Distributed By Amateur Virus Creation & Research Group (AVCR)

Name Of Virus: OOHLALA2
-----------------------------------------------------------------------------
Alias: None
-----------------------------------------------------------------------------
Type Of Code: Encrypted EXE & COM infector, Non-Mem-resident
-----------------------------------------------------------------------------
VSUM Information - (NONE)
-----------------------------------------------------------------------------
Antivirus Detection:
(1) ThunderByte Anti Virus (TBAV) reported infected files as "Possible Virus"
(2) Frisk Software's F-Protect (F-PROT) reported infected files as Nothing.
(3) McAfee Softwares Anti Virus (SCAN.EXE) reported infected files as nothing.
(4) MicroSoft Anti Virus (MSAV.EXE) reported infected files as nothing.
-----------------------------------------------------------------------------
Execution Results: Upon execution, it displays the following-

"Ohhhh La La! Mommmy, Theyre Teasing me again Shut up you little sonsuvbitches"

Then plays a nice little tune. Before the tune starts, it nails 6 files
total, COM & EXE... Either one.
-----------------------------------------------------------------------------
Cleaning Recommendations: Delete Infected or TBAV (using Anti-Vir.dat..)
-----------------------------------------------------------------------------
My Notes:
This virus is a non-resident infector of EXE & COM files, except Command.com.
It will not (that I found) infect files under 1K in size of either ext.
EXE's show up as 1960 larger than before, but COM files didn't until I
rebooted the PC... (?) Maybe My PC glitched... I Dunno...
-----------------------------------------------------------------------------
Disassembly of the OOHLALA2 Virus
-----------------------------------------------------------------------------
I found all EXE files to contain this string...

"BF 10 01 06 1E 06 89 FE 81 EE 00 01 32 E4"

All COM files had....

"BF ?8 ?? 06 1E 06 89 FE 81 EE 00 01 32 E4"

So, just add this to your scanner... No problemo....

"06 1E 06 89 FE 81 EE 00 01 32 E4"
-----------------------------------------------------------------------------
'Till next time, I'm The W$l, and you're not.......
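
Added example (not part of the original AVCR sheet): a small Python matcher for the three byte patterns quoted above, reading "??" as any byte and a single "?" as any nibble. That reading of "?8", the signature labels and the two sample buffers are assumptions constructed for illustration.

```python
import re
import sys

# Signatures exactly as listed in the write-up ("?" = any nibble).
SIGNATURES = {
    "OOHLALA2 EXE form": "BF 10 01 06 1E 06 89 FE 81 EE 00 01 32 E4",
    "OOHLALA2 COM form": "BF ?8 ?? 06 1E 06 89 FE 81 EE 00 01 32 E4",
    "OOHLALA2 common tail": "06 1E 06 89 FE 81 EE 00 01 32 E4",
}

def compile_signature(sig):
    """Compile 'BF ?8 ??' style text into a bytes regex."""
    parts = []
    for tok in sig.split():
        if not re.fullmatch(r"[0-9A-Fa-f?]{2}", tok):
            raise ValueError(f"bad signature token: {tok!r}")
        # Expand each nibble to the values it allows, then combine.
        hi = range(16) if tok[0] == "?" else [int(tok[0], 16)]
        lo = range(16) if tok[1] == "?" else [int(tok[1], 16)]
        values = [h << 4 | l for h in hi for l in lo]
        if len(values) == 256:
            parts.append(b".")                      # full-byte wildcard
        else:
            cls = b"".join(b"\\x%02x" % v for v in values)
            parts.append(b"[" + cls + b"]")         # 1 or 16 allowed bytes
    return re.compile(b"".join(parts), re.DOTALL)

COMPILED = {name: compile_signature(s) for name, s in SIGNATURES.items()}

def scan(data):
    """Return sorted (offset, signature name) pairs found in data."""
    return sorted((m.start(), name)
                  for name, rx in COMPILED.items()
                  for m in rx.finditer(data))

# Constructed sample buffers (not real infected files): padding around
# byte runs that fit the COM and EXE forms of the pattern.
SAMPLE_COM = (b"\x90" * 4
              + bytes.fromhex("BF 18 05 06 1E 06 89 FE 81 EE 00 01 32 E4")
              + b"\x00" * 3)
SAMPLE_EXE = bytes.fromhex("BF 10 01 06 1E 06 89 FE 81 EE 00 01 32 E4")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for offset, name in scan(fh.read()):
                print(f"{path}: {name} at offset {offset:#x}")
```

Every hit on the EXE or COM form also produces a hit on the common tail three bytes later, since the tail is a suffix of both longer patterns.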