Classification

Category: Malware

Type: -

Aliases: Crepate

Summary

The Crepate virus was found in Italy in August 1993. It has some quite advanced methods, such as variable encryption, multipartite infection and semi-stealth capabilities. Crepate infects hard disk master boot records, floppy DOS boot records and COM, EXE and Overlay files.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus has several phases of execution. When an infected file is executed on an uninfected system, it installs its own modified boot sector on the primary hard disk. The original boot sector is stored along with the virus code, which all in all occupies 7 sectors. The virus makes no attempt to mark these sectors as bad; the contents of the selected sectors are simply overwritten. After this stage has been completed, the virus checks the date by reading the Real Time Clock (INT 1Ah function 4). If the day is the 22nd, the virus will completely format the primary hard disk.

The second phase of execution begins when the computer is rebooted. The boot sector code that the virus installed in the first phase then loads the main body of the virus code into memory. The main virus code takes control of INT 1Ch, installing a routine which checks whether COMMAND.COM has been loaded by the system boot code. After installing this routine, the virus executes the original boot code and the boot process continues as normal. Since INT 1Ch is called 18.2 times a second, the virus can continually monitor whether COMMAND.COM has been loaded yet. Once COMMAND.COM is loaded, the virus takes control of INT 21h, effectively bypassing many anti-virus programs which are loaded after COMMAND.COM.

Once it has control of INT 21h, the virus becomes a stealth COM/EXE infector. The virus traps the following subfunctions of INT 21h in order to infect files:

 3Dh (Open)
 3Eh (Close)
 43h (Lseek)
 41h (Delete)
 4Bh (Load and execute program)
 6C00h (Extended open/create)

The following functions are trapped to give the virus its stealth ability:

 11h (Find first/FCB)
 12h (Find next/FCB)

Also, when an infected program is executed, the DOS boot record of the current disk is infected.

The virus considers a file to be infected if the word before the last byte at the end of the file is equal to 6373h ("cs"). All infected files also have an invalid time stamp: the seconds field contains 62. The stealth routines in the virus use this technique to identify infected files.
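As an added illustration, not part of the original F-Secure description, the following Python check looks for the two infection markers described above. It assumes the 6373h comparison is a little-endian x86 word compare (so the bytes on disk are 73h 63h) and that the DOS packed time word follows the standard layout, with seconds/2 in bits 0-4. The sample buffers are constructed, not real virus code.

```python
import struct

# 6373h as a 16-bit value ("cs"); stored little-endian, the file bytes are 's','c'.
CREPATE_MARKER_WORD = 0x6373


def has_crepate_marker(data: bytes) -> bool:
    """True if the 16-bit word immediately before the last byte equals 6373h."""
    if len(data) < 3:
        return False
    (word,) = struct.unpack_from("<H", data, len(data) - 3)
    return word == CREPATE_MARKER_WORD


def dos_time_seconds(dos_time: int) -> int:
    """Seconds field of a DOS packed time: bits 0-4 hold seconds/2, so 0..58 is valid."""
    return (dos_time & 0x1F) * 2


def has_invalid_seconds(dos_time: int) -> bool:
    """Crepate stamps the seconds field with 62 (raw value 31), which DOS never produces."""
    return dos_time_seconds(dos_time) == 62


def classify(data: bytes, dos_time: int) -> str:
    """Combine both markers; either one alone is only a hint, both together is a strong signal."""
    marker = has_crepate_marker(data)
    stamp = has_invalid_seconds(dos_time)
    if marker and stamp:
        return "likely infected"
    if marker or stamp:
        return "suspicious"
    return "clean"


# Constructed samples (assumed layout, not a real infected file): an EXE-like blob ending in
# the marker word and one trailing byte, versus a blob with no marker.
INFECTED_SAMPLE = b"MZ" + b"\x90" * 32 + b"sc" + b"\x00"
CLEAN_SAMPLE = b"MZ" + b"\x90" * 32 + b"\x00"
INFECTED_TIME = (12 << 11) | (30 << 5) | 31   # 12:30:62, impossible seconds value
CLEAN_TIME = (12 << 11) | (30 << 5) | 15      # 12:30:30

if __name__ == "__main__":
    print(classify(INFECTED_SAMPLE, INFECTED_TIME))  # likely infected
    print(classify(CLEAN_SAMPLE, CLEAN_TIME))        # clean
```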

The virus creates a "garbage" header for every file that is infected. The virus also employs techniques to confuse heuristic scanners.

Once the damage routine is activated, the virus is effectively able to bypass many programs monitoring INT 13h, because the original address of INT 13h is taken during the boot process.

When the virus is active in memory, CHKDSK will report allocation errors. This is due to the stealth method used by the virus.

The virus contains two strings: "Crepate (c)1992/93-Italy-(Pisa)" and "Crepa(c) by R.T." The second string is located right at the end of the infected files and, unlike the rest of the code, is unencrypted.