Virus Name:  Tremor
Aliases:
V Status:    New
Discovered:  March, 1993
Symptoms:    .COM & .EXE growth; decrease in total system and available free memory; minor shaking of system display; message
Origin:      Germany
Eff Length:  4,000 Bytes
Type Code:   PRhEK - Parasitic Resident COMMAND.COM & .EXE Infector
Detection Method:  F-Prot 2.07+
Removal Instructions:  Delete infected files

General Comments:

The Tremor virus was received in March, 1993, and is from Germany. Tremor is a memory resident infector of COMMAND.COM and .EXE files. It is an "anti anti-virus virus", containing some checks to avoid detection by anti-viral software.

When the first Tremor infected program is executed, the Tremor virus will install itself memory resident at the top of system memory but below the 640k DOS boundary, hooking interrupts 15 and 21. If, however, upper memory or extended memory is available, the virus will install most of its code in that memory instead, with a hook to it in memory below 640k. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 4,288 bytes. Also at this time, the virus will infect the copy of COMMAND.COM pointed to by the COMSPEC variable.

Once memory resident, the Tremor virus will infect .EXE programs when they are executed, adding 4,000 bytes to the file's length. The file length increase will be hidden when Tremor is resident. The virus will be located at the end of the file. The program's date and time in the DOS disk directory listing will not appear to be altered, but will actually have had 100 added to the years field in the file date. This is the infection marker for the virus. Tremor is an encrypted virus, and no text strings are visible within the viral code in the infected programs.

Systems infected with the Tremor virus will experience a sluggish system response to commands and program execution. File allocation errors will be detected by the CHKDSK program when the virus is memory resident, but not when Tremor is not in memory. After Tremor has been present on the system for over three months, a slight shaking effect of the contents of the system display may occur accompanied by a system hang. The virus may also occasionally clear the system display and display the following message on the system monitor:

    "-= T.R.E.M.O.R. was done by NEUROBASHER / May-June '92, Germany <=-
     -MOMENT-OF-TERROR-IS-THE-BEGINNING-OF-LIFE"

After a few seconds, the system will then return to "normal".

The Tremor virus is a full stealth virus, disinfecting programs as they are read into memory. As a result, anti-viral programs which are executed to check file checksums/CRCs, or for the presence of the virus in files without first verifying it isn't in memory, will not find the virus in files. It also checks for the presence of some anti-viral monitoring programs in memory. Additionally, Tremor is polymorphic, and an algorithmic approach must be used for detection.
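
The infection marker described above (100 added to the years field of the file date) can be looked for directly in raw directory data. The Python sketch below is an added example, not part of the original entry: it assumes the standard 32-byte FAT directory entry with a packed 16-bit DOS date, and the function names, threshold and sample entries are constructed for illustration.

```python
import struct

MARKER_YEARS = 100  # per the entry: 100 is added to the years field of the file date

def parse_dos_date(word):
    """Unpack a 16-bit DOS date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return 1980 + (word >> 9), (word >> 5) & 0x0F, word & 0x1F

def suspect_entries(raw_dir):
    """Return (name, stored_year, two_digit_year, size) for .COM/.EXE entries
    whose stored year offset is >= 100, i.e. 2080 or later (heuristic threshold)."""
    hits = []
    for off in range(0, len(raw_dir) - 31, 32):
        entry = raw_dir[off:off + 32]
        if entry[0] == 0x00:                      # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:  # deleted, volume label, subdirectory
            continue
        ext = entry[8:11].decode("ascii", "replace").strip()
        if ext not in ("COM", "EXE"):
            continue
        date_word, _cluster, size = struct.unpack_from("<HHI", entry, 24)
        year = parse_dos_date(date_word)[0]
        if year - 1980 >= MARKER_YEARS:
            name = entry[0:8].decode("ascii", "replace").strip() + "." + ext
            # A listing that prints two-digit years shows year % 100, hiding the marker.
            hits.append((name, year, year % 100, size))
    return hits

def _entry(name, ext, year, month, day, size, attr=0x20):
    """Build one constructed 32-byte directory entry (sample data only)."""
    date_word = ((year - 1980) << 9) | (month << 5) | day
    return struct.pack("<8s3sB10xHHHI", name.ljust(8).encode(),
                       ext.ljust(3).encode(), attr, 0, date_word, 2, size)

# Constructed sample directory: two executable entries carry the +100 year marker.
SAMPLE_DIR = b"".join([
    _entry("COMMAND", "COM", 2093, 3, 10, 51845),
    _entry("EDIT", "EXE", 1993, 3, 10, 413),
    _entry("GAME", "EXE", 2092, 6, 1, 24000),
    _entry("NOTES", "TXT", 2093, 1, 1, 100),
]) + bytes(32)

if __name__ == "__main__":
    for name, year, shown, size in suspect_entries(SAMPLE_DIR):
        print(f"{name}: stored year {year}, listed as {shown:02d}, {size} bytes")
```

Because the entry describes Tremor as full stealth, a check like this belongs on directory data read while the virus is not in memory. A stored year of 2080 or later is only a heuristic indicator and should be followed by a scanner that handles the polymorphic code.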