IDEA.612 Spyware/Adware Definition
Name: IDEA.612
Category: Viruses
Description:
Details
IDEA.6126
It is a memory-resident, polymorphic, parasitic virus that is not dangerous. The virus code is encrypted three times: the first decryption loop is polymorphic; the other loops are not polymorphic, but they use the IDEA encryption algorithm. As a result, decrypting the virus is quite a complex task, and when an infected file is executed even Pentium computers "sleep" for a second or two while the virus decrypts itself.
The virus then hooks INT 21h and stays memory resident. When COM and EXE files are executed, the virus writes itself to the end of the file. The virus does not infect COMMAND.COM or several anti-virus programs (TBAV, AVP, NAV, FINDVIRU, F-PROT, all), which it recognizes by the following string (two letters per name):
TBVIAVNAVSFIF-FVIVDRSCGUCO
After infecting a file, the virus opens the ANTI-VIR.DAT file (if it exists) and patches the name of the just-infected file there: it replaces the first character of the file name with 01h (the ASCII smiley character).
When ZIP files are accessed by the FindFirst/Next DOS functions, the virus adds an infected README.COM file to the ZIP archive. To do this, the virus drops a file on disk, infects it, appends the infected file to the archive, and then modifies the archive structure. As the host file the virus uses one of three simple video-effect programs that it keeps in its code. When executed, these programs show a video effect and display the messages:
Downloaded From
http://www.narkotic.com/~vico
Da BeSt BoaRd In SPaiN: El GriLLo Loco (34-1-352 24 45)
* ROADKILL BBS *
Call now 028-6621590
While infecting ZIP archives, the virus creates three temporary files: DIR.SKA, END.SKA, ADD.SKA.
At 15:30 the virus creates the C:VIRUS.COM file, writes the standard EICAR anti-virus test file to it, shows a video effect, and displays the rotated message:
Warning!
strong
crypto
inside
The virus also contains the text strings:
IDEA virus (c) Spanska 98
Thx to Rajaat (poly),
F Mirza (IDEA),
Wild Worker (zip),
Solar D (road)
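The file-system artifacts named in this description (a README.COM member appended to ZIP archives, the three .SKA temporary files, and a VIRUS.COM file holding the EICAR test file) can be checked for during triage. The following Python sketch is an added example, not part of the original entry; the function names, the finding texts, and the choice to report unreadable archives are assumptions.

```python
import os
import zipfile

# Artifact names come from the description above; matching is case-insensitive.
TEMP_FILES = {"DIR.SKA", "END.SKA", "ADD.SKA"}
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def check_zip(path):
    """Report README.COM members; the virus appends one to archives it touches."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        # The virus rewrites the archive structure, so a broken one is reported.
        return ["unreadable ZIP structure"]
    hits = []
    for pos, name in enumerate(names):
        if name.replace("\\", "/").rsplit("/", 1)[-1].upper() == "README.COM":
            place = "last entry" if pos == len(names) - 1 else f"entry {pos + 1} of {len(names)}"
            hits.append(f"README.COM in archive ({place})")
    return hits


def scan_tree(root):
    """Walk root and return {path: [findings]} for the artifacts listed above."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(folder, fname)
            upper = fname.upper()
            found = []
            if upper in TEMP_FILES:
                found.append("leftover ZIP-infection temp file")
            elif upper == "VIRUS.COM":
                with open(path, "rb") as fh:
                    is_eicar = EICAR_MARKER in fh.read(128)
                found.append("VIRUS.COM holding EICAR test file" if is_eicar
                             else "VIRUS.COM (content is not EICAR)")
            elif upper.endswith(".ZIP"):
                found.extend(check_zip(path))
            if found:
                report[path] = found
    return report
```

A README.COM inside an archive is only a lead, since legitimate archives can carry a file with that name; the finding marks the archive for a scan with an anti-virus engine.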