Text File  |  1996-07-28  |  6.5 KB  |  167 lines

@BEGIN_FILE_ID.DIZ
     ____________________________________
.---/   /   /   /  __   /   /   /   ____/--.
|  /   /   /   /      _/   /   /____   /   |
|  \______/___/___/___/_______/_______/    |
|                                          |
|         tHE fILE `MGS!-D33.LHA'          |
|                                          |
|      iS eBOLA lINKVIRUS iNFECTED!!       |
`------------------------------------------'
[bAD rELIGION]:::::::::::::::::[dREAM lAND!]
@END_FILE_ID.DIZ



 --------------------------------^ aDDS ^-----------------------------------


                        aNOTHER d/L aNOTHER vIRUS!


                          dA fILE `MGS!-D33.LHA'

                     iS iNFECTED bY EBOLA LINKVIRUS

                        ---------- -----------

 MGS!-D33.LHA D 28235  07-17-96   _       _                       _ _
                               ___     _______________________ _ _________
                              _\_/    / _  __  ______ _______/__  ___    /
                              | _ \  /     /  __/__/   /_ _   /   ___   /
                              |__\ \/ /___/_____________/____/____//___/
                                  \  /                   .------------.
                                   \/ SysDL 3.3      «-- ÷-  styLE!   ¡
                                               By Splash `------------÷
                               Now with remote mode that works like   |
                               DOPUS!! THE BEST SYSDL DOOR EVER MADE! |
                               -[17.07.96]------ ---- ---------·st!·--'


  - --------------------------------------------------------------------- -

    Original  Packed Ratio    Date     Time    Name
    -------- ------- ----- --------- --------  -------------
       1084     485 55.2% 17-Jul-96 04:47:08  bbs/commands/bbscmd/DS.info
      11674    3959 66.0% 01-Jun-95 16:34:50  bbs/doors/sysdl/RemoteMode.iff
         25      25  0.0% 28-May-95 17:39:26  bbs/doors/sysdl/restrict
      23780    4691 80.2% 01-Jun-95 16:31:42  bbs/doors/sysdl/StandardMode.iff
   -> 29236   10349 64.6% 17-Jul-96 04:01:38  bbs/doors/sysdl/sysdl <-infect
       1498    1067 28.7% 18-Jun-95 18:05:18  bbs/doors/sysdl/sysdl.info
      15280    5397 64.6% 17-Jul-96 04:43:30  bbs/doors/sysdl/SysDL33.Guide
        540     299 44.6% 17-Jul-96 10:27:18  fILE_iD.dIZ
   -------- ------- ----- --------- --------
      87401   27612 68.4% 17-Jul-96 10:27:22   8 files
                       ---------- -----------

 fOUND wITH dA gREAT vIRUS wORKSHOP 6.2 bY fLAKE/tRSI    18-Jul-96  02:12:23

                       ---------- -----------
Entry...............: Ebola Virus
Alias(es)...........: E1116 (to stay CARO-conform)
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Germany
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1116 Bytes
                      2. Length in RAM: 3300 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - Searches for $ab1590ef at the end of the first Hunk.

                      Self-identification method in memory:
                      - Checks for $213f at offset -2 of the LoadSeg()
                        function

                      System infection:
                      - non RAM resident, infects the following functions:
                        Dos LoadSeg(), Exec FindTask() and Exec OpenResource()

                      Infection preconditions:
                      - File to be infected is bigger than 2500 bytes and
                        smaller than 130000 bytes
                      - First hunk contains a $4eaexxxx command in the 16
                        bit range to the end of the file (test for the first
                        entry)
                      - The file is not already infected (tested via the
                        longword at the end of the hunk)
                      - HUNK_HEADER and HUNK_CODE are found

Infection Trigger...: Accessing files via LoadSeg()
Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - None
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of
                      processor caches. The crypt routine is non-polymorphic
                      and consists only of some logical operations. The
                      virus uses some simple retro techniques to stop
                      virus killers searching for Draco and possibly for
                      the HochOfen (Trabbi) virus.

Similarities........: Link-method is comparable to the method invented with
                      the infiltrator-virus

Stealth.............: No stealth abilities

Armouring...........: The virus uses only a single armouring technique to
                      confuse people. It only encrypts its code based on the
                      position of the rasterbeam.

Comments............: The name EBOLA is the name of a virus, which humans
                      can get infected with. CARO rules say, that no names
                      of persons etc. may be used to call a virus, but I
                      spoke to other persons and they already recognized
                      this virus in this way.

--------------------- Agents -------------------------------------------

Countermeasures.....: VW5.5 and VT 2.76
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 03.09.1995.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: September,03. 1995
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
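
Added example, not part of the original NFO or of the tools it names: a minimal Python check for the file self-identification value ($ab1590ef at the end of the first hunk) given under Attributes. It assumes the marker is the last big-endian longword of the first HUNK_CODE body and that HUNK_CODE directly follows the header; the function names and the sample builder are hypothetical.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
EBOLA_MARKER = 0xAB1590EF  # self-identification longword quoted in the description
SIZE_MASK = 0x3FFFFFFF     # top two bits of a hunk type/size carry memory flags


def first_code_hunk(data):
    """Return the body of the first hunk if it is HUNK_CODE, else None."""
    def u32(off):
        if off < 0 or off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, off)[0]

    try:
        if u32(0) != HUNK_HEADER:
            return None
        off = 4
        while True:                      # resident library names, 0-terminated
            n = u32(off)
            off += 4
            if n == 0:
                break
            off += n * 4
        first, last = u32(off + 4), u32(off + 8)
        if last < first:
            return None
        off += 12 + (last - first + 1) * 4   # table size, first, last, size table
        if (u32(off) & SIZE_MASK) != HUNK_CODE:
            return None
        nlongs = u32(off + 4) & SIZE_MASK
    except ValueError:
        return None
    body = data[off + 8: off + 8 + nlongs * 4]
    return body if len(body) == nlongs * 4 else None


def has_ebola_marker(data):
    """True if the first code hunk ends with the marker longword (assumed big-endian)."""
    body = first_code_hunk(data)
    return bool(body) and body[-4:] == struct.pack(">I", EBOLA_MARKER)


def build_sample(code_longs):
    """Constructed test input: header for one hunk, HUNK_CODE body, HUNK_END."""
    n = len(code_longs)
    words = [HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n, *code_longs, HUNK_END]
    return struct.pack(">%dI" % len(words), *words)
```

A hit on this single longword is only an indicator; confirm it with a full scanner such as those listed under Countermeasures.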



                         ---------- -----------



    aLL oK m8's ?!?!                SoULMASTER^SHALLoW/·)> dREAM lAND! <(·


 --------------------------------v aDDS v-----------------------------------


                      .--------------------------------.
               -+*#*+-| sPREAD bY tECHNOKING!^cRAZY !! |-+*#*+-
                      `--------------------------------'