-- Update 6/4/2003 --
Detection of W32/Etap was restricted to the latest engines (4240, 4260+) because they have built-in technology to search for entry-point obfuscating viruses much quicker. It has to be noted that AVERT had no reports of W32/Etap from the field for many months.
-- Update 5/15/2002 --
A new version known as Etap.d has recently been discovered. It infects both Win32 PE and Linux ELF files. Detection for the Linux strain went into the 4204 DAT set. This makes it the first polymorphic as well as the first entry-point-obfuscating virus for Linux.
-- Update 4/11/2002 --
The detection of W32/Etap has been improved over the last few weeks, so that most users should not notice a slowdown from this detection. If you are able to isolate a specific file that takes an unusually long time to scan, please send a copy to email@example.com and mention that you are sending it because of the slowdown.
-- Update 4/03/2002 --
Since 4194 DATs the detection of this virus no longer requires "Program Heuristic" mode.
When an infected file is run, it infects other Win32 files on the system. The virus prefers to hit applications written in the C language and is more likely to hit OS files rather than normal applications. This virus carries the string "Metaphor v1 by The Mental Driller/29A". It is not visible in infected files, but this string (with the lettercase changed randomly) is displayed on the 17th of March, June, September and December.
On the 14th of May, on systems with Hebrew character support, the virus will display a message box saying "Free Palestine!".
This virus is polymorphic and uses an entry-point obfuscation (EPO) technique. When infecting, the virus replaces all "ExitProcess" calls in the host file with obfuscated jumps to a polymorphic decryptor. The obfuscated polymorphic jump, the polymorphic decryptor, and the encrypted body of the virus can be anywhere in the host file, which makes detection a difficult task.
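As an added illustration of why the EPO technique above is awkward for scanners (this is example code written for this page, not AVERT's or the engine's detection logic), the following scans a 32-bit code blob for indirect calls through an assumed ExitProcess IAT slot: a host that imports ExitProcess but no longer calls it through the IAT is consistent with the replacement described above. The IAT address, the code bytes and the "infected" variant are all constructed for the example.

```python
import struct

# Assumed (constructed) virtual address of the host's IAT slot for ExitProcess.
EXITPROCESS_IAT = 0x00402000


def find_iat_references(code: bytes, iat_slot: int) -> list:
    """Return (offset, mnemonic) for every 'call dword ptr [slot]' (FF 15 disp32)
    or 'jmp dword ptr [slot]' (FF 25 disp32) that goes through the given IAT slot.
    This is a byte-pattern heuristic, not a disassembler, so embedded data that
    happens to match the pattern would also be reported."""
    hits = []
    target = struct.pack("<I", iat_slot)
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25) and code[i + 2:i + 6] == target:
            hits.append((i, "call" if code[i + 1] == 0x15 else "jmp"))
            i += 6
        else:
            i += 1
    return hits


def exitprocess_calls_intact(code: bytes, iat_slot: int) -> bool:
    """Heuristic check: True if at least one direct 'call [ExitProcess]' survives.
    A host whose ExitProcess calls have all been rewritten (as the EPO technique
    described on this page does) returns False and deserves a closer look."""
    return any(mnemonic == "call" for _, mnemonic in find_iat_references(code, iat_slot))


# Constructed clean snippet:  push 0 ; call dword ptr [ExitProcess] ; ret
CLEAN = b"\x6A\x00" + b"\xFF\x15" + struct.pack("<I", EXITPROCESS_IAT) + b"\xC3"

# Constructed "infected" snippet: the 6-byte IAT call has been overwritten with a
# 5-byte relative jmp (E9 rel32) to some other location plus a 1-byte nop filler,
# so no call through the ExitProcess IAT slot remains.
INFECTED = b"\x6A\x00" + b"\xE9" + struct.pack("<i", 0x1234) + b"\x90" + b"\xC3"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("infected", INFECTED)):
        print(name, find_iat_references(blob, EXITPROCESS_IAT),
              "intact" if exitprocess_calls_intact(blob, EXITPROCESS_IAT) else "SUSPICIOUS")
```

On a real file the same check would be run over the code section after resolving the ExitProcess IAT slot from the import directory; the jump destination, decryptor and body still have to be found separately, which is the expensive part the updates above refer to.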
Although detection is complex, AVERT has decided to include detection using the ActiveDAT technology in the scanning engine and DATs. As a consequence, some users may notice a slight performance decrease after updating to 4189 DATs. This is a necessary tradeoff for obtaining detection of a known "in the wild" virus. To allow users some flexibility, AVERT has included detection for this virus ONLY when the "Program Heuristics" option is turned on. AVERT will continue to work on improving the detection of this virus to reduce the impact users may see. Improvements will eventually be noticed in future DATs.
If this virus is detected on your computer, please report it to AVERT by sending an e-mail to firstname.lastname@example.org
The sample of this virus was sent on 14 Feb 2002 to fourteen different AV companies by the virus author. In about 2 weeks the virus sample was also circulated in an electronic magazine distributed by the 29A virus writing group (version 1b). A slight modification of the same virus was created from the published ASM sources; it carries a different string ("Deutsche Telekom by Energy 2002*g**") displayed on the 18th of March, June, September and December.
This variant also carries the string "Heavy Good Code!", but it is almost never displayed.
discovered on 14 Feb 2002 (requires 4189 DATs)
discovered on 06 Mar 2002 (requires 4189 DATs)
Many replicants of W32/Etap.d are detected generically with 4189 DATs as W32/Etap with program heuristics enabled. The specific Linux/Etap.d detection was added to the 4204 DATs, while W32/Etap.d detection was added to the 4205 DATs.