Tremor

Type: Virus
SubType: File Infector
Discovery Date: 03/01/1993
Length: 4,000 Bytes
Minimum DAT: 4002 (12/02/1998)
Updated DAT: 4002 (12/02/1998)
Minimum Engine: 5.1.00
Description Added: 03/15/1993
Description Modified: 03/15/1993 12:00 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

Tremor is a stealth, polymorphic, memory resident, file infecting virus. It infects COMMAND.COM and .EXE files. It is an "anti anti-virus virus", containing some checks to avoid detection by anti-viral software.

Upon infection, the Tremor virus becomes memory resident at the top of system memory but below the 640K DOS boundary. It hooks interrupts 15 and 21. If, however, upper memory or extended memory is available, the virus installs most of its code in that memory instead, with a hook to it in memory below 640K. Also at this time, the virus infects the copy of COMMAND.COM pointed to by the COMSPEC variable.

Once memory resident, the Tremor virus infects .EXE files as they are executed.

Additional Comments:
The Tremor virus was received in March, 1993, and is from Germany. Tremor is a memory resident infector of COMMAND.COM and .EXE files. It is an "anti anti-virus virus", containing some checks to avoid detection by anti-viral software.

When the first Tremor infected program is executed, the Tremor virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 15 and 21. If, however, upper memory or extended memory is available, the virus will install most of its code in that memory instead, with a hook to it in memory below 640K. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 4,288 bytes. Also at this time, the virus will infect the copy of COMMAND.COM pointed to by the COMSPEC variable.

Once memory resident, the Tremor virus will infect .EXE programs when they are executed, adding 4,000 bytes to the file's length. The file length increase will be hidden when Tremor is resident. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, but will actually have had 100 added to the years field in the file date. This is the infection marker for the virus. Tremor is an encrypted virus, and no text strings are visible within the viral code in infected programs.

Systems infected with the Tremor virus will experience a sluggish system response to commands and program execution. File allocation errors will be detected by the CHKDSK program when the virus is memory resident, but not when Tremor is not in memory. After Tremor has been present on the system for over three months, a slight shaking effect of the contents of the system display may occur accompanied by a system hang.

The virus may also occasionally clear the system display and display the following message on the system monitor:

"-=> T.R.E.M.O.R was done by NEUROBASHER / May-June '92, Germany <=- -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-"

After a few seconds, the system will then return to "normal".

The Tremor virus is a full stealth virus, disinfecting programs as they are read into memory. As a result, anti-viral programs which are executed to check file checksums/CRCs, or for the presence of the virus in files without first verifying it isn't in memory, will not find the virus in files. It also checks for the presence of some anti-viral monitoring programs in memory. Additionally, Tremor is polymorphic, and an algorithmic approach must be used for detection.

Symptoms

Systems infected with the Tremor virus may experience a sluggish system response to commands and file execution. File allocation errors can be detected by the CHKDSK program when the virus is memory resident. After Tremor has been present on the system for over three months, a slight shaking effect of the contents of the system display may occur accompanied by a system hang. The virus may also occasionally clear the system display and display the following message on the system monitor:

"-=> T.R.E.M.O.R was done by NEUROBASHER / May-June '92, Germany <=- -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE-"

After a few seconds, the system returns to "normal".

The Tremor virus is a full stealth virus, disinfecting files as they are read into memory. As a result, anti-viral programs which are executed to check file checksums/CRCs, or for the presence of the virus in files, will not find the virus in files when the virus is memory resident. It also checks for the presence of some anti-viral monitoring programs in memory. Additionally, Tremor is polymorphic, and an algorithmic approach must be used for detection.

Total system and available free memory decreases by 4,288 bytes. Infected files increase in length by 4,000 bytes. The file length increase is hidden when Tremor is resident (Stealth Techniques). The virus is located at the end of the file. The file's date and time in the DOS disk directory listing are altered: 100 is added to the years field in the file date.
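The date marker described above can be checked offline against raw directory data taken from a clean boot or a disk image. The following is an added example, not part of the original description or of any vendor tool: it assumes the standard 32-byte FAT directory entry layout (date stored as a 7-bit offset from 1980) and a listing that prints two-digit years; `make_entry`, `find_marked` and `SAMPLE_DIR` are hypothetical names and the sample directory is constructed. A hit is a triage indicator only, not proof of infection.

```python
import struct

ENTRY_SIZE = 32       # one FAT directory entry
MARKER_YEARS = 100    # per the description: 100 is added to the years field
VIRUS_LENGTH = 4000   # per the description: bytes appended to an infected file
LAYOUT = "<8s3sB10xHHHI"  # name, ext, attr, reserved, time, date, cluster, size

def make_entry(name, ext, year, month, day, size):
    """Build one constructed 8.3 directory entry (sample data only)."""
    date = ((year - 1980) << 9) | (month << 5) | day
    return struct.pack(LAYOUT, name.ljust(8).encode(), ext.ljust(3).encode(),
                       0x20, 0, date, 0, size)

def find_marked(directory):
    """Return (filename, stored_year, two_digit_year, length_minus_virus)
    for COMMAND.COM / .EXE entries whose year field carries the marker."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        name, ext, attr, _time, date, _clus, size = struct.unpack_from(
            LAYOUT, directory, off)
        if name[0] == 0x00:                  # no further entries
            break
        if name[0] == 0xE5 or attr & 0x18:   # deleted, volume label/LFN, subdirectory
            continue
        fname = (name.decode("ascii", "replace").rstrip() + "." +
                 ext.decode("ascii", "replace").rstrip())
        if ext != b"EXE" and fname != "COMMAND.COM":
            continue                         # not a file type this virus infects
        year_field = date >> 9               # 7-bit offset from 1980
        if year_field >= MARKER_YEARS:       # only reachable with +100 applied
            year = 1980 + year_field
            hits.append((fname, year, f"{year % 100:02d}", size - VIRUS_LENGTH))
    return hits

# Constructed sample directory: two marked files, two unmarked, end marker.
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 1991 + 100, 4, 9, 47845 + 4000),
    make_entry("GAME", "EXE", 1992, 6, 1, 30000),
    make_entry("EDIT", "EXE", 1993 + 100, 3, 10, 12000 + 4000),
    make_entry("README", "TXT", 1993, 1, 1, 512),
    bytes(ENTRY_SIZE),
])

if __name__ == "__main__":
    for hit in find_marked(SAMPLE_DIR):
        print(hit)
```

The two-digit year column shows why the directory listing looks unaltered: a stored year of 2091 and the original 1991 both print as 91.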

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word, the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Tremor.4000.A
