
 THIS IS A BETA ANALYSIS, WHICH MAY CHANGE UNTIL THE FINAL RELEASE OF THE
 NEXT VIRUSWORKSHOP VERSION !

 KNOWN INSTALLERS OF THE LINKVIRUS ARE: SRN-DB33.LHA AND TCR-RESC.DMS !



Entry...............: Strange Atmosphere
Alias(es)...........: SA Virus (as called in VW)
Virus Strain........: -
Virus detected when.: 2/1996
              where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium:      1232 Bytes
                      2. Length in RAM:                $2710 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      Caches may cause problems during the decoding
                      process

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Linkvirus

                      Self-identification method in files:
                      -  Searches for $1080402 at the end of the first
                         codehunk


                      Self-identification method in memory:
                      -  Checks for $3d385e29 at position -6 of the
                         LoadSeg() address

                      System infection:
                      -  RAM resident, infects the LoadSeg() DOS function
                      -  DoIO() exec function and Coolcapture will be
                         infected only under special conditions

                      Infection preconditions:
                       - File to be infected is bigger than $a28 bytes
                       - The file is not already infected
                       - HUNK_HEADER and HUNK_CODE are found
                       - HUNK_HEADER structure is valid
                       - There must be 4 free blocks on the disc
                       - File is shorter than 290000 bytes
                       - The length of the first hunk must be exactly the
                         same as written in the hunk header structure
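A file-level check built from the self-identification marker and the length precondition above, as an added example written for this analysis (Python; it is not VirusWorkshop's code). It walks the standard AmigaDOS hunk layout (HUNK_HEADER, resident-library list, hunk size table, HUNK_CODE), reads "at the end of the first codehunk" as the hunk's final longword, and compares the hunk's real length with the size declared in the header; the two sample executables are constructed for the test, not real programs.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
SA_FILE_MARKER = 0x01080402  # $1080402: longword the virus looks for at the end of the first code hunk

def parse_first_code_hunk(data: bytes):
    """Return (header-declared size in longwords, bytes) of the first hunk, which must be HUNK_CODE."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        off += 4
        return struct.unpack_from(">I", data, off - 4)[0]

    if u32() != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER")
    n = u32()  # resident library name list: length in longwords, a 0 ends the list
    while n:
        off += 4 * n
        n = u32()
    u32()  # table size
    first, last = u32(), u32()
    sizes = [u32() & 0x3FFFFFFF for _ in range(last - first + 1)]  # top two bits are memory flags
    if u32() != HUNK_CODE:
        raise ValueError("first hunk is not HUNK_CODE")
    n = u32()
    body = data[off:off + 4 * n]
    if len(body) != 4 * n:
        raise ValueError("HUNK_CODE runs past end of file")
    return sizes[0], body

def scan(data: bytes) -> dict:
    """Check the self-identification marker and whether header and hunk agree on the first hunk's length."""
    declared, body = parse_first_code_hunk(data)
    last = struct.unpack_from(">I", body, len(body) - 4)[0] if len(body) >= 4 else None
    return {"marker_found": last == SA_FILE_MARKER,
            "first_hunk_matches_header": declared == len(body) // 4}

def build_sample(code: bytes) -> bytes:
    """Constructed minimal single-hunk executable for testing (not a real program); len(code) % 4 == 0."""
    n = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)

CLEAN = build_sample(b"\x4e\x75" * 8)                                       # eight RTS instructions
MARKED = build_sample(b"\x4e\x75" * 8 + struct.pack(">I", SA_FILE_MARKER))  # marker appended
```

A marker hit on a real file is a reason to look closer, not a verdict on its own; the header/hunk length mismatch case shows why the virus itself skips files that packers have rearranged.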

Infection Trigger...: Accessing the file

Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - Files will be trashed (depends on the Rasterbeam)
                      - Devices will be overwritten (depends on the
                        Rasterbeam)
                      Transient damage:
                      - System gets locked at reset and a new copperlist
                        will be shown.

Damage Trigger......: Permanent damage:
                      - Internal counter
                      Transient damage:
                      - Internal counter

Particularities.....: The crypt/decrypt routines are not aware of
                      processor caches. The installer code in several
                      files works correctly on higher processors.
                      The link code checks the length of the first hunk
                      to avoid problems with extraordinary packers.

Similarities........: Link-method in the executable files is the simple
                      "link behind the first hunk" method without any
                      special tricks.

Stealth.............: The virus uses normal DOS calls (no tunneling
                      via packets), so normal DOS call watchers like
                      SnoopDos can show the infection behaviour.
                      There are no stealth routines built in.

Armouring...........: The virus uses only one armouring technique to
                      protect its code: a normal crypt routine that hides
                      the viral structures. Heuristic checkers like the
                      one in VirusWorkshop can find the dangerous parts,
                      and VW gives you the rating "Virus!".

Name................: In the crypted part there is the following string:
                             '-+* Strange Atmosphere [gOOd] *+-'

                      If the internal counter reaches 50, the word "gOOd"
                      will be replaced by "eVIL" and the destructive code
                      will be activated.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW6.0ß (VT follows soon)
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 04.03.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: March 1996
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall
Special note........: Virus Test Center Hamburg and Virus Help Team DK
                      are strictly allowed to use this analysis in their
                      own productions. All other groups/institutions may
                      please contact me first.

===================== End of Strange Atmosphere Virus ===================