshit.
From a technical point of view, TMC is a resident COM and EXE infector.
Infection occurs on execution, opening, renaming and copying of suitable
files. It affects COM files under 57 kB and EXE files under 384 kB. Files
whose name starts with 'ic', 'no', 'we', 'tb', 'av', 'sc', 'co', 'wi' or
'kr' are never infected. These strings cover a huge spectrum of
anti-virus programs: not only the best Slovak antivirus, NOD-ICE, but
other good AV tools as well. So TMC has quite a good chance of surviving
the most important first months in the wild.
TMC sets the seconds field of the file timestamp to the 'magic' value 8,
which is how a resident infector typically recognises files it has
already infected. The virus contains the texts:
TMC 1.0 by Ender from Slovakia
Welcome to the Tiny Mutation Compiler!
Dis is level 42.
Greetings to virus makers: Dark Avenger, Vyvojar, Hell Angel
Personal greetings: K. K., Dark Punisher
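The infection rules and the timestamp marker described above are enough for a cheap triage check over a directory listing. What follows is an added example, not the virus's code and not from the original article. It assumes FAT directory timestamps keep seconds in 2-second units (so "seconds = 8" is a field value of 4), takes "under 57 kB" and "under 384 kB" as exact limits of 57*1024 and 384*1024 bytes, and runs over a constructed listing rather than real files.

```python
import os

# Filename prefixes the article says TMC refuses to infect (mostly AV tools).
EXCLUDED_PREFIXES = ("ic", "no", "we", "tb", "av", "sc", "co", "wi", "kr")
COM_LIMIT = 57 * 1024    # assumed exact byte boundary for "under 57 kB"
EXE_LIMIT = 384 * 1024   # assumed exact byte boundary for "under 384 kB"
MARKER_SECONDS = 8       # the 'magic' seconds value from the article


def pack_dos_time(hour: int, minute: int, second: int) -> int:
    """Encode a 16-bit FAT time word: hhhhh mmmmmm sssss (seconds / 2)."""
    return (hour << 11) | (minute << 5) | (second // 2)


def dos_time_seconds(dos_time: int) -> int:
    """Seconds field of a FAT time word, in whole seconds (always even)."""
    return (dos_time & 0x1F) * 2


def is_candidate(name: str, size: int) -> bool:
    """Would TMC consider this file at all, per the article's rules?"""
    stem, ext = os.path.splitext(os.path.basename(name).lower())
    if stem.startswith(EXCLUDED_PREFIXES):
        return False
    if ext == ".com":
        return size < COM_LIMIT
    if ext == ".exe":
        return size < EXE_LIMIT
    return False


def has_marker(dos_time: int) -> bool:
    """True if the timestamp carries the seconds == 8 marker."""
    return dos_time_seconds(dos_time) == MARKER_SECONDS


def triage(entries):
    """entries: (name, size, dos_time_word) tuples as read from a FAT
    directory. Returns the names TMC could have infected that also carry
    the marker: candidates for a byte-level look, not proof of infection."""
    return [name for name, size, t in entries
            if is_candidate(name, size) and has_marker(t)]


# Constructed sample listing (not real data).
SAMPLE_DIR = [
    ("GAME.COM",   12_345,     pack_dos_time(12, 30, 8)),   # flagged
    ("EDIT.EXE",   50_000,     pack_dos_time(12, 30, 8)),   # flagged
    ("SCAN.EXE",   200_000,    pack_dos_time(12, 30, 8)),   # 'sc' prefix, skipped
    ("NOD.EXE",    150_000,    pack_dos_time(12, 30, 8)),   # 'no' prefix, skipped
    ("BIG.EXE",    400 * 1024, pack_dos_time(12, 30, 8)),   # over 384 kB
    ("HUGE.COM",   60 * 1024,  pack_dos_time(12, 30, 8)),   # over 57 kB
    ("README.TXT", 100,        pack_dos_time(12, 30, 8)),   # not COM/EXE
    ("TOOL.COM",   4_000,      pack_dos_time(12, 30, 10)),  # no marker
]

if __name__ == "__main__":
    for name in triage(SAMPLE_DIR):
        print("suspect:", name)
```

On a live FAT volume the time word comes straight from the directory entry; if you only have `os.stat` mtimes, remember the OS has already converted them through the local timezone, so convert back before reading the seconds field. Clean files can legitimately have seconds == 8 too, which is why the check is a triage filter and nothing more.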
And you may now ask: "And what makes TMC so extraordinary?"
Okay, let's go to the void main().
#define FALSE 0
#define TRUE 1
#define NOT_TRIVIAL 0.5
#define INFECTED_FILE_CONTAINS_BODY_OF_VIRUS FALSE
/* The body of the virus contains just a kind of compiler, which compiles
the virus into memory from an encrypted pseudocode source. Because the
compilation doesn't use any structure that heuristics are sensitive to,
there is no heuristic alert here :) [ Simple and clever ] The compiler is
also capable of inserting garbage jump instructions into the copy of the
virus in memory, so again, no simple scan string in memory either. Just
one little thing here is not perfect: these jumps will not have a known
size, so the compiler pads them with extra NOPs. The virus thus looks
like an asm program compiled under TASM without the /m switch. */
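The padding weakness just described is the one thing a memory scanner can still key on. Here is an added example, not from the article and not TMC's code, of a byte-level heuristic built on it. It assumes that a jump whose final size is unknown at code-generation time is emitted as a 2-byte short jump (EB rel8) with the reserved third byte filled by NOP (90), which is what single-pass TASM does without /m; the density threshold and the sample buffers are constructed for illustration.

```python
# Added example, not code from the article or from TMC itself.
# Assumption: a jump of unknown final size is emitted as EB rel8 followed
# by a padding NOP (90), as single-pass TASM does without the /m switch.

JMP_SHORT = 0xEB
NOP = 0x90


def padded_jumps(code: bytes):
    """Offsets of 'EB rel8 90' triples with a forward target, i.e. a short
    jump that skips its own padding NOP (and possibly more bytes)."""
    hits = []
    for i in range(len(code) - 2):
        if (code[i] == JMP_SHORT and code[i + 2] == NOP
                and 1 <= code[i + 1] < 0x80):
            hits.append(i)
    return hits


def padded_jump_density(code: bytes, per: int = 256) -> float:
    """Padded jumps per `per` bytes of code; 0.0 for an empty buffer."""
    if not code:
        return 0.0
    return len(padded_jumps(code)) * per / len(code)


def looks_recompiled(code: bytes, threshold: float = 4.0) -> bool:
    """Flag a memory image whose padded-jump density is abnormally high.
    The threshold is an assumed tuning value: ordinary hand-written or
    multi-pass-assembled code contains very few such triples."""
    return padded_jump_density(code) >= threshold


def _jmp_pad(rel: int) -> bytes:
    """Constructed 'garbage jump' the way the padding compiler would emit it."""
    return bytes([JMP_SHORT, rel, NOP])


# Constructed DOS-style stub with garbage jumps sprinkled in (not TMC bytes).
MUTATED = (b"\xb4\x09" + _jmp_pad(1)          # mov ah,09h ; jmp +1 ; nop
           + b"\xba\x00\x01" + _jmp_pad(4)    # mov dx,100h ; jmp +4 ; nop
           + b"\x90\x90\x90"                  # three garbage NOPs the jump skips
           + b"\xcd\x21" + _jmp_pad(1)        # int 21h ; jmp +1 ; nop
           + b"\xb8\x00\x4c" + _jmp_pad(1)    # mov ax,4C00h ; jmp +1 ; nop
           + b"\xcd\x21")                     # int 21h
CLEAN = b"\xb4\x09\xba\x00\x01\xcd\x21\xb8\x00\x4c\xcd\x21"

if __name__ == "__main__":
    print("mutated:", padded_jumps(MUTATED), looks_recompiled(MUTATED))
    print("clean:  ", padded_jumps(CLEAN), looks_recompiled(CLEAN))
```

Presence of a single EB xx 90 triple means nothing, since any program assembled without /m has a few; what stands out is the density of them in a block of code, which is why the check is a rate and not a scan string. A real scanner would also disassemble rather than pattern-match raw bytes, because EB 90 can appear inside data or longer instructions.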
#define ANTIHEURISTIC_CODE TRUE
/* TMC contains a kind of anti-cleaning trap, so it is not easy to remove
from an infected file. Well, another life insurance. */
#define EXTRA_STUFF TRUE
/* TMC has different features in different generations. Just check it. */
#define DETECTION_AND_REMOVAL NOT_TRIVIAL
/* As far as I know, only two antivirus programs detect TMC: Dr.Web and
NOD-ICE. As an extra bonus, NOD is capable of removing TMC. Some dudes on
the AV side seem to be really good at their work :( */
Ender, the promising author of this virus, has chosen his nick from
'Ender's Game' by Orson Scott Card. The strings "Welcome to the Tiny
Mutation Compiler!" and "Diz is level 42" are, according to the author,
related to Level3 by Vyvojar.
Due to some kind of agreement between our mag and Ender, we were not
allowed to publish the full sources of this excellent virus. As Ender
stated, the sources will be released only after all the major anti-virus
vendors detect and remove the virus. "They should have their work
hard... they're paid for it, but we are not..." So, dear friend, we
present you at least a sample of this virus. But we have the source
prepared for public release as soon as TMC is removed by
TBAV, SCAN, AVP, DRWEB, S&S, ALWIL! and the others from Virus Bulletin.