BombTrack, a heavily armoured polymorphic virus, was distributed in BBS systems in the spring of 1994. It was hidden within the player for an erotic animation. Bombtrack is a memory-resident COM and EXE infector, about 2400 bytes long. It allocates 6 kB of DOS memory at runtime and infects executables when they are run. The virus achieves polymorphism by using variable decryptors buried in long runs of non-significant instructions. The virus uses a lot of anti-debugging tricks to prevent disassembly.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Before infection, the virus erases the MSAV and CPAV checksum files. It also carefully avoids infecting popular anti-virus scanners.
The virus contains several bugs. Some variants are not able to reproduce reliably and are, from a virocentric point of view, an evolutionary dead end. The activation routine is supposed to create a directory structure called "\BOMBTRA.CK\NEVER"ne". However, this operation is rather poorly implemented and almost always causes severe file system corruption.
The virus will sometimes infect an executable and fail to modify its entry point. Such files, at first sight similar to successfully infected ones, are not functional since the viral code never gets the chance to be executed. Finally, the virus doesn't take great care of the target's memory requirements: an infected COM file can grow to more than 64 KB and an infected EXE can grow larger than the memory it allocates. Such files are, unable to execute properly.
Bombtrack was the first Belgian polymorphic virus.
Slightly modified variant.
Technical Details:Pierre Vandevenne, DataRescue sprl, Belgium