BombTrack, a heavily armoured polymorphic virus, was distributed
in BBS systems in the spring of 1994. It was hidden within the player
for an erotic animation. Bombtrack is a memory-resident COM and EXE
infector, about 2400 bytes long. It allocates 6 kB of DOS memory at
runtime and infects executables when they are run. The virus achieves
polymorphism by using variable decryptors buried in long runs of
non-significant instructions. The virus uses a lot of anti-debugging
tricks to prevent disassembly.
Before infection, the virus erases the MSAV and CPAV checksum
files. It also carefully avoids infecting popular anti-virus
scanners.
The virus contains several bugs. Some variants are not able
to reproduce reliably and are, from a virocentric point of
view, an evolutionary dead end. The activation routine is
supposed to create a directory structure called
"\BOMBTRA.CK\NEVER"ne". However, this operation is rather
poorly implemented and almost always causes severe file
system corruption.
The virus will sometimes infect an executable and fail to
modify its entry point. Such files, at first sight similar
to successfully infected ones, are not functional since the
viral code never gets the chance to be executed. Finally,
the virus doesn't take great care of the target's memory
requirements: an infected COM file can grow to more than 64
KB and an infected EXE can grow larger than the memory it
allocates. Such files are, unable to execute properly.
Bombtrack was the first Belgian polymorphic virus.
