EkoTerror

Classification

Malware

-

-

EkoTerror

Summary

This virus contains a lot of bugs but also some quite sophisticated routines like stealth capabilities and debug tricks. The virus may be have escaped from its developer when still in beta.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

EkoTerror set a lot of conditions and therefore spreads slowly. It infects COM files and hard disk master boot sectors (MBR). It may infect a file more than once.

The virus moves the original MBR and partition table to sector 5 of the hard disk, overwriting the original ones with its own code.

Due to a bug in the virus, most computers do not boot after the MBR has been infected.

The virus contains the following text:

Copyright (C) 1984 BORLAND Inc

This probably means that the virus was compiled with a Borland compiler.

EkoTerror activates on random dates when the computer is booted. It displays the following message at system startup:

 EkoTerror (C) 1991
ATK-toimisto P.Linkola Oy

Kovalevysi on poistettu kaytast. luonnonsuojelun nimessaa

Vihre.ss. yhteiskunnassa ei saa olla ydins.hk.ll. toimivia kovalevyj..

The message is in Finnish and reads:

 EkoTerror (C) 1991
ATK-toimisto P.Linkola Oy

Your hard disk has been disabled for protecting the environment.

There must not be any nuclear powered hard disks in a green society.

While displaying the message, the virus overwrites the first sectors of the hard disk. After overwriting them, it hangs the computer by entering an infinite loop.

EkoTerror was reported to be in the wild in Finland in June 1992.