Threat Description

Bombtrack

Details

Aliases:Bombtrack, Gennops
Category:Malware
Type:Virus
Platform: W32

Summary



BombTrack, a heavily armoured polymorphic virus, was distributed in BBS systems in the spring of 1994. It was hidden within the player for an erotic animation. Bombtrack is a memory-resident COM and EXE infector, about 2400 bytes long. It allocates 6 kB of DOS memory at runtime and infects executables when they are run. The virus achieves polymorphism by using variable decryptors buried in long runs of non-significant instructions. The virus uses a lot of anti-debugging tricks to prevent disassembly.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Before infection, the virus erases the MSAV and CPAV checksum files. It also carefully avoids infecting popular anti-virus scanners.

The virus contains several bugs. Some variants are not able to reproduce reliably and are, from a virocentric point of view, an evolutionary dead end. The activation routine is supposed to create a directory structure called "\BOMBTRA.CK\NEVER"ne". However, this operation is rather poorly implemented and almost always causes severe file system corruption.

The virus will sometimes infect an executable and fail to modify its entry point. Such files, at first sight similar to successfully infected ones, are not functional since the viral code never gets the chance to be executed. Finally, the virus doesn't take great care of the target's memory requirements: an infected COM file can grow to more than 64 KB and an infected EXE can grow larger than the memory it allocates. Such files are, unable to execute properly.

Bombtrack was the first Belgian polymorphic virus.


Variant:Bombtrack.B

Slightly modified variant.





Technical Details: Pierre Vandevenne, DataRescue sprl, Belgium


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More