CRUSHER
- Type: Virus
- SubType: Multi-Partite
- Discovery Date: 11/01/1992
- Length: 2,048 Bytes
- Minimum DAT: 4002 (12/02/1998)
- Updated DAT: 4002 (12/02/1998)
- Minimum Engine: 5.1.00
- Description Added: 11/15/1992
- Description Modified: 11/15/1992 12:00 AM (PT)
Characteristics
CRUSHER is a memory resident, stealth Multi-partite Virus. It infects hard disk Master Boot Records (MBR) and .EXE files.
Upon infection, the CRUSHER virus infects the system hard disk MBR. It writes an unencrypted copy of the viral code to Side 0, Cylinder 0, sectors 2 through 5, and then alters the hard disk MBR so that this code is executed the next time the system is booted from the hard disk. It does not become memory resident at this time.
The next time the system is booted from the system hard disk, the CRUSHER virus becomes memory resident at the top of system memory but below the 640K DOS boundary. Interrupt 21 is hooked by CRUSHER in memory.
Once the CRUSHER virus is memory resident, it infects .EXE files as they are executed.
Additional Comments:
The Crusher virus was submitted in November, 1992. It is from The Netherlands. Crusher is a memory resident infector of the hard disk master boot sector (partition table) and .EXE programs. It employs some stealth techniques to avoid detection.
The first time a program infected with the Crusher virus is executed, the Crusher virus will infect the system hard disk master boot sector. It writes an unencrypted copy of the viral code to Side 0, Cylinder 0, sectors 2 through 5, and then alters the hard disk master boot sector so that this code will be executed the next time the system is booted from the hard disk. It does not become memory resident at this time.
The next time the system is booted from the system hard disk, the Crusher virus will become memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,064 bytes. Interrupt 21 will be hooked by Crusher in memory.
Once the Crusher virus is memory resident, it will infect .EXE programs when they are executed. Infected programs will have a file length increase of 2,048 bytes, though the file length increase will be hidden when the virus is active in memory. The file's date and time in the DOS disk directory listing will not be altered. The following text strings are encrypted within the viral code:
"Crusher"
"You are damned"
"Bit Addict / Trident"
The Crusher virus will occasionally display the above text when it is memory resident. Infected systems will also experience cross-linking of files.
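A check a responder could run on a raw disk image acquired offline, covering the MBR and the sectors the description names (Side 0, Cylinder 0, sectors 2 through 5). This is an added example, not part of the original description; the function names, the sample image and the premise that these sectors are normally zero-filled on a plain DOS disk are assumptions.

```python
import hashlib

SECTOR = 512
# From the description: Side 0, Cylinder 0, sectors 2 through 5.
NAMED_CHS = [(0, 0, s) for s in range(2, 6)]

def chs_to_lba(cyl, head, sector, heads=16, spt=63):
    """CHS -> LBA (sectors start at 1); heads/spt are assumed defaults."""
    return (cyl * heads + head) * spt + (sector - 1)

def triage_track0(image: bytes) -> dict:
    """Summarise the MBR and the sectors the description names."""
    if len(image) < SECTOR * 5:
        raise ValueError("image must cover at least the first 5 sectors")
    mbr = image[:SECTOR]
    report = {
        "mbr_signature_ok": mbr[510:512] == b"\x55\xaa",
        "mbr_sha256": hashlib.sha256(mbr).hexdigest(),
        "sectors": {},
    }
    for cyl, head, sec in NAMED_CHS:
        lba = chs_to_lba(cyl, head, sec)
        data = image[lba * SECTOR:(lba + 1) * SECTOR]
        report["sectors"][sec] = {
            "lba": lba,
            "in_use": any(data),  # True if any byte is non-zero
            "sha256": hashlib.sha256(data).hexdigest(),
        }
    # Assumption: a plain DOS disk leaves these sectors zero-filled.
    report["needs_review"] = any(s["in_use"] for s in report["sectors"].values())
    return report

def diff_against_baseline(current: dict, baseline: dict) -> list:
    """Name every region whose hash differs from a known-good report."""
    changed = ["mbr"] if current["mbr_sha256"] != baseline["mbr_sha256"] else []
    for sec, info in current["sectors"].items():
        if info["sha256"] != baseline["sectors"][sec]["sha256"]:
            changed.append(f"sector {sec}")
    return changed

def constructed_image(filled: bool) -> bytes:
    """Constructed 8-sector sample; the filler bytes are not viral code."""
    mbr = bytes(510) + b"\x55\xaa"
    body = b"\xcc" * (SECTOR * 4) if filled else bytes(SECTOR * 4)
    return mbr + body + bytes(SECTOR * 3)

if __name__ == "__main__":
    clean, dirty = (triage_track0(constructed_image(f)) for f in (False, True))
    print(dirty["needs_review"], diff_against_baseline(dirty, clean))
```

Boot managers and drive overlays also store data in these sectors, so `needs_review` is a prompt to compare against a known-good baseline, not a verdict.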
Symptoms
The following text strings are encrypted within the viral code:
"CRUSHER"
"You are damned"
"Bit Addict / Trident"
The CRUSHER virus occasionally displays the above text when it is memory resident. Infected systems also experience cross-linking of files.
Total system and available free memory decreases by 2,048 bytes. Infected files have a file length increase of 2,048 bytes. The file length increase is hidden when the virus is active in memory (Stealth techniques). The file's date and time in the DOS disk directory listing are not altered.
Method of Infection
Multi-partite viruses have two main routes of infection: as a Master Boot Record/Boot Sector Virus or as a File Infecting Virus.
Most infections occur when a computer attempts to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred.
Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.
The second route of infection is by receiving an infected file through a multitude of sources including: floppy diskettes, downloads through an online service, network, modem connections, etc. Once the infected file is executed, the virus may activate.
Variants
- Crusher/sex666
- Sex-666
- Sex666.mp.2048
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- Crusher
- Crusher.mp.2048