1. Skip to navigation
  2. Skip to content
  3. Skip to secondary-content

Where You Are

  1. Labs
  2. Threats
  3. Virus and threat descriptions
  4. Butterfly

Butterfly

SIZE:302
TYPE:Non-resident COM-files

Summary

The Butterfly-virus slipped into worldwide circulation together with the 4.11 version of the popular data communications program Telemate. Telemate 4.11 was published 17.6.1993, and the virus was not discovered before the distribution of the program had begun. As Telemate is a shareware program distributed over BBS's and internet FTP sites, the result was that there are probably thousands of contaminated copies of Telemate all over the world.

Additional Details

The distribution package of Telemate v4.11, TM411- 4.ZIP, contains a LHA-packed self-extracting package named VESA.EXE. The package contains VESA drivers for different video cards, including the files 37VESA.COM and 67VESA.COM meant for the OAK video card. Both of these files are infected.

When an infected program is executed, the virus infects up to four COM files in the default directory. The size of these files must be between 121 and 64768 bytes. The virus places its code in the end of contaminated files. Although the virus is will not infect files protected with the Read-only attribute, it will infect hidden and system files. In some cases the virus damages a file while trying to infect it.

The virus performs three checks before infecting a file. First, it checks whether the file begins with the command INT 20h After this, the virus examines the fourth byte in the file. If it is 1 (ASCII 1 is a smiling face), the virus assumes it has already infected the file and refrains from reinfecting it. After checking the file itself, the virus inspects its name. If the sixth and seventh letters in the file name are 'N' and 'D', the virus concludes that the file in question is the command interpreter COMMAND.COM, and does not infect it.

It is likely that the virus checks the beginning of files for the INT 20h command in order to avoid infecting bait files created by virus researchers. As files which begin with this command will not do anything except exit to DOS, they are often used by researchers. When a virus infects such a simple file, the actual viruscode is easy to study. The creator of the virus has probably wanted to stop his virus from infecting baits in order to make the lifes of virus researches even a little bit harder. It seems, however, that during the testing of the virus it was modified to infect also files beginning with the interrupt 20h. For some reason, probably simple forgetfulness on the part of the writer, this modification was never switched off, and the virus still infects such files regardless of the test.

The virus uses the fourth byte in a file to ascertain the purity of its victim. If the file's fourth byte is not 1, the virus judges the file to be uninfected and promptly remedies the situation. Although the virus usually leaves its victim's modification date unchanged, it contains a bug which in some cases causes the date and time of infected files to show the time of infection. The bug arises when there are several COM files in the same directory, only some of which can be infected by the virus.

The virus is quite simple, and is only 302 bytes in length. The virus does not contain activation routines. The viral code contains the text 'Goddamn Butterflies', indicating that its creator either has no love for butterflies or has borrowed the text from an old Donald Duck story.

Butterfly's extensive spreading created another kind of a problem, however: with it, many virus enthusiasts acquired a personal copy of a simple, functional and easily modifiable virus. A flow of new Butterfly variants followed soon after.

VARIANT:FJM
In the middle of July, a counterfeit copy of the popular LIST program was released in USA. The latest real version of LIST at the time was v7.8, but the fake claimed the version number 8.2. The program had been infected with a slightly modified version of Butterfly - only the text the virus contains had been changed. The original virus contains the text "Goddamn Butterflies" at the end of its code. In its place, the new FJM version has an obscene comment about John Mcafee, the creator of the SCAN antivirus application.

Although both versions of Butterfly use the same code, the FJM variant may yet prove a more successful infector than the original. That is because Butterfly only infects files in the current directory. Most users install auxiliary programs such as LIST somewhere along the hard disk's path to make them easily accessible. When the infected LIST is executed from some other directory, the virus can jump the directory boundary that normally limits its spreading.

VARIANT:Crusaders
TYPE:Non-resident COM/EXE-files
Another descendant of the Butterfly virus was found in the middle of August. Yet again, the new variant had been disguised as a shareware program and put into circulation via electronic bulletin boards. This time, the virus was hidden in the packet SPORT21C.ZIP. According to the packet's description it contained a program for inspecting the functioning of the computer's serial- and parallel ports. The program INSTALL.EXE included in the packet was infected.

Some changes had been made to the original virus - the most significant difference is that the new variant is capable of infecting both COM and EXE files, whereas the original virus infects only COMs. The virus text was also changed to read "Hurray The Crusaders".

None of the Butterfly variants which have so far been discovered activates in any way.

[Analysis: Mikko Hypponen, F-Secure]