Monday, July 25, 2011

94. Black Bat virus






Blackbat is a virus. It appeared in issue 6 of the 29A magazine. Blackbat is a Windows 9x file infector, whose signature is Rohitab's birth date.

Behavior
The virus checks if it is already in memory, searching for the value 0AD75h. If WIN.SYS is found in the root of drive C:, it will not become memory resident or infect files. If neither of these conditions exists, the virus becomes memory resident. It infects any Windows Portable Executable. Blackbat avoids infecting files with "AV", "AN", and "F-" in their names, effectively preventing it from attacking antivirus products. It appends its code to the end of the file.
On December 8, the virus delivers a payload, displaying the message box "Happy BirthDay :-)".
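Because the virus appends its code to the end of the host file, a header check is a useful first triage step. The following is an added example, not code from the original post or from the virus: a Python heuristic that flags a PE file whose entry point lies inside its last section and whose last section is both writable and executable. It assumes an appending infector redirects the entry point into the appended code, which the post does not state for Blackbat; the function names and the sample headers are constructed for illustration.

```python
import struct

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def pe_layout(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_size, flags), ...]) from PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (nsect,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    (entry,) = struct.unpack_from("<I", data, coff + 20 + 16)  # AddressOfEntryPoint
    table, sections = coff + 20 + opt_size, []
    for off in range(table, table + nsect * 40, 40):  # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize = struct.unpack_from("<III", data, off + 8)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        sections.append((name, vaddr, vsize, rsize, flags))
    return entry, sections

def appender_indicators(data):
    """Heuristic findings that suggest code was appended and given control."""
    entry, sections = pe_layout(data)
    if len(sections) < 2:
        return []
    name, vaddr, vsize, rsize, flags = max(sections, key=lambda s: s[1])  # highest RVA
    findings = []
    if vaddr <= entry < vaddr + max(vsize, rsize):
        findings.append("entry point inside last section " + name)
    if flags & EXEC and flags & WRITE:
        findings.append("last section is writable and executable")
    return findings

def build_pe(entry, sections):
    """Constructed PE32 headers only (no code), used as sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(224, b"\0")
    table = b"".join(n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vs, va, vs, 0, 0, 0, 0, 0, fl)
                     for n, va, vs, fl in sections)
    return dos + b"PE\0\0" + coff + opt + table

TEXT, DATA = (b".text", 0x1000, 0x1000, 0x60000020), (b".data", 0x2000, 0x1000, 0xC0000040)
CLEAN = build_pe(0x1000, [TEXT, DATA])        # constructed: entry in .text
SUSPECT = build_pe(0x3010, [TEXT, DATA, (b".reloc", 0x3000, 0x1000, 0xE0000020)])  # constructed
print(appender_indicators(CLEAN), appender_indicators(SUSPECT))
```

Packed executables can trigger the same findings, so a hit is a reason to inspect the file further, not a verdict.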
Origin
Blackbat was written by Rohitab, who published it in issue 6 of 29A magazine. Its copyright date is 1999, but no more specific date was given. In addition, Issue 6 of 29A was released in 2004. Its location of origin is in all likelihood India, as during 1999, Rohitab was in his last semester at Kurukshetra University and later working at DCM Technologies, according to his resume.
Advanced features include Anti-Debugging Code and use of Structured Exception Handling. The virus will not infect computers that have WIN.SYS located in the root directory. The file time and date are restored after infection. The virus will not infect Anti-Virus programs like Norton Anti-Virus, TBAV, McAfee, F-Prot and a few others.
Source Code
Blackbat Virus Source Code 1.0 - - Non Destructive Virus
