                                                                             
                    This Virus Came To You By Way Of...                      
                                                                             
                  Computer Research & Information Service                    
                                                                             
                                                                             
       Cris is a group of computer users that have a true interest in        
       Computer Viruses and Trojans, as well as how they work.               
                                                                             
       Members of Cris feel a need, not only to be up on the latest          
       Bombs, Trojans, Worms, and Viruses, but to safely transfer these      
       files into the hands of other dedicated researchers.                  
                                                                             
       Cris cannot be held responsible for the use or misuse of these        
       files.  Cris releases are sent out to better the knowledge of the     
       virus community, for those who would like to learn more about them    
       and how they work.                                                    
                                                                             
       Also, all Cris releases have been pre-tested and informative text     
       files are enclosed with valuable information regarding the type of    
       virus, how it works, and removal information.  If the virus you       
       downloaded is not a Cris release, you don't know what you've got.     
                                                                             
       DuWayne Bonkoski                                                      
       (Original Text Written By Michael Paris)                              
                                                                             


 Cris Release Date: 12/18/93
 Type: Virus


 VSUM Information - Quoted from Patricia M. Hoffman's Hypertext VSUM

 No Information Found


 Scanning Results

 McAfee's ViruScan Reports  -  Detected [Flue]
   File had to be deleted
 F-Prot's ViruScan Reports  -  Detected [Flue]
   File had to be deleted
 TBAV's ViruScan Reports    -  Detected [Flue]
   Successfully repaired executable



 Researcher's Notes

 The FLUE virus is a polymorphic virus which infects COM files only.  The
 FLUE virus has a very visible way of letting you know it has infected
 a file: it "flips" the text-mode screen horizontally, from right to left or
 vice versa.  The screen flip does not work on monochrome monitors, however,
 because the virus is hard-coded to read segment B800, which is where screen
 memory lies for color text modes.  Monochrome video memory lies in
 the B000 segment, and the virus has no routine to sense which
 type of video adapter is in use.
                                                                             
 The virus hooks interrupt 24h (the DOS Critical Error Handler), which causes
 the virus to replicate if a critical error occurs during execution.
                                                                             
 The virus does not become memory resident as far as I can tell.             
                                                                             
 A character string can be found within the virus body which may appear
 unencrypted within infected files.  The string reads as follows:
                                                                             
 Hatsjeee!! <C> 1992/1993 by TridenT / [DRkRY]Oh, BTW it's from Holland,   
 and is called the FLUEFor those who are interested......                    
                                                                             
                                                                             
 Encryption                                                                  
 ==========                                                                  
 The FLUE encrypts itself by XORing the body of the virus with a
 randomly generated word (16-bit) variable, and then uses the variable's
 complement on the next encryption cycle.
                                                                             
                                                                             
 Infection                                                                   
 =========                                                                   
 The FLUE infects COM files having a length between 500 and 47987 bytes.
 The virus does not check to see if the file has already been infected and
 will attempt to re-infect an already infected file.
 The decryption routine the virus creates is highly polymorphic.  The virus
 randomly changes which registers the decryptor uses for each
 infected file.
                                                                             
 The infected files grow by a varying number of bytes.  The virus            
 copies a random number of bytes from the zero page and appends them to      
 the end of the executable before infecting the file.  This is what causes   
 the random growth.                                                          
                                                                             
 Upon execution of an infected file, the virus will try to infect between    
 one and eight files plus one more for each directory it moves into.         
                                                                             
 An interesting note on how the virus appends itself to other COM files:
 at first glance, the disassembly does not show any significant file
 write routine of the kind that would be needed for replication.  It took me
 a while to figure out how the virus accomplishes this.  It does so
 by building its own write routine as it runs in memory.  Just another
 example of the polymorphic capabilities of this virus.
                                                                             
                                                                             
 Detection                                                                   
 =========                                                                   
 All scanners tested will detect this virus.                                 
                                                                             
 This virus can be detected using the following scan strings (for those
 who are using older/other scan utilities):

 89?18B?1B94002?331?1F7?349                 - TBAV
 89??8B??B94002??????31??F7??????49         - F-PROT
 89?8B?B94002???31?F7???49                  - SCAN
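 As an added illustration (not part of the Cris release, and not code from
 any of the scanners named above), here is a small Python scanner that turns
 each of the three scan strings into one wildcard byte pattern, checks that
 all three vendors are really describing the same bytes, and runs the pattern
 over constructed sample COM images together with the 500..47987 byte size
 window from the Infection section.  The wildcard conventions used here
 (TBAV "?n" = n wildcard bytes, F-PROT "??" = one wildcard byte, SCAN "?" =
 one wildcard byte) are an assumption inferred by lining the three strings
 up against each other; the sample images and decryptor variants are
 constructed for the demo, not taken from real infected files.

```python
import os
from typing import Dict, List, Optional

# Scan strings exactly as listed in the Cris release text.
SCAN_STRINGS: Dict[str, str] = {
    "TBAV":   "89?18B?1B94002?331?1F7?349",
    "F-PROT": "89??8B??B94002??????31??F7??????49",
    "SCAN":   "89?8B?B94002???31?F7???49",
}

# Infection size window given in the Infection section of the notes.
MIN_LEN, MAX_LEN = 500, 47987

Pattern = List[Optional[int]]   # byte value, or None for "any byte"


def parse_scan_string(sig: str, fmt: str) -> Pattern:
    """Convert one scanner's string into a list of bytes with None wildcards.

    Wildcard conventions are an assumption inferred by lining the three
    strings up against each other, not taken from the scanners' manuals:
      TBAV   '?' followed by a digit n -> n wildcard bytes
      F-PROT '??'                      -> one wildcard byte
      SCAN   '?'                       -> one wildcard byte
    """
    pattern: Pattern = []
    i = 0
    while i < len(sig):
        if sig[i] != "?":
            pattern.append(int(sig[i:i + 2], 16))   # fixed hex byte
            i += 2
        elif fmt == "TBAV":
            pattern.extend([None] * int(sig[i + 1]))
            i += 2
        elif fmt == "F-PROT":
            if sig[i:i + 2] != "??":
                raise ValueError("F-PROT wildcards come in pairs")
            pattern.append(None)
            i += 2
        elif fmt == "SCAN":
            pattern.append(None)
            i += 1
        else:
            raise ValueError("unknown scan string format: " + fmt)
    return pattern


def patterns_agree() -> bool:
    """True when all three vendor strings reduce to the same byte pattern."""
    parsed = [parse_scan_string(s, fmt) for fmt, s in SCAN_STRINGS.items()]
    return all(p == parsed[0] for p in parsed)


def find_pattern(data: bytes, pattern: Pattern) -> int:
    """Offset of the first match of pattern in data, or -1 if absent."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(want is None or data[off + j] == want
               for j, want in enumerate(pattern)):
            return off
    return -1


def triage_com_image(image: bytes, fmt: str = "F-PROT") -> dict:
    """Apply the size window and the scan string to one COM image in memory."""
    off = find_pattern(image, parse_scan_string(SCAN_STRINGS[fmt], fmt))
    return {
        "size": len(image),
        "in_infection_window": MIN_LEN <= len(image) <= MAX_LEN,
        "match_offset": off,
        "flagged": off >= 0,
    }


def scan_com_files(directory: str, fmt: str = "F-PROT") -> list:
    """Triage every *.COM file in a directory; returns (name, result) pairs."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith(".com"):
            with open(os.path.join(directory, name), "rb") as fh:
                results.append((name, triage_com_image(fh.read(), fmt)))
    return results


# --- constructed demo data (not real infected files) -----------------------
# Two decryptor stand-ins with the same fixed opcodes but different register
# (ModRM) bytes and filler, imitating two polymorphic generations.
VARIANT_A = bytes([0x89, 0xC3, 0x8B, 0xD8, 0xB9, 0x40, 0x02, 0x90, 0x90, 0x90,
                   0x31, 0x07, 0xF7, 0xD0, 0x90, 0x90, 0x49])
VARIANT_B = bytes([0x89, 0xD1, 0x8B, 0xF0, 0xB9, 0x40, 0x02, 0x43, 0x43, 0x43,
                   0x31, 0x04, 0xF7, 0xD3, 0x46, 0x46, 0x49])
CLEAN_STUB = b"\xB8\x00\x4C\xCD\x21"          # MOV AX,4C00h / INT 21h


def make_sample(tail: bytes, total_len: int = 1200) -> bytes:
    """Build a COM-sized image: JMP stub, NOP padding, tail, zero fill."""
    body = b"\xE9\x00\x00" + b"\x90" * 400 + tail
    return body + b"\x00" * (total_len - len(body))


if __name__ == "__main__":
    print("vendor strings agree:", patterns_agree())
    for label, tail in (("variant A", VARIANT_A), ("variant B", VARIANT_B),
                        ("clean", CLEAN_STUB)):
        print(label, triage_com_image(make_sample(tail)))
```

 Both constructed variants match at the same offset while the clean stub does
 not.  The fixed bytes between the wildcards are ordinary 8086 opcodes: B9 40
 02 is MOV CX,0240h, 31 is the XOR r/m16,r16 opcode, F7 heads the NOT/NEG
 group and 49 is DEC CX, which is consistent with the XOR-and-complement
 decryptor loop the Encryption section describes.  The wildcarded bytes after
 89, 8B, 31 and F7 sit where the ModRM bytes go, which is why one fixed
 string keeps matching even though the virus shuffles the registers the
 decryptor uses from one infection to the next.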
                                                                             
                                                                             
 Summary                                                                     
 =======                                                                     
 I have to admit, the virus was a challenge for me due to its polymorphic
 capabilities.  I had to step through it a couple of times to get a feel
 for what was going on.  I'm not sure why all the polymorphism is used
 in this particular strain since the visual cues easily let you know
 something unusual is happening.  Otherwise, this virus is a pretty fast
 replicator that wants to be noticed in its own little way.
                                                                             