- Warning ! A new linkvirus is out. The first known infected file is
- lop_mi2.lha. The FILE_ID.DIZ looks like this:
-
- .
- ____ .:: ______
- / |.:::::' | __ \_
- \ _|:: ::.::::. ¬___/
- .-- \____:: :::: :: \ --.
- | `::::':: ::_____/ |
- | LøøP `::::' |
- | |
- | MASTER ISO 1.22 100% CRC |
- | THIS IS THE IMPROVED |
- | INTENSITY-VERSION ... |
- `------------------------------'
-
-
- The virus is linked to the file in the normal way. It doesn't seem to be an
- installer; probably the people behind the release didn't know about the infection.
-
- Emacs/TRSi got a call from Lenny Dee/Hf and gave me this archive. It
- seems to be spread globally. Since a Hf guy tried this archive before
- releasing 3 things for Hf, Emacs checked these 3 releases for me and all
- of them were virus-free.
-
- ! Special thanks at this time to Lenny Dee/HF for the fast warning !
-
- Ok, here is the analysis of the little bastard:
-
-
-
- Entry...............: BBS Traveller Virus
- Alias(es)...........: Ebola-II
- Virus Strain........: -
- Virus detected when.: 17.04.1996
-               where.: Germany
- Classification......: Linkvirus, memory-resident, not reset-resident
- Length of Virus.....: 1. Length on storage medium: 1536 Bytes
- 2. Length in RAM: 12000 Bytes
-
- --------------------- Preconditions ------------------------------------
-
- Operating System(s).: AMIGA-DOS
- Version/Release.....: 2.04 and above (V37+)
- Computer model(s)...: all models/processors (MC68000-MC68060)
-
- --------------------- Attributes ---------------------------------------
-
- Easy Identification.: none
-
- Type of infection...: Self-identification method in files:
-
- - Searches for $ab1590ef at the end of the first Hunk.
- (this longword comes from the EBOLA-I virus)
-
- - Searches for $24121996 at the end of the first hunk
- (selfrecognition)
-
- - Searches for $1080402 at the end of the first hunk
- (this is the recognition of the Strange Atmosphere
- linkvirus)
-
- Self-identification method in memory:
-
- Searches for $3D385E29 at offset -6 from the Dos LoadSeg()
- function.
- If $1020304 is found at this position, the destruction
- counter is manipulated (some kind of test by the
- programmer of this virus?)
-
- System infection:
- - non RAM resident, infects the following functions:
- Dos LoadSeg(), Dos ReadArgs(), Exec FindName(),
- Exec FindTask(), Exec SetFunction() and Exec AddPort()
-
-
- Infection preconditions:
- - File to be infected is bigger than 2600 bytes and
- smaller than 290000 bytes
- - Device must have more than 6000 sectors
- - First hunk contains a $4eaexxxx instruction (a JSR xx(A6)
- library call) in the 16 bit range to the end of the file
- (test for the first entry)
- - The file is not already infected (checked via the longword
- at the end of the hunk)
- - HUNK_HEADER and HUNK_CODE are found
-
-
-
- Infection Trigger...: Accessing files via LoadSeg()
- Files whose names start with "v", "V", "." or "-" are NOT
- infected.
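- A defender-side check for the marker longwords and the infection preconditions
- listed above, written as an added example (it is not part of the original warning
- nor of the VW/VT tools it mentions). The hunk layout it parses is the standard
- AmigaDOS executable format; the test file it builds is constructed, not a real program.

```python
import struct

# Amiga hunk-file block identifiers (standard AmigaDOS executable format values).
HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
# Longwords the virus looks for at the end of the first hunk (values from the analysis above).
MARKERS = {0xAB1590EF: "EBOLA-I marker",
           0x24121996: "BBS Traveller self-recognition",
           0x01080402: "Strange Atmosphere marker"}

def build_hunk_file(code: bytes, trailing=None) -> bytes:
    """Build a minimal one-hunk Amiga executable as constructed test input (not a real program)."""
    body = code + (struct.pack(">I", trailing) if trailing is not None else b"")
    body += b"\0" * (-len(body) % 4)                  # hunk data is longword-aligned
    nlw = len(body) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, nlw)  # no resident libs, one hunk
    return header + struct.pack(">II", HUNK_CODE, nlw) + body + struct.pack(">I", HUNK_END)

def first_hunk_tail(data: bytes):
    """Return the last longword of the first HUNK_CODE block, or None if the layout is not valid."""
    if struct.unpack_from(">I", data)[0] != HUNK_HEADER:
        return None
    pos = 4
    while True:                                       # skip the resident library name list
        n = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        if n == 0:
            break
        pos += 4 * n
    _, first, last = struct.unpack_from(">III", data, pos)
    pos += 12
    for _ in range(last - first + 1):                 # hunk size table
        size = struct.unpack_from(">I", data, pos)[0]
        pos += 8 if size >> 30 == 3 else 4            # flags 11 = extra memory-attribute longword
    htype, nlw = struct.unpack_from(">II", data, pos)
    end = pos + 8 + 4 * nlw
    if (htype & 0x3FFFFFFF) != HUNK_CODE or nlw == 0 or end > len(data):
        return None                                   # the virus needs the first hunk to be code
    return struct.unpack_from(">I", data, end - 4)[0]

def assess(filename: str, data: bytes) -> dict:
    """Apply the preconditions from the analysis: hunk layout, size window, name rule, marker."""
    try:
        tail = first_hunk_tail(data)
    except struct.error:                              # truncated or malformed file
        tail = None
    marker = MARKERS.get(tail) if tail is not None else None
    at_risk = (tail is not None and marker is None and 2600 < len(data) < 290000
               and filename[:1] not in ("v", "V", ".", "-"))
    return {"file": filename, "valid_hunk": tail is not None, "marker": marker, "at_risk": at_risk}
```

- A file whose first hunk ends in one of the three markers is reported as carrying that
- marker; a clean file inside the size window with an unexempted name is flagged as at risk.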
-
- Storage media affected:
- all DOS-devices
-
- Interrupts hooked...: None
-
-
- Damage..............: Permanent damage:
- - Formatting the drive
- Transient damage:
- - none
- Damage Trigger......: Permanent damage:
- - Formatting the drive, when an internal counter reaches
- 5000.
- Transient damage:
- - None
-
- Particularities.....: The encryption/decryption routines are partly aware of
- processor caches. The encryption routine is not polymorphic
- and consists only of some logical operations. The virus uses
- some simple retro techniques to stop virus killers from
- finding it.
-
- Similarities........: The link method is comparable to the method introduced
- by the Infiltrator virus. The damage routine is taken from
- the Strange Atmosphere linkvirus. The virus is a typical
- mixture of the EBOLA and the Strange Atmosphere
- linkviruses. We think that all 3 come from the same
- programmer, probably in the east or north of Germany.
-
- Stealth.............: If the virus killer VT up to version 2.82 is started,
- the virus removes itself completely from memory. If one of
- the following programs is found in memory, no link
- attempt is made:
-
- SetFunktionManager
- VirusChecker
- VirusZ_II
- SnoopDos
- SnoopDos 3
- VW-Save!
-
- Armouring...........: The virus uses only a single armouring technique to
- confuse people: it encrypts its code based on the
- position of the raster beam.
-
- Comments............: EBOLA is the name of a virus which humans can get
- infected with. CARO rules say that no names of persons
- etc. may be used to name a virus, but I spoke to other
- people and they already recognized this virus by that
- name. The virus contains the string "BBS Traveller", but
- this is just a clone of the EBOLA linkvirus with some
- enhancements.
-
-
- --------------------- Agents -------------------------------------------
-
- Countermeasures.....: VW6.1 beta and above
- Standard means......: -
-
- --------------------- Acknowledgement ----------------------------------
-
- Location............: Hannover, Germany 19.04.1996.
- Classification by...: Markus Schmall and Heiner Schneegold
- Documentation by....: Markus Schmall (C)
- Date................: April 19, 1996
- Information Source..: Reverse engineering of original virus
- Copyright...........: This document is copyrighted and may not be used
- in any SHI publication
-
- ===================== End of BBS Traveller Virus =========================
-
-
-
-
- Greets
-
- Flake/Tristar & Red Sector inc.
-
-
-
-
-
- Special personal hellos from Flake go out to: Screamer, ECS, Mario,
- Apollo, Ferox, Hitpoint, Rascal, Steeler, Lenny Dee, Mok, Samir,
- ENZO, Ixxy and my friends in Virus Help Team Denmark...
-
-
-
-
- wE wOULD liKE tO gREET oUR fRiENDS iN
-
- * SUNFLEX iNC * PRESTiGE * PARADOX * HOODLUM *
-
- * DELiRiUM * FAiRLiGHT * QTX & CLS * ANTHROX * PRODiGY * HELLFiRE *
-
-
-
-
-
- _______________ _______________________
- \___ ¬\___ ¬\ ¬\/¯ __¬\___ ¬\ __¬\___ ¬\
- / / _/ _/ /___¯¯\/\ / / /_/ / _/ _/\
- / / ¯ / /\__/ /\// / ¯ / ¯ /\/
- /__/__/__/__/______/ //__/__/__/__/__/ /
- \\_\\_\\_\\_\\_____\/ \\_\\_\\_\\_\\_\/
- __________________ ___________ _______________________
- \___ ¬\ _¬\___ ¬\·NL/¯ __¬\ _¬\/¯ ¬\___ ¬\ _ ¬\___ ¬\
- / _/ _/ /_\/ / /\ /___¯¯\/ /_\/ /___/\ / / / / _/ _/\
- / ¯ / ___/ / / //\__/ / ___/ / /\// / / / ¯ /\/
- /__/__/_____/_____/ //______/_____/______/ //__/_____/__/__/ /
- \\_\\_\\____\\____\/ \\_____\\____\\_____\/ \\_\\____\\_\\_\/
-
- =+\=================/\====================/\======/\===================+=
- .::\_.:::::::::/\.:/.:\::::::::::::::/\.:/.:\/\.:/.:\:::::::::::::::::::.
- .::::\::::/\::/.:\/::::\::::::::/\::/.:\/::::::\/::::\·:::::___.___.__.._
- .:::::\::/.:\/.:::::::::\::/\::/.:\/::::::::::::::::::\/\·:/.:::::::::::·
- =+=====\/================\/==\/==========================\/============+=
-
-
-
- @BEGIN_FILE_ID.DIZ_________________ ____________
- \ . ___.___._¬\/ ____/_____) TRiSTAR &
- \/| .| | ¬| _/_____¬\| ¬|
- | || | : ¬\ ¬V \\ || RSi
- |___| |___|___\______/_____|
- ·+*#*+·^·TRN!·|____\·+*#*V·^·+*#*+·PRESENT!·
- -------------------------------------------
- Warning ! New linkvirus ! Read it !
- -------------------------------------------@END_FILE_ID.DIZ
-