| SIZE: | 2910 in files |
| TYPE: | MBR Stealth COM/EXE-files |
| REPAIR: | Not yet |
The Crepate virus was found in Italy in August 1993. It has some quite advanced methods, such as variable encryption, multipartite infection and semi-stealth capabilities. Crepate infects hard disk master boot records, floppy DOS boot records and COM, EXE and Overlay files.
The second phase of execution begins when the computer is rebooted. The boot sector code that the virus installed in the first phase then loads the main body of virus code into memory. The main virus code takes control of INT 1Ch, installing a routine which checks whether COMMAND.COM has been loaded by the system boot code. After installing this routine, the virus executes the original boot code and the boot process continues as normal. Since INT 1Ch is called 18.2 times a second, the virus can continually monitor whether COMMAND.COM has been loaded yet. Once COMMAND.COM is loaded, the virus takes control of INT 21h, effectively bypassing many anti-virus programs which are loaded after COMMAND.COM.
Once it has taken control of INT 21h, the virus becomes a stealth COM/EXE infector. The virus traps the following subfunctions of INT 21h in order to infect files:
3Dh (Open)
3Eh (Close)
43h (Lseek)
41h (Delete)
4Bh (Load and execute program)
6C00h (Extended open/create)
The following functions are trapped to give the virus its stealth ability:
11h (Find first/FCB)
12h (Find next/FCB)
Also, when an infected program is executed, the DOS boot record of the current disk is infected.
The virus considers a file to be infected if the word before the last byte at the end of the file is equal to 6373h ("cs"). All infected files also have an invalid time stamp: the seconds field contains 62. The stealth routines in the virus use this technique to identify infected files.
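As an added example, not part of the original analysis, the following Python checker applies the two infection markers described above to a file image and its DOS directory time stamp: the 16-bit word immediately before the last byte (read as an x86 little-endian word and compared with 6373h) and a packed DOS time whose 5-bit seconds field decodes to 62, a value no legitimate DOS timestamp can carry. The sample file bytes and time values are constructed for the demonstration; the tiny COM stub used as "clean" content and the `classify` function are assumptions of this example, not artifacts of the virus.

```python
import struct
from typing import List, Optional, Tuple

# Infection markers taken from the analysis of Crepate.
CREPATE_MARKER = 0x6373        # word found immediately before the last byte of an infected file
CREPATE_SECONDS_FIELD = 31     # 5-bit DOS "seconds/2" field: 31 decodes to 62 seconds (invalid)


def trailer_marker(data: bytes) -> Optional[int]:
    """Return the little-endian 16-bit word just before the last byte, or None if too short."""
    if len(data) < 3:
        return None
    return struct.unpack("<H", data[-3:-1])[0]


def has_crepate_trailer(data: bytes) -> bool:
    """True when the file carries the 6373h word the virus uses as its 'already infected' flag."""
    return trailer_marker(data) == CREPATE_MARKER


def pack_dos_time(hours: int, minutes: int, seconds_field: int) -> int:
    """Build a packed DOS time word: hours (5 bits), minutes (6 bits), seconds/2 (5 bits)."""
    return ((hours & 0x1F) << 11) | ((minutes & 0x3F) << 5) | (seconds_field & 0x1F)


def dos_time_fields(dos_time: int) -> Tuple[int, int, int]:
    """Decode a packed DOS time word into (hours, minutes, seconds)."""
    hours = (dos_time >> 11) & 0x1F
    minutes = (dos_time >> 5) & 0x3F
    seconds = (dos_time & 0x1F) * 2   # the field stores seconds/2, so valid values are 0..29 (0..58 s)
    return hours, minutes, seconds


def has_invalid_timestamp(dos_time: int) -> bool:
    """A seconds value above 59 cannot come from DOS itself; Crepate writes field 31 (62 seconds)."""
    return dos_time_fields(dos_time)[2] > 59


def classify(data: bytes, dos_time: int) -> List[str]:
    """Collect the Crepate indicators present for one directory entry (file bytes plus DOS time)."""
    findings = []
    if has_crepate_trailer(data):
        findings.append("trailer word 6373h before last byte")
    if has_invalid_timestamp(dos_time):
        findings.append("invalid timestamp seconds=%d" % dos_time_fields(dos_time)[2])
    return findings


# Constructed samples (assumptions for this example, not real infected files).
CLEAN_FILE = b"\xb4\x4c\xcd\x21"                  # mov ah,4Ch / int 21h: a minimal COM program
CLEAN_TIME = pack_dos_time(12, 30, 5)             # 12:30:10, a normal DOS time
SUSPECT_FILE = CLEAN_FILE + b"\x73\x63\x00"       # bytes 73h 63h = word 6373h, then one trailing byte
SUSPECT_TIME = pack_dos_time(12, 30, CREPATE_SECONDS_FIELD)  # seconds field 31 -> 62 seconds

if __name__ == "__main__":
    for name, data, dos_time in (("clean.com", CLEAN_FILE, CLEAN_TIME),
                                 ("suspect.com", SUSPECT_FILE, SUSPECT_TIME)):
        print(name, classify(data, dos_time) or ["no Crepate indicators"])
```

Because the virus's own stealth routines rely on exactly these markers, a scan run from a clean boot (so INT 21h is not hooked) can use the same checks to enumerate infected files; with the virus resident, the directory time stamp is the more reliable of the two, since the trailer would be hidden by the stealth code.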
The virus creates a "garbage" header for every file that is infected. The virus also employs techniques to confuse heuristic scanners.
Once the damage routine is activated, the virus is effectively able to bypass many programs monitoring INT 13h, because the original address of INT 13h is taken during the boot process.
When the virus is active in memory, CHKDSK will report allocation errors. This is due to the stealth method used by the virus.
The virus contains two strings: "Crepate (c)1992/93-Italy-(Pisa)" and "Crepa(c) by R.T." The second string is located right at the end of the infected files and, unlike the rest of the code, is unencrypted.
[Analysis: Jeremy Gumbley, Symbolic, Parma]