
W32/Etap

Type: Virus
SubType: Win32
Discovery Date: 02/14/2002
Length: about 100,000 bytes
Minimum DAT: 4189 (03/06/2002)
Updated DAT: 4189 (03/06/2002)
Minimum Engine: 5.1.00
Description Added: 03/06/2002
Description Modified: 08/21/2003 4:30 PM (PT)
Risk Assessment:
  Corporate User: Low
  Home User: Low


Characteristics

-- Update 6/4/2003 --
Detection of W32/Etap has been restricted to the latest engines (4240, 4260 and later), which have built-in support for locating entry-point-obfuscating viruses much faster than older engines could. Note that AVERT has had no field reports of W32/Etap for many months.
--

-- Update 5/15/2002 --
A new version, known as Etap.d, has recently been discovered. It infects both Win32 PE and Linux ELF files. Detection for the Linux strain went into the 4204 DAT set. This makes it the first polymorphic virus, and the first entry-point-obfuscating virus, for Linux.
--

-- Update 4/11/2002 --
The detection of W32/Etap has been improved over the last few weeks, so that most users should not notice a slowdown from this detection. If you are able to isolate a specific file that takes an unusually long time to scan, please send a copy to virus_research@avertlabs.com and mention that you are sending it because of the slowdown.
--

-- Update 4/03/2002 --
Since the 4194 DATs, detection of this virus no longer requires the "Program Heuristics" option.
--

When an infected file is run, it infects other Win32 files on the system. The virus prefers applications written in C and is more likely to hit OS files than ordinary applications. It carries the string "Metaphor v1 by The Mental Driller/29A". The string is not visible in infected files (the virus body is stored encrypted), but on the 17th of March, June, September and December it is displayed, with the case of each letter changed at random.

On the 14th of May, on systems with Hebrew character support, the virus displays a message box saying "Free Palestine!".

This virus is polymorphic and uses an entry-point obfuscation (EPO) technique: rather than changing the PE entry point, it replaces the host's calls to "ExitProcess" with obfuscated jumps to a polymorphic decryptor. The obfuscated jump, the polymorphic decryptor and the encrypted virus body can each be anywhere in the host file, so a scanner has no fixed location to start from; this is what makes detection difficult and slow.

Although detection is complex, AVERT has decided to include it, using the ActiveDAT technology in the scanning engine and DATs. As a consequence, some users may notice a slight performance decrease after updating to the 4189 DATs. This is a necessary tradeoff for obtaining detection of a known "in the wild" virus. To allow users some flexibility, the 4189 DATs include detection for this virus ONLY when the "Program Heuristics" option is turned on (this requirement was later dropped; see the 4/03/2002 update above). AVERT will continue to work on improving the detection of this virus to reduce the impact users may see, and improvements will appear in future DATs.

If this virus is detected on your computer, please report it to AVERT by sending an e-mail to virus_research@nai.com .

The virus author sent a sample of this virus to fourteen different AV companies on 14 Feb 2002. About two weeks later the sample (version 1b) was also circulated in an electronic magazine distributed by the 29A virus-writing group. A slight modification of the same virus was then built from the published ASM sources; it carries a different string, "Deutsche Telekom by Energy 2002*g**", displayed on the 18th of March, June, September and December.

This variant also carries the string "Heavy Good Code!", which is almost never displayed.

Symptoms

Infected files grow in size by about 100,000 bytes (this varies greatly). Some of them no longer run. No virus-related strings are visible in infected files.

Method of Infection

Infects Win32 applications with an ".EXE" extension, but only in folders whose name does not start with the letter "W". The virus also skips programs with the letter "V" in their name and programs whose name starts with "F-", "PA", "SC", "DR" or "NO" (patterns that match the names of common anti-virus products). It enumerates all available network drives and looks for writeable targets on them as well. File dates and timestamps do not change after infection, so a check based on modification times will not reveal it.
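Because the timestamps survive infection, the usual "what changed since the last backup" check finds nothing; a practical hunt has to compare file content against a recorded baseline. The following is an added example in Python, not AVERT's tooling: it records size, modification time and SHA-256 for every .EXE under a root, reports files whose bytes changed while the timestamp stayed the same, and notes whether each such file falls in the set the virus would target according to the rules above (read here as case-insensitive, with "folder" taken as the file's parent directory; both readings are assumptions). The directory tree and the simulated infection are constructed inside the demo function.

```python
import hashlib
import os
import tempfile

AVOIDED_PREFIXES = ("F-", "PA", "SC", "DR", "NO")


def etap_would_target(relpath: str) -> bool:
    """Target rules as the description states them (case-insensitive matching
    and 'parent folder' are assumptions): .EXE, parent folder not starting with
    W, no 'V' in the file name, none of the avoided name prefixes."""
    folder, name = os.path.split(relpath)
    name = name.upper()
    return (name.endswith(".EXE")
            and not os.path.basename(folder).upper().startswith("W")
            and "V" not in name[:-4]
            and not name.startswith(AVOIDED_PREFIXES))


def manifest(root: str) -> dict:
    """relpath -> (size, mtime_ns, sha256) for every .EXE below root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.upper().endswith(".EXE"):
                continue
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            out[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return out


def compare(baseline: dict, current: dict) -> dict:
    """relpath -> finding for files whose bytes differ from the baseline.
    Content is compared by hash; the timestamp is only reported, never trusted."""
    findings = {}
    for rel, (size, mtime_ns, digest) in current.items():
        if rel not in baseline:
            findings[rel] = "not in baseline"
            continue
        bsize, bmtime_ns, bdigest = baseline[rel]
        if digest == bdigest:
            continue
        reason = "content changed, "
        reason += "timestamp preserved, " if mtime_ns == bmtime_ns else ""
        reason += f"grew {size - bsize} bytes"
        if etap_would_target(rel):
            reason += ", in Etap target set"
        findings[rel] = reason
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then modify one file the
    way the description says Etap does (append a body, restore the timestamp)."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("Apps/calc.exe", "Apps/notepad.exe", "Windows/explorer.exe"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"MZ" + bytes(1000))      # placeholder, not a real PE
        baseline = manifest(root)
        victim = os.path.join(root, "Apps", "calc.exe")
        st = os.stat(victim)
        with open(victim, "ab") as f:
            f.write(os.urandom(100_000))          # ~100 KB appended body
        os.utime(victim, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp put back
        return compare(baseline, manifest(root))


if __name__ == "__main__":
    for rel, finding in demo().items():
        print(rel, "->", finding)
```

The baseline must be taken from a known-clean state (installation media or a pre-incident backup) and stored where an infected host cannot rewrite it; comparing a host against its own yesterday's manifest only tells you what changed since yesterday.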

In most targets the virus wipes out the relocation section of the host file. The file still runs (an EXE is normally loaded at its preferred base address and never needs its relocations), but the original bytes are gone, so proper cleaning is impossible and the file has to be replaced from a clean copy.
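Two of the traits described on this page, the rewritten "ExitProcess" call sites under Characteristics and the wiped relocation section here, are visible in the PE headers and code bytes without running anything. The following added example (Python, written for this page and not AVERT's or the scanning engine's logic) implements both checks on a PE32 file: it looks for intact compiler-style `call dword ptr [IAT slot]` references to the ExitProcess import, and for a base-relocation data directory that is empty while the COFF header does not claim relocations were stripped. The IAT slot address is passed in rather than parsed from the import table, the constructed PE builder fills in only the headers the checks read, the code bytes are a hand-written stand-in for a real call site and its rewrite, and the assumption that an Etap relocation wipe leaves exactly this header mismatch is mine, not the page's.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit
IMAGE_SCN_MEM_EXECUTE = 0x20000000    # section Characteristics bit
DIR_BASERELOC = 5                     # data-directory index of .reloc


def parse_pe32(data: bytes):
    """Return (characteristics, data_dirs, sections) of a PE32 image, where
    sections is a list of (virtual_address, virtual_size, raw_ptr, raw_size, flags)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((va, vsize, rawptr, rawsize, flags))
    return chars, dirs, sections


def reloc_directory_inconsistent(data: bytes) -> bool:
    """Empty base-relocation directory in a file whose header does not say the
    relocations were stripped. A linker leaves the two consistent; that an Etap
    relocation wipe leaves this mismatch is an assumption of this example."""
    chars, dirs, _ = parse_pe32(data)
    rva, size = dirs[DIR_BASERELOC]
    return (rva == 0 or size == 0) and not chars & IMAGE_FILE_RELOCS_STRIPPED


def intact_exitprocess_calls(data: bytes, iat_slot_va: int) -> list:
    """RVAs of compiler-style `call dword ptr [iat_slot_va]` (FF 15 imm32) sites
    in executable sections. Etap rewrites these into jumps to its decryptor."""
    _, _, sections = parse_pe32(data)
    needle = b"\xff\x15" + struct.pack("<I", iat_slot_va)
    hits = []
    for va, _, rawptr, rawsize, flags in sections:
        if not flags & IMAGE_SCN_MEM_EXECUTE:
            continue
        code = data[rawptr:rawptr + rawsize]
        pos = code.find(needle)
        while pos != -1:
            hits.append(va + pos)
            pos = code.find(needle, pos + 1)
    return hits


def assess(data: bytes, iat_slot_va: int) -> list:
    """Indicators worth a second look; neither alone proves infection."""
    findings = []
    if not intact_exitprocess_calls(data, iat_slot_va):
        findings.append("no intact call to the ExitProcess import")
    if reloc_directory_inconsistent(data):
        findings.append("empty relocation directory without RELOCS_STRIPPED")
    return findings


def build_pe32(code: bytes, relocs_stripped: bool, reloc_dir: tuple) -> bytes:
    """Synthetic single-section PE32 used as constructed sample data (not a real
    program; only the headers this example reads are filled in)."""
    image_base, text_rva, file_align, hdr_size = 0x400000, 0x1000, 0x200, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    chars = 0x0102 | (IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, chars)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, file_align)      # section/file alignment
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_BASERELOC, *reloc_dir)
    rawsize = -(-len(code) // file_align) * file_align
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, rawsize,
                      hdr_size, 0, 0, 0, 0, IMAGE_SCN_MEM_EXECUTE | 0x00000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return headers.ljust(hdr_size, b"\0") + code.ljust(rawsize, b"\0")


IAT_EXITPROCESS = 0x402010   # assumed VA of the kernel32!ExitProcess IAT slot
# `push 0; call dword ptr [ExitProcess]` as a C compiler emits it (constructed)
CLEAN_CODE = b"\x6a\x00\xff\x15" + struct.pack("<I", IAT_EXITPROCESS)
# the same site after an Etap-style rewrite: jmp rel32 toward a decryptor further
# into the file, padded to the original 6 bytes (constructed stand-in; the real
# jump is itself obfuscated and differs from one infection to the next)
EPO_CODE = b"\x6a\x00\xe9" + struct.pack("<i", 0x3000) + b"\x90"

CLEAN_SAMPLE = build_pe32(CLEAN_CODE, relocs_stripped=False, reloc_dir=(0x2000, 0x40))
INFECTED_SAMPLE = build_pe32(EPO_CODE, relocs_stripped=False, reloc_dir=(0, 0))

if __name__ == "__main__":
    print("clean   :", assess(CLEAN_SAMPLE, IAT_EXITPROCESS))
    print("infected:", assess(INFECTED_SAMPLE, IAT_EXITPROCESS))
```

On a real binary the IAT slot comes from walking the import directory, and a compiler may also reach ExitProcess through `jmp dword ptr [slot]` thunks (FF 25) or through a CRT wrapper, so the call-site count is a prompt to look closer rather than a verdict; the value of the pair of checks is that they are cheap and do not depend on the polymorphic decryptor looking like anything in particular.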

Removal

All Users:
Use a current engine and DAT files for detection. Replace files that cannot be cleaned with backup copies.


Variants

  • W32/Etap.a
  • W32/Etap.b
  • W32/Etap.d

Overview

This is a virus detection. Viruses are programs that self-replicate recursively: infected systems spread the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is quite common for a virus to do nothing more than spread from one system to another.

Aliases

  • Linux/Etap
  • Win32.Simile (NAV)
