Threat Description

EkoTerror

Details

Aliases: EkoTerror
Category: Malware
Type:
Platform: W32

Summary



This virus contains a lot of bugs but also some quite sophisticated routines like stealth capabilities and debug tricks. The virus may be have escaped from its developer when still in beta.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



EkoTerror set a lot of conditions and therefore spreads slowly. It infects COM files and hard disk master boot sectors (MBR). It may infect a file more than once.

The virus moves the original MBR and partition table to sector 5 of the hard disk, overwriting the original ones with its own code.

Due to a bug in the virus, most computers do not boot after the MBR has been infected.

The virus contains the following text:

Copyright (C) 1984 BORLAND Inc

This probably means that the virus was compiled with a Borland compiler.

EkoTerror activates on random dates when the computer is booted. It displays the following message at system startup:

 EkoTerror (C) 1991  ATK-toimisto P.Linkola Oy
   Kovalevysi on poistettu kaytast. luonnonsuojelun nimessaa
   Vihre.ss. yhteiskunnassa ei saa olla ydins.hk.ll. toimivia kovalevyj..

The message is in Finnish and reads:

 EkoTerror (C) 1991  ATK-toimisto P.Linkola Oy
   Your hard disk has been disabled for protecting the environment.
   There must not be any nuclear powered hard disks in a green society.

While displaying the message, the virus overwrites the first sectors of the hard disk. After overwriting them, it hangs the computer by entering an infinite loop.

EkoTerror was reported to be in the wild in Finland in June 1992.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More