Win32.Etap
Etap is a very complex parasitic {high-polymorphic:Poly} Win32 virus that uses the entry-point obscuring technique. The virus infects Windows executable files (Win32 PE EXE). When run the virus searches for these files and infects them.
Replication
The virus searches for Win32 PE executable files in the current directory
and in the directories located in the three levels above the current directory.
It also searches for executable files on available network drives and on
removable media. If a directory's name begins with "W" it infects the exe
files contained within. The virus doesn't infect files if their names begin
with the following:
F-
PA
SC
DR
NO
'Etap' also spares files with names containing the letter 'V' and depending on random counter values.
While infecting files the virus rebuilds and encrypts its body and writes it to one of the host file's sections. Then, it searches for and replaces one of the 'alls' to the "ExitProcess" function in the host's code section with the 'call' to the viral code.
Payload
Depending on the system date and whether the infected host file imports
the Windows library User32.dll file the virus may display messages, such
as:
On May, 14th:
"Free Palestine!"
or
On March, June, September, December, 17h:
"Metaphor V1 by the Mental Driller/29a", or
"Metaphor 1b by the Mental Driller/29a"
The latter message's letters may be randomly selected.
We thank you ALL for your kind votes which made this site FIRST in two categories.
A 10 vote = Very Good
A 1 vote = Waste of cyber Space !
ALL those sending emails of thanks are kindly requested to indicate whether these are for publication.
IMPORTANT NOTICE:
ALL those who are receiving this advise
and in the "name" field they find 'FAILED' and a 6 or 8 digit figure
after it, should be advised that at least once, emails to that address
have been received back by us. As the list of subscribers now exceeds 100,000, and since this
is a free service, we kindly urge you to become a registered
subscriber to this service and ensure delivery by subscribing under
a reliable email address. WE REGRET THAT AS AFTER THIS ISSUE,
ALL ADDRESSES THAT ARE NOT DELIVERABLE WILL BE REMOVED FROM THE LIST.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty
of any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages.
PLEASE ADVISE ALL YOUR FRIENDS ON YOUR LIST
PLEASE ALSO NOTE THE FOLLOWING:
1) You are currently SUBSCRIBED to our mailing list
2) If you are receiving more than one copy of this warning please click here
3) If you DO NOT wish to receive anymore of these alerts, please click here
4) YOUR friends are also welcome to be on the VIRUS ALERT but an email has to be
sent to the Webmaster by themselves so that a record of all requests can be kept in case
somebody cries "SPAM" ! Simply click here
and send the email as it appears.
5) THIS IS A FREE SERVICE RUN IN THE PUBLIC INTEREST BY
6) ALSO PLEASE BE ADVISED THAT YOUR EMAIL WILL
NEVER BE SOLD, EXCHANGED OR IN ANYWAY WHATSOEVER DISCLOSED TO ANYBODY ELSE.
******
Fabian Brincat
Webmaster
Fabian Enterprises Ltd.
SEE PREVIOUS VIRUS ALERT
RETURN TO VIRUS ALERT MAIN INDEX
©ALL MATERIAL IS PROTECTED BY COPYRIGHT LAWS AND MAY NOT BE REPRODUCED IN ANY FORM WHATSOEVER WITHOUT THE PRIOR WRITTEN CONSENT OF THE WEBMASTER.
All Trade names and Trade marks
are hereby acknowledged as being the property of the Registered Owners
181202/100904/031004
