Win.Homer family

These are “memory-resident” viruses that infect NewEXE (Windows) files. They were written in C++ and are quite large: from 40K to 54K. Five virus versions are known; they were received as “germs” (first-generation samples). Only two of them are able to replicate; the others cannot replicate themselves because of bugs.
When an infected file is executed, the virus hooks INT 21h and stays in Windows memory as a task. Depending on the virus version, this task is either visible (it has its own window) or hidden. INT 21h is hooked in one of several ways, again depending on the virus version: real/protected-mode DPMI, or Windows API hooking. When a NewEXE file is executed, the virus infects it: it writes its code to the end of the file and modifies the file’s NewEXE header.
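As an added illustration (not code from the original write-up or from the virus), the sketch below parses the MZ and NE headers and flags files whose entry-point segment is the last one in the file and runs to the end of it. This is a generic heuristic for appended code, not a Homer signature; the function names, the 512-byte slack and the sample image are assumptions constructed for this example.

```python
import struct

def ne_entry_layout(data: bytes) -> dict:
    """Parse the MZ/NE headers and report where the entry-point segment sits in the file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    ne = struct.unpack_from("<I", data, 0x3C)[0]               # e_lfanew: offset of NE header
    if len(data) < ne + 0x40 or data[ne:ne + 2] != b"NE":
        raise ValueError("not a NewEXE file")
    ip, cs = struct.unpack_from("<HH", data, ne + 0x14)        # entry CS:IP, CS is 1-based
    nseg = struct.unpack_from("<H", data, ne + 0x1C)[0]        # segment count
    segtab = ne + struct.unpack_from("<H", data, ne + 0x22)[0] # segment table (NE-relative)
    shift = struct.unpack_from("<H", data, ne + 0x32)[0] or 9  # 0 means 512-byte sectors
    if not 1 <= cs <= nseg:
        raise ValueError("entry segment index out of range")
    segs = []
    for i in range(nseg):                                      # 8-byte entries
        sector, length = struct.unpack_from("<HH", data, segtab + 8 * i)
        start = sector << shift
        segs.append((start, start + (length or 0x10000)))      # length 0 means 64 KiB
    start, end = segs[cs - 1]
    return {
        "entry": (cs, ip),
        "entry_offset": start,
        "entry_is_last_segment": start == max(s for s, _ in segs),
        "bytes_after_entry_segment": len(data) - end,
    }

def looks_appended(info: dict, slack: int = 512) -> bool:
    """Heuristic (assumption): entry code is physically last and reaches end of file."""
    return info["entry_is_last_segment"] and 0 <= info["bytes_after_entry_segment"] <= slack

def build_sample(entry_cs: int) -> bytes:
    """Constructed two-segment NE image for testing; not a real program or sample."""
    mz = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    hdr = bytearray(0x40)
    hdr[0:2] = b"NE"
    struct.pack_into("<HH", hdr, 0x14, 0x0010, entry_cs)       # IP, CS
    struct.pack_into("<H", hdr, 0x1C, 2)                       # two segments
    struct.pack_into("<H", hdr, 0x22, 0x40)                    # table follows the header
    struct.pack_into("<H", hdr, 0x32, 4)                       # 16-byte sectors
    # segment 1 at 0x100 (0x80 bytes); segment 2 at 0x200 (0x100 bytes, ends at EOF)
    segtab = struct.pack("<4H", 0x10, 0x80, 0, 0x80) + struct.pack("<4H", 0x20, 0x100, 0, 0x100)
    img = (mz + bytes(hdr) + segtab).ljust(0x100, b"\0") + b"A" * 0x80
    img = img.ljust(0x200, b"\0") + b"B" * 0x100
    return img
```

Legitimate NE files usually carry resources after their code segments, so a hit is a reason to look closer rather than a verdict.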
Several virus versions also hook network services. Text in the virus source code says that “Homer” is able to upload itself to the “incoming” directory of an FTP server: the virus intercepts the user’s login to the remote server, waits until the login procedure is complete, then creates a copy of itself on the C: drive and uploads it to the server using the File Transfer Protocol (FTP). We did not test this ability of the virus, but the virus source code seems to have no bugs. In any case, this is one of the first steps that modern viruses take to affect global networks. Maybe we are looking at the beginning of a new era of global network worms.
The virus source code has the comment:
HOMER virus by Kernel Panik, Italy, april 1997
