CCCP Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia    
CCCP Virus
------------------------


========= Computer Virus Catalog 1.2: CCCP VIRUS (31-July-1993) ========
Entry...............: CCCP Virus
Alias(es)...........: Anal Rapes
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Bootblock and Link Virus: Overwriting Bootblock,
                         Extending Files, Resident
Length of Virus.....: 1.Length: 1024 bytes Bootblock,
                                1044 bytes File extension.
                      2.Length: 1192 bytes in Chip-RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: >= Version 1.3
Computer model(s)...: All Amigas with $68000 CPU / Vectortable at $0
--------------------- Attributes ---------------------------------------
Easy Identification.: Text "CCCP VIRUS" in infected bootblocks and files
Type of infection...: Self-Identification methods:
                         Disk/File: searches for special Hunklength ($FD)
                                    in first Codehunk
                         Disk/Boot: none
                         Ram: Searches for $611c(bsr.s) at VEC3 location
                         Executable File infection: extending file
                            by 1044 bytes; infection occurs if:
                              - file is readable/writable
                              - file header block contains all blocks
                                of the file (no extension block)
                              - won't infect files in directories with
                                1st letter "l","d","f" (e.g.: l, devs, fonts)
                         System infection: RAM-Resident, Reset-Resident,
                              Bootblock infection
                         Libraries/Vectors patched and action:
                              Coolcap    (Exec)  - be resetproof
                              DoIo       (Exec)  - infect preconditions,
                                                   boot infection
                              NewOpenLib (Exec)  - patch openwindow
                              Openwindow (Int.)  - start infection
Infection Trigger...: File:   Opening an Intuition Window
                      Bootblock:Any Disk-Access (DoIo on Block 0)
Storage media affected: Diskettes
Interrupts hooked...: IRQ_VEC3 ($6c) to stay in memory (against actions
                         of some antivirus-programs)
Damage..............: Permanent Damage: overwriting bootblock,
                      Transient Damage: none
                      Transient/Permanent damage: virus overwrites memory
                         at $6fbec-$71000 without allocating it, so
                         programs stored at this location may crash. Virus
                         also may have problems with some hunk-types.
Damage Trigger......: Inserting Diskette / DoIo call
Particularities.....: Very compact code (1024 Byte) with complete
                      (recursive) file and bootblock infection routine
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: VT2.54, SnoopDos 1.7, AVM(internal)
Countermeasures successful: VT2.54, SnoopDos, AVM
Standard means......: VT2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 31-July-1993
Information Source..: Heiner Schneegold, SHI, reverse analysis
===================== End of CCCP Virus ================================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed
 

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk