This archive is infected with the Happy New Year '96 link virus; please
read the analysis that Markus has done.
Entry...............: H.N.Y.96. I+II
Alias(es)...........: Happy_New_Year_96
Virus Strain........: -
Virus detected when.: 11/1995
where.: Austria, Germany, Holland, Poland and USA
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 540 Bytes
2. Length in RAM: 540 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: Text at the end of the first hunk: "Happy_New_Year_96"
Type of infection...: Self-identification method in files:
- Searches for $65772059 in the first Hunk.
Self-identification method in memory:
- Checks for $2f08 (move.l a0,-(sp)) in the LoadSeg function
System infection:
- RAM resident, infects the LoadSeg() code of
DOS library
Infection preconditions:
- device has more than 4 free sectors
- file is longer than $960 bytes and shorter than
$1e460 bytes
- A HUNK_CODE block is found in the area behind the
HUNK_HEADER (NO CHECK FOR RUNAWAYS!!!)
- The filename does not contain a "-" and does not
contain ".l". This is probably a precaution so
that no library gets infected.
- $4e75 (RTS) is found at the end of the first CODEHUNK,
or $4e75 occurs within the last $3f words of this hunk.
Infection Trigger...: Accessing the volume
Storage media affected: all DOS-devices
Interrupts hooked...: LoadSeg() of DOS is patched and used to run the
infection code. The routine is a little bit buggy
and trashes the A1 register.
Damage..............: Permanent damage:
- None
Transient damage:
- None
Damage Trigger......: Permanent damage:
- None
Transient damage:
- None
Particularities.....: This virus uses no encryption routines to hide its
code. The LoadSeg() patch is not entirely clean and
trashes the address register A1.
Similarities........: The link method is comparable to the Crime
series: the end of the first hunk is the location
for the virus, and the last "RTS" is replaced.
Stealth.............: no stealth abilities found
Armouring...........: The virus only uses some unusual addressing
instructions to confuse the AV people.
Installers..........: DemoManiac 2.19 fake (dop-dm1.dms)
DeTag0.63 (detag063.lha)
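The self-identification and infection preconditions listed under "Attributes" amount to a small static scanner: parse the AmigaDOS hunk executable, find the first HUNK_CODE block, and test it. The following is an added example in Python, not code from this page and not from Markus Schmall's analysis, that implements those checks and the virus' own marker test, together with a bounded hunk-file walker (the counterpart to the virus' unbounded forward scan for HUNK_CODE). Assumptions: the free-sector check is omitted because it depends on the volume rather than the file; the filename test is done byte-for-byte as written rather than case-insensitively; the marker longword $65772059 is searched as a byte string anywhere in the first code hunk; the parser understands only the block types an ordinary executable carries (HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32, HUNK_DEBUG, HUNK_END); the sample executables are constructed by the example's own `build_hunk_file` and contain no virus code, only the marker and text appended to a padded NOP/RTS program.

```python
import struct

# AmigaDOS hunk block identifiers (the executable format LoadSeg() reads)
HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 = 0x3E9, 0x3EA, 0x3EB, 0x3EC
HUNK_DEBUG, HUNK_END, HUNK_HEADER = 0x3F1, 0x3F2, 0x3F3

# Values taken from the virus description above
MARKER = 0x65772059                 # self-identification longword in the first hunk
MARKER_TEXT = b"Happy_New_Year_96"  # text at the end of the first hunk
RTS = 0x4E75                        # MC68000 'rts' opcode
MIN_LEN, MAX_LEN = 0x960, 0x1E460   # file length bounds for infection
RTS_WINDOW_WORDS = 0x3F             # how far from the end an RTS may sit


def _u32(blob, off):
    return struct.unpack_from(">I", blob, off)[0]


def parse_hunks(blob):
    """Walk a hunk executable (header, hunk table, blocks) and return
    [(hunk_type, payload)]. Unlike the virus, which just scans forward for
    HUNK_CODE, this refuses block types it does not know instead of running on."""
    if len(blob) < 4 or _u32(blob, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:                          # resident library names, 0-terminated
        n = _u32(blob, off); off += 4
        if n == 0:
            break
        off += 4 * n
    first, last = _u32(blob, off + 4), _u32(blob, off + 8); off += 12
    for _ in range(last - first + 1):    # hunk sizes; top two bits are memory flags
        if _u32(blob, off) >> 30 == 3:   # both set: an extra flags longword follows
            off += 4
        off += 4
    hunks = []
    while off < len(blob):
        htype = _u32(blob, off) & 0x3FFFFFFF; off += 4
        if htype in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            n = _u32(blob, off) & 0x3FFFFFFF; off += 4
            hunks.append((htype, blob[off:off + 4 * n])); off += 4 * n
        elif htype == HUNK_BSS:          # size only, nothing stored in the file
            off += 4; hunks.append((htype, b""))
        elif htype == HUNK_RELOC32:      # (count, hunk#, offsets...) until count 0
            while True:
                n = _u32(blob, off); off += 4
                if n == 0:
                    break
                off += 4 + 4 * n
            hunks.append((htype, b""))
        elif htype == HUNK_END:
            hunks.append((htype, b""))
        else:
            raise ValueError("unsupported hunk type 0x%x at offset %d" % (htype, off - 4))
    return hunks


def first_code_hunk(blob):
    """Payload of the first HUNK_CODE block, or None if there is none."""
    for htype, payload in parse_hunks(blob):
        if htype == HUNK_CODE:
            return payload
    return None


def is_infected(blob):
    """The virus' own self-identification test on the first code hunk: the marker
    longword anywhere in it (assumption: searched as bytes), or the text at its end."""
    code = first_code_hunk(blob)
    if code is None:
        return False
    return struct.pack(">I", MARKER) in code or code.rstrip(b"\0").endswith(MARKER_TEXT)


def infection_preconditions(filename, blob):
    """Static infection preconditions from the description; the free-sector test is
    left out (volume state, not file). Returns the reasons the virus would skip the
    file; an empty list means the file is an infection candidate."""
    reasons = []
    if not (MIN_LEN < len(blob) < MAX_LEN):
        reasons.append("length not between $960 and $1e460")
    if "-" in filename or ".l" in filename:   # byte-for-byte, as written (assumption)
        reasons.append("filename contains '-' or '.l'")
    code = first_code_hunk(blob)
    if code is None:
        reasons.append("no HUNK_CODE found")
    else:
        words = struct.unpack(">%dH" % (len(code) // 2), code[:len(code) & ~1])
        if not words or (words[-1] != RTS and RTS not in words[-RTS_WINDOW_WORDS:]):
            reasons.append("no RTS at or near the end of the first code hunk")
    return reasons


def build_hunk_file(code):
    """Wrap `code` in a minimal one-hunk executable (used for the constructed samples)."""
    code += b"\0" * (-len(code) % 4)             # payloads are whole longwords
    n = len(code) // 4
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)   # no resident libs; hunks #0..#0
            + struct.pack(">I", n)                            # hunk table: size of hunk 0
            + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))


# Constructed samples, not real virus code: a padded program ending in RTS, and
# the same program with the marker and the text appended inside its first hunk.
CLEAN_CODE = b"\x4e\x71" * 0x5FF + b"\x4e\x75"   # 0x5ff NOPs, then RTS
CLEAN_FILE = build_hunk_file(CLEAN_CODE)
INFECTED_FILE = build_hunk_file(CLEAN_CODE + struct.pack(">I", MARKER) + MARKER_TEXT)

if __name__ == "__main__":
    for name, blob in (("Demo", CLEAN_FILE), ("De-mo", CLEAN_FILE), ("Demo", INFECTED_FILE)):
        print(name, "infected" if is_infected(blob) else "clean",
              infection_preconditions(name, blob) or "would be infected")
```

Run it as is to see the three verdicts; to check a real file, read it in binary and pass its bytes and name to `is_infected()` and `infection_preconditions()`. Note that a file the virus would skip (for instance one named with a "-") can still be infected if it was renamed after infection, which is why the two checks are kept separate.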
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.79, VW 5.8
Countermeasures successful: all of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: (C) Markus Schmall, Hannover, Germany
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: November 24, 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall, the VTC Uni Hamburg is allowed to
use this document in their libraries. SHI is
forbidden to use this document in any form.
===================== End of H.N.Y.96. Virus ============================