Threat Description

Byway

Details

Aliases: Byway, Dir.Byway, Dir-II.Byway, HndV, DirII.TheHndv, Chavez
Category: Malware
Type: Virus
Platform: W32

Summary



In the summer of 1995 a new virus using an advanced cluster-level spreading technique was found. This polymorphic virus was named 'Byway'. The virus has been found in both Europe and the USA and is known to be in the wild internationally.



Removal



Removing the Byway virus is simple. If you rename an infected file to a non-executable extension (e.g. rename CHKDSK.EXE to CHKDSK.EEE), the stealth routines of the virus automatically remove the virus code from the file by restoring the file's directory entry so that it again points to the beginning of the original program.

This only happens while the virus is resident in memory, so you need to do this after booting from the infected hard drive, not from a clean boot disk.

You can use this feature of the virus to remove it from a system: rename all *.COM and *.EXE files to *.CCC and *.EEE. The easiest way of doing this is with the REN command. Note that REN does not recurse into subdirectories (it has no /S switch), so the two commands have to be issued in every directory that contains executables, starting from the root:

  cd \
  ren *.com *.ccc
  ren *.exe *.eee

Repeat the commands in every directory on every hard drive on your system.

After this, reboot the system from a clean diskette and issue the following commands to delete the hidden virus file:

  a:\attrib -h c:\chklist*.*
  a:\attrib -r c:\chklist*.*
  del c:\chklist*.*
Then rename all the files back to their original extensions, again in every directory:

  cd \
  ren *.ccc *.com
  ren *.eee *.exe

Again, repeat for all directories on all hard drive partitions.

Your system should now be clean of the virus. Check all floppies.

If this is too complicated, you can also download a separate disinfector written by Luis Paris. It is available at

ftp://ftp.europe.F-Secure.com/pub/misc/anti-vir/

[Thanks to Luis Paris for providing additional details]



Technical Details



Byway is an extremely fast infector of COM and EXE files. Its spreading method is similar to that of the old DIR-II virus family, but it adds a novel technique. When the user executes an infected program on a clean machine, the virus creates a hidden file called CHKLISTx.MSx in the root directory (where "x" is ASCII-255, a fake space) and stores its code there. It then infects files by changing their directory entries: every executable is cross-linked to point to the CHKLISTx.MSx file, which contains the virus code.

Microsoft Anti-Virus (MSAV) uses almost the same name, CHKLIST.MS, for its checksum file; apparently the virus author wanted the user to believe that the new file is MSAV's.

Byway exhibits both polymorphic and full stealth behaviour. When the user runs an infected program for the first time, the virus executes instead of it, going resident and reserving 3216 bytes of memory for itself. From then on all disk operations are redirected to the original files, so infected programs execute and function correctly. This way the virus hides quite successfully from detection.

Byway employs an improved tunneling technique to bypass most antivirus programs and integrity checkers. It is able to defeat most antivirus programs that use their "own file system" code to scan files and, in turn, infects the directories of all the executable files they scan. This way the virus spreads very quickly through exposed machines.
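The cross-linked directory layout described above is something an offline scanner can look for directly. The following Python example is added here; it is not F-Secure's code nor the Luis Paris disinfector. It parses raw 32-byte FAT12/16 directory entries (SAMPLE_ROOT below is a constructed stand-in for a root directory read from a disk image, not a real capture) and flags two indicators: a CHKLIST entry whose name carries the 0xFF fake space, and COM/EXE entries that all start at the same cluster as that file. Because the virus stealths the directory while it is resident, a check of this kind is only meaningful on a disk image or after booting from a clean diskette.

```python
import struct
from collections import defaultdict

ENTRY_SIZE = 32
ENTRY_FMT = "<8s3sB10sHHHI"        # name, ext, attr, reserved, wtime, wdate, start cluster, size
ATTR_HIDDEN, ATTR_VOLUME, ATTR_DIRECTORY = 0x02, 0x08, 0x10
FAKE_SPACE = 0xFF                  # byte the virus substitutes for a space in CHKLISTx.MSx
EXEC_EXTS = (b"COM", b"EXE")


def make_entry(name, ext, attr, cluster, size):
    """Build one 32-byte FAT12/16 directory entry (only used to construct sample data)."""
    return struct.pack(ENTRY_FMT, name.ljust(8, b" "), ext.ljust(3, b" "), attr,
                       b"\0" * 10, 0, 0, cluster, size)


def parse_directory(blob):
    """Return the live file entries of a raw FAT directory region as a list of dicts."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = blob[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:            # end-of-directory marker
            break
        if raw[0] == 0xE5:            # deleted entry
            continue
        name, ext, attr, _, _, _, cluster, size = struct.unpack(ENTRY_FMT, raw)
        if attr & (ATTR_VOLUME | ATTR_DIRECTORY):
            continue                  # only plain files can be cross-linked to the virus body
        entries.append({"name": name, "ext": ext, "attr": attr,
                        "cluster": cluster, "size": size})
    return entries


def display_name(entry):
    """Render NAME.EXT, showing the 0xFF fake space as <FF> so it is visible."""
    def show(b):
        return b.rstrip(b" ").decode("latin-1").replace("\xff", "<FF>")
    ext = show(entry["ext"])
    return show(entry["name"]) + ("." + ext if ext else "")


def find_chklist_decoys(entries):
    """Entries that mimic MSAV's CHKLIST.MS but carry the 0xFF fake space in the name."""
    return [e for e in entries
            if e["name"].startswith(b"CHKLIST") and FAKE_SPACE in e["name"] + e["ext"]]


def find_crosslinked_executables(entries):
    """Map start cluster -> COM/EXE names that share that cluster with another live file.

    On a clean volume no two live files start at the same cluster; a DIR-II style
    infector produces exactly that pattern, with every executable pointing at the
    virus body."""
    by_cluster = defaultdict(list)
    for e in entries:
        if e["cluster"] != 0:         # cluster 0 means an empty file
            by_cluster[e["cluster"]].append(e)
    linked = {}
    for cluster, group in by_cluster.items():
        if len(group) < 2:
            continue
        execs = sorted(display_name(e) for e in group if e["ext"].rstrip(b" ") in EXEC_EXTS)
        if execs:
            linked[cluster] = execs
    return linked


def scan_root_directory(blob):
    """Combine both indicators into one verdict for a raw root directory."""
    entries = parse_directory(blob)
    decoys = [display_name(e) for e in find_chklist_decoys(entries)]
    linked = find_crosslinked_executables(entries)
    return {"decoys": decoys, "crosslinked": linked,
            "suspicious": bool(decoys) and bool(linked)}


# Constructed sample root directory (not a real capture): the hidden virus file at
# cluster 0x32 holding the 3216-byte virus body, two executables cross-linked to it,
# data files with their own clusters, and a deleted entry that must be ignored.
SAMPLE_ROOT = b"".join([
    make_entry(b"CHKLIST\xff", b"MS\xff", ATTR_HIDDEN, 0x32, 3216),
    make_entry(b"COMMAND", b"COM", 0x20, 0x32, 54645),
    make_entry(b"CHKDSK", b"EXE", 0x20, 0x32, 12241),
    make_entry(b"CONFIG", b"SYS", 0x20, 0x07, 120),
    make_entry(b"\xe5UTOEXEC", b"BAT", 0x20, 0x08, 80),
    make_entry(b"README", b"TXT", 0x20, 0x09, 400),
]) + b"\0" * ENTRY_SIZE


if __name__ == "__main__":
    verdict = scan_root_directory(SAMPLE_ROOT)
    for cluster, names in verdict["crosslinked"].items():
        print(f"cluster {cluster:#06x} shared by: {', '.join(names)}")
    print("decoy CHKLIST entries:", verdict["decoys"])
    print("suspicious:", verdict["suspicious"])
```

On a real volume the blob would be the root directory region of a raw image (or of each subdirectory, since DIR-II style infectors touch entries wherever executables live). The page does not say where Byway stores the original start cluster of each executable, so the example only detects the cross-linking; it does not attempt to repair it.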

The Byway.A variant contains the following encrypted texts:

The-HndV
  by:Wai-Chan,Aug94,UCV

In the Byway.B variant, the second text is a bit different:

-By:W.Chan-

Byway activates on several dates after the year 1996. Activation depends on a parity check of a "generation counter" together with a date condition:

(day of the month) = ((month's number) * 2) + 2

For example the 4th of January, the 6th of February and the 26th of December, so there is one trigger date every month. When activated it displays a running text:

TRABAJEMOS TODOS POR VENEZUELA !!!

In English this means "Let's all work for Venezuela". The text is displayed at 3:00, 6:00, 9:00, 12:00, 15:00, 18:00 and 21:00. The virus also tries to play a tune through a sound card.

Byway is reported to be in the wild internationally, especially in Venezuela, Mexico, Bulgaria, UK and USA.
