
                            .   .       .  .    .
                           .:: .:.. .. .:.::. :.:.
                       <<-=ЬЫЫЫЫЫЬ.ЬЫЫЫЫЫЬ.ЬЫЫЫЫЫЬ==<
                         .:ЫЫЫ ЫЫЫ:ЫЫЫ ЫЫЫ.ЫЫЫ ЫЫЫ::.
                        :: .ЬЬЬЫЫЯ.ЯЫЫЫЫЫЫ:ЫЫЫЫЫЫЫ .:.
                       .:..ЫЫЫЬЬЬЬ.ЬЬЬЬЫЫЫ.ЫЫЫ ЫЫЫ.::.:
                     .:>===ЫЫЫЫЫЫЫ:ЫЫЫЫЫЫЯ.ЫЫЫ ЫЫЫ==->> .
                   ..: ::. . .:..Laboratories .:.. :.. ::..


                              ANTIVIRUS PATHETISM
                             ДДДДДДДДДДДДДДДДДДДДД

        A history about Ithaqua and technical services sucking big cock

                               by Wintermute/29A



    Ы Introduction


    This article was made due to a test made by the most important spanish
magazine, PcActual, with my colaboration: this magazine, makes an annual
comparison among antiviruses, using thousands of virii for it; this time the
article is released on january 1999 mag by the journalists called Antonio
Ropero and Bernardo Quintero.

    The idea is that this year there was going to be a different test apart
from the detection and cleaning ones. The magazine talked with me so we
could make an interesting test; a test about the technical support services
of the antivirus companies.

    So, Ithaqua was sent to most AV companies; that is AVP, F-Prot/F-Secure,
Thunderbyte, Panda, DrSolomon, Norton, Sophos and Nai. The results can't
be more pathetic from all points of view, and that is what I'm highlighting
in this article.



    Ы What did you send ? Make me a briefing on Ithaqua


    The file sent by the magazine was infected with a bit of... hum, bad
intentionality :). It was infected by using the inserting infection of
Ithaqua virus in COM files: so, as the jmp_to_virus is introduced randomly
inside the COM code if you for example executed it in dos>=7.0, the virus
didn't execute. I remember there was needed another condition, but I dunno
remember mwahaha ;P

    So, this was sent to the AVs listed before, and the mag tested how much
time did they take to make a response, clean it, etc. They of course didn't
say they were a magazine, but a poor user who found the snowing effect from
Ithaqua on his little brother's 386 ( which has problems with the bios stack,
so that it can have a 29th april date ;-)) ).

    And first of all, a brief technical description from Panda Antivirus:


    === Cut ===

    [...]

In particular, Ithaqua  is a particularly complex virus to detect, although
its effects are no more destructive than having your PC completely blocked,
with snowflakes falling down the screen around the message Ithaqua Virus by
Wintermute/29A

Technically speaking,  this is  a multipartite virus of  8030-8542 bytes in
size,  resident in  memory,  which will  become active  on April  29th . It
infects .COM and .EXE files, as well as the Master Boot Record (MBR) in the
hard drive.  Infected files become larger when  the virus code is attached.

The  difficulty in  detecting  and disinfecting  Ithaqua  is rooted  in its
multiple  and varied infection  systems, besides  looking for the  adequate
breeding environment. These systems vary as they infect .COM files by means
of the  EPO (Entry Point  Obscuring) system, which  consists of tracing the
program  code which  will ‘host’ it  and randomly  placing the jump  to the
virus routine.

Meanwhile, the infection method  for .EXE files is the search for cavities.
The size of the  infected file is not increased, and thus its visibility is
minimal. It is necessary  that certain conditions be fulfilled in order for
one of  these infection methods to  work and to find  its adequate breeding
environment. For  instance, the  EPO system in the  .COM extension requires
not only the presence of EMS memory, but also that the files to be infected
are less than 32 KB in size.

In addition, Ithaqua  has a double/simple encryption or stealth system. The
first layer is polymorphic-encrypted, and the second one is just encrypted.
All these  factors make the location  of all the possible  variants of this
virus, both  in .EXE and .COM  files and in the  MasterBoot -which also has
stealth  and  polymorphic-encryption  routines-,  a very  complicated  task
indeed.

    [...]

    === Cut ===



    Ы Antivirus reactions


    Now let's go to fun... shit, if I was an end-user, I would become an
ended-user after reading this; this makes you quite afraid <g>.


        Ы Panda software surprisingly has been the best of the antiviruses
checked out in this comparison. Only 5 hours later than sending the file,
they said they had the whole laboratory working on Ithaqua and sent a
description on how it works, infections, polymorphism, etc, while telling
the "infected user" they had 96% effectivity on cleaning viruses on 24
hours.

        22 hours from when the virus was sent, they gave a solution... bad
stuff that it didn't really work <g>. It detected perfect and cleaned COM
inserting and appending files, but none of the EXE infections ( appending
and cavity ) and nor the MBR one.

        After that, an EXE file was sent to them, as well as to other
antivirus companies ( just to make them have the same opportunities ). Then
again, the response was another actualization that cleans the EXE infections
perfect... but not the MBR ( yuck ! ), which wasn't even detected... tested
with three different MBR infections.

        Anyway, this was the best antivirus working.


        Ы F-Secure had problems reproducting it... also wanted a copy of
the MBR, beeing so stupid to send for that a .bat file that used debug to
get it... by just using int13h, so the stealth fooled it and a clean copy
was sent ( it was supposed to be a normal user :P ). After that there was
attention to the virus and the user and that stuff, so you can't say they
have a bad service...



        Ы AVP antivirus took some time to answer. After some time, they said
it was sent to Kaspersky, and they had some problems becuz they didn't
notice that it infected depending on the operating system and its
characteristics. It took to Kaspersky and his lab SEVEN days to annulate
the virus, who said that it was really complex: " the complex randomly
changing polimorphic engines had to be made by a doctorate in computers
engineering ", said ( rulez, doesn't it :-))) ).

        Well, I haven't had still time to check the cleaning as this article
was written fuckin fast... but there is a funny thing they said, that with
this kind of virus, seven days even if it sounds a long time, is the best
an antivirus company would make to clean such a complex virus hahahaha
( oops, then what is Panda :) )


        Ы NAI antivirus in the beggining lasted 24 hours to say "hum, yeah,
we send it to the french technical service"; that was the only response in
4 days; the fifth day they wrote to say that "yep, there is a virus"... and
non-clean it.


        Ы Thunderbyte antivirus, Norton and Sophos... wow, this really suxzor.
They just said the file WAS NOT infected at all. Do you really work on
viruses you assholes ? The case on Norton was the worst, as they just have
a robot that scans the file and tells ya isn't infected by e-mail as if
it was the technical service... Norton SUCKS BIG COCK :-G



    Ы More info

    If you know spanish <g> in www.pc-actual.com are even the e-mails and so
that the magazine received and the whole test results.