Note: F-Secure Anti-Virus 4.02 used to have a false alarm of Tremor in a file called EABGCSC.DLL from a Dutch accounting program. The file is clean - ignore the false alarm. Version 4.03 fixes this problem.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The Tremor virus, which was first spotted in Germany in late 1993, spread itself in the beginning of May, 1994, in quite a peculiar fashion. It was spread far and wide over Europe via the PRO-7 TV channel owned by the German company Channel Videodat.
The PRO-7 channel, which reaches most parts of Europe via satellite or cable TV, is used to distribute computer programs in addition to broadcasting normal TV transmissions. These programs can be transferred from the channel into a computer by using a special decoder. 60,000 computer users are estimated to receive data through the channel, but it is not known how many of them caught the virus.
The virus research center of Karlsruhe University (Micro-BIT Virus Center) contacted Channel Videodat about a week after the fateful transmission, but at the time the company denied anything had happened. The anti-virus program used by the company turned out to be unable to spot Tremor, however, and a week and a half later Channel Videodat began to broadcast warnings and anti-virus programs to its viewers several times a day.
The virus had infected, and spread with, the PKUNZIP.EXE program transmitted together with a ZIP-packed anti-virus program. The program had become infected in a Dusseldorf-based software shop which supplies programs to Channel Videodat. The anti-virus program itself was originally clean, but it was unable to detect the Tremor virus.
Tremor is a retrovirus designed to attack several different integrity-checker and anti-virus programs. It is a self-encrypting virus with great polymorphic abilities, capable of creating billions of different-looking copies of itself. Besides utilizing the usual random numbers, Tremor takes advantage of the data in a computer when it changes its code. This characteristic makes the virus hard to spot. Since Tremor's appearance varies considerably from computer to computer, anti-virus experts had some difficulties in producing a good sample of the virus for testing.
The virus is difficult to detect, especially so when it is in memory, because it employs complex stealth virus techniques. In this respect, Tremor is a remarkable virus. It can make it seem like no additional code is present in infected files, even though its appearance changes during every infection. Few other viruses do the same.
When a Tremor-infected program is executed for the first time, the virus decrypts its code and checks the date in the computer's clock. If more than three months have passed since the original infection date, the virus activates. If the time is not yet up, Tremor checks the operating system's version number and, should the version be older than 3.30, allows the execution of the host program to proceed normally.
If the operating system's version number is 3.30 or greater, the virus searches memory for a program that responds to function 30h of interrupt 01h. If the virus detects such a program, it allows the execution of the host program to proceed normally and does not install itself into memory. Most likely Tremor performs the check in order to avoid being detected by some anti-virus program that uses interrupt 01h.
After having checked interrupt 01h, the virus installs itself into memory. Tremor's way of installing itself into memory is unique: it copies itself into extended or high memory, if such memory areas are available in the computer. If not, the virus installs itself into the upper part of conventional memory.
After having performed all its checks, Tremor automatically infects the command interpreter indicated by the COMSPEC environment variable. Afterwards, the virus can always get into memory before most anti-virus programs.
While active in memory, the virus is able to prevent several different anti-virus applications from detecting itself. It monitors the computer's functioning constantly and, should it detect certain checks being made, either cancels them altogether or prevents them from spotting itself. If Tremor discovers the presence of either Central Point Anti-Virus or Microsoft Anti-Virus, it blocks the functioning of their memory-resident parts. The virus can thereafter function without either CPAV or MSAV noticing it.
The virus is capable of taking advantage of several different procedures, such as the execution or copying of programs, to infect COM and EXE files. Tremor checks how a file's name begins before infecting the file. If the name begins with the character combinations CH, ME, MI, F2, F-, SY, SI or PM, the virus makes certain changes to memory to avoid detection.
Tremor marks the infected files by adding one hundred years to the file's date of modification. This addition is not readily noticeable, because DOS usually displays only the last two numbers of the year in a date. If the virus notices that some program is trying to read the file, it changes the date back to normal and deletes its code from the file before allowing it to be read.
The copies of infected files do not carry the infection if the copying is done while the virus is active in memory, because Tremor removes its code from the source files when they are read. Therefore, the only likely situation in which the virus can infect a diskette is when a user executes a program from a diskette that is not write-protected. Because of this, Tremor spreads from one computer to another quite slowly.
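The "+100 years" file-date marker described above is something a defender can look for directly, because a scanner that reads the full four-digit year (rather than the two digits DOS displayed) sees an obviously impossible date. The following is an added example, not F-Secure's own tool or code from the original description: it walks a directory, looks only at COM and EXE files, and flags any whose modification year is roughly 100 years ahead of a reference year. The file names, the tolerance window and the sample directory it builds are constructed for illustration.

```python
"""Heuristic scan for Tremor's +100-year file-date marker (added example)."""
import os
import tempfile
from datetime import datetime, timezone

# From the description: Tremor adds 100 years to an infected file's
# modification date. DOS showed two year digits, so 1994 -> 2094 still
# read as "94", but the full year exposes the offset.
YEAR_OFFSET = 100
TOLERANCE_YEARS = 5   # assumption: allow a little clock skew around +100


def year_of(mtime_epoch):
    """Full four-digit year of a POSIX modification timestamp (UTC)."""
    return datetime.fromtimestamp(mtime_epoch, tz=timezone.utc).year


def has_future_date_marker(mtime_epoch, reference_year):
    """True when the file's year is about reference_year + 100, i.e. the
    implausible timestamp Tremor leaves on the files it infects."""
    delta = year_of(mtime_epoch) - reference_year
    return abs(delta - YEAR_OFFSET) <= TOLERANCE_YEARS


def scan_dir(root, reference_year=None, extensions=(".com", ".exe")):
    """Return sorted paths under root whose modification year carries the
    marker. Only executables are checked, since Tremor infects COM and EXE."""
    if reference_year is None:
        reference_year = datetime.now(timezone.utc).year
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            if has_future_date_marker(os.stat(path).st_mtime, reference_year):
                hits.append(path)
    return sorted(hits)


def build_sample_dir():
    """Create a constructed sample tree: one clean file, one 'marked' file
    (date pushed 100 years ahead) and one non-executable with a wild date
    that must be ignored. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="tremor_sample_")
    samples = {
        "clean.com":   datetime(1994, 5, 1, tzinfo=timezone.utc),   # normal
        "payroll.exe": datetime(2094, 5, 1, tzinfo=timezone.utc),   # +100 y
        "readme.txt":  datetime(2094, 5, 1, tzinfo=timezone.utc),   # not COM/EXE
    }
    for name, stamp in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        secs = stamp.timestamp()
        os.utime(path, (secs, secs))
    return root


def demo():
    """Scan the constructed sample tree as if it were May 1994 and return
    the base names of the files that carry the marker."""
    root = build_sample_dir()
    return [os.path.basename(p) for p in scan_dir(root, reference_year=1994)]


if __name__ == "__main__":
    for name in demo():
        print("suspicious modification date:", name)
```

The scan only finds what the filesystem reports. Because the description says the resident virus restores the original date and strips its code whenever a file is read, a check like this is meaningful only when run from a clean boot medium, with no chance that Tremor is active in memory; any hit should then be confirmed with a scanner that can detect the virus itself, since a far-future timestamp alone can also come from a badly set clock.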
The virus contains two separate activation routines. The first routine shakes the picture on the screen for a moment, after which it jams the computer. This happens only on very rare, random occasions.
The second activation routine hijacks interrupt 15h. Interrupt 15h is quite rarely used, since practically the only applications that use it are certain DOS multiprocessing environments, such as DesqView. Some programs do, however, use INT 15h to set the processor into protected mode. The activation routine is executed if another program tries to use interrupt 15h, after which Tremor clears the screen and displays the text "T.R.E.M.O.R. was done by NEUROBASHER / May-June '92, Germany, -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-".
The sentence "Moment of terror is the beginning of life" has been borrowed from FRONT 242, a Belgian techno/industrial band. The sentence is printed on the inner envelope of their Front-By-Front album. Neurobasher is one of their songs.
Tremor was the first known polymorphic stealth virus. After Tremor, viruses like Uruguay, Natas and Neuroquila have implemented similar functionality.
Description Created: Mikko Hypponen, F-Secure