This is a memory-resident parasitic polymorphic virus that is not dangerous. It is large (about 11Kb of assembler code) and is encrypted with twelve encryption loops. The virus writes itself to the end of DOS COM and EXE files, except COMMAND.COM.
To install its TSR copy, the virus patches the memory control blocks and as a result reserves for its TSR copy a block of system memory that lies outside the DOS memory blocks. If the virus is run from an infected WIN.COM or KEYB.COM (which will stay in DOS memory until the next reboot), it uses another way: it installs itself as a part of the infected program and pays no attention to the DOS memory tables.
To complete the installation, the virus hooks INT 9 (keyboard), INT 1Ch (timer) and INT 21h (DOS functions), and then infects COM and EXE files that are accessed (executed, opened, closed, searched, etc.). Before returning control to the host file, the virus infects three disk files:
The virus uses several tricks to disable or bypass anti-virus scanners. While installing itself memory resident, it scans the system memory for the TBAV and SCAN anti-virus devices and disables their routines. The virus does not infect several anti-virus programs: VIRSTOP2, VIRSTOP, F-PROT, SCAN, TBAV, NAV. It also deletes the anti-virus data files CHKLIST.MS and ANTI-VIR.DAT.
When the virus runs for the first time in the system, it creates the KEYB.SYS file in one of the directories C:\WINDOWS or C:\DOS, or in the root directory of the C: drive. The virus writes the following text lines there:
Do not modify this file!
where 'x' is an ASCII character that is variable and depends on the virus generation. This data in the KEYB.SYS file is followed by a counter that is increased each time an infected program starts. The virus uses this file only to store this counter.
Depending on this counter, the virus activates its trigger routines. Starting from the 1000th execution, it enables INT 9 and INT 1Ch handlers that randomly select and run one of several routines that display messages, change strings on the screen, change the keyboard buffer, etc.
Starting from the 800th execution, the virus, depending on the system random counter, appends to the C:\AUTOEXEC.BAT file instructions that display one of the messages:
Your keyboard has expired its evaluation period!
Please, register to Microsoft(c) Corporation.
Found hardware error on video card (code 23001):
Please, move your monitor and reboot the PC.
Found error: ah ah ah ahall eh eh eh eh.......
uh uh uh uh.... Dr.SCSI & Mr.IDE
Your Hard Disk is boring to live...
Youthanasia will start now... (formatting C:)
Found Boot error: replace the TORPINO Card
and reboot the system immediately !
This message is a property of F-PROT Antivirus:
Please, contact Fridrick for more info...
The virus also checks an additional file, C:\TORPASS.DAT, and seems to use it as a kind of self-protection. If the first four bytes of data in this file contain the disk C: serial number, the virus disables several of its trigger and infection subroutines. If the fifth byte is not zero, the virus beeps each time it infects a file.
The virus contains the following text strings, some of which are used in its effects:
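The file artifacts described above (the KEYB.SYS marker text, the messages appended to AUTOEXEC.BAT, and TORPASS.DAT) can be checked on a mounted copy of drive C:. The following triage script is an added example, not part of the original description; the function names are hypothetical, and it assumes the message text appears verbatim in AUTOEXEC.BAT and that file names may be mounted in either case.

```python
import os
import tempfile

KEYB_MARKER = b"Do not modify this file!"  # text the description says is written to KEYB.SYS
AUTOEXEC_MESSAGES = [                      # first line of each message listed above
    b"Your keyboard has expired its evaluation period!",
    b"Found hardware error on video card (code 23001):",
    b"Found error: ah ah ah ahall eh eh eh eh",
    b"Your Hard Disk is boring to live...",
    b"Found Boot error: replace the TORPINO Card",
    b"This message is a property of F-PROT Antivirus:",
]

def _find(directory, name):
    """Case-insensitive lookup of an upper-case DOS name; None if absent."""
    if directory and os.path.isdir(directory):
        for entry in os.listdir(directory):
            if entry.upper() == name:
                return os.path.join(directory, entry)
    return None

def _read(path):
    with open(path, "rb") as fh:
        return fh.read()

def triage(c_root):
    """Return (indicator, detail) findings for a mounted copy of drive C:."""
    findings = []
    for directory in (_find(c_root, "WINDOWS"), _find(c_root, "DOS"), c_root):
        path = _find(directory, "KEYB.SYS")
        if path and KEYB_MARKER in _read(path):
            findings.append(("KEYB.SYS marker", path))
    path = _find(c_root, "AUTOEXEC.BAT")
    if path:
        data = _read(path)
        findings += [("AUTOEXEC.BAT message", m.decode()) for m in AUTOEXEC_MESSAGES if m in data]
    path = _find(c_root, "TORPASS.DAT")
    if path:
        data = _read(path)  # bytes 0-3: serial number field, byte 4: beep flag
        detail = ("serial bytes %s, beep flag %s" % (data[:4].hex(), "set" if data[4] else "clear")
                  if len(data) >= 5 else "present, shorter than 5 bytes")
        findings.append(("TORPASS.DAT", detail))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.mkdir(os.path.join(root, "DOS"))
        with open(os.path.join(root, "DOS", "keyb.sys"), "wb") as fh:
            fh.write(KEYB_MARKER + b"\r\n")      # constructed content
        print(triage(root))
```

The serial bytes are reported raw because the description does not state their byte order; compare them by hand with the volume serial number of the examined disk.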
You are a Torpiner
C O N G R A T U L A T I O N S !
Your PC is my new house !
I'm not a destroyer...
I'm the incredible Virus...
--> T O R P I N O (c) <--
Turn on Sound Blaster Speakers !
We Thank Very Much The F-PROT Antivirus For The Contribution
To The Spread Of This Virus... Have A Good Time !
By The Virus TORPINO (C) Ver. 2.0, Copyright(C) 1997 By DR.SCSI And Mr. IDE.
Total Rows Code: 3474, Coded In ITALY, Around MATERA, In July-December 1997.
Direct Support: Our Heads; Dave Mustaine; Billy (A Programmer Dog!).
Indirect Support: The Great Dark Avenger; N.R.L.G Team; Peter Norton
(Smack !); Our WorkStation: Two 486; The Obscure Author Of Tentacle.