Dark Avenger Type B Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




==== Computer Virus Catalog 2.0: Dark Avenger (Type B)  (14.12.1993) ====
Entry...............: Dark Avenger (Type B)
Alias(es)...........: Septic Schizo
Virus Strain........: Infiltrator, Dark Avenger substrain
      detected when.:
              where.:
Classification......: Linkvirus, Extending, not reset-resident
Length of Virus.....: 1.Length (1072) on storage medium
                      2.Length (2000) in RAM

--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS > 1.3 (will probably crash under 1.3/1.2)
Computer model(s)...: All Amigas without CPU-Cache
--------------------- Attributes ----------------------------------------
Easy identification.: -
Type of Infection...: Self-Identification method on disk:
                      Checking branch command at first codehunk of
                      infected File
                      Self-Identification method in memory:
                      Checking for a matchword ($A0A1A2A3) at hooked-
                      vector location -8
                      Executable File infection:
                      extending file by 1072 bytes
                      Memory-resident, hooking DOS-Open-Vector
                      Not reset-resident
                      Infection preconditions:
                      Disk valid
                      8 spare blocks free
                      Filesize <= 100000
                      Filesize >= 2000
                      Codehunk - Size <= 32752
                      Memory for infection available
                      HUNK_HEADER found
                      HUNK_CODE found
                      HUNK_RELOC32 found
                      101500 Bytes of Memory allocatable
                      JMP or JSR is not the first command
                      in the Codehunk
                      Original-Code is overwritten - but will be
                      restored and executed (virus restores the
                      original file, so that integrity-checks of the
                      executable itself probably will fail)

Infection Trigger...: Opening executable file

Storage Media affec.: All media

Systemcalls hooked..: DOS-VEC OPEN

Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Transient Damage:
                      None
                      Transient/Permanent damage:
                      Can't handle all DOS-Requests correctly
                      Crashes the System on some requests
                      May "infect" data files matching the
                      infection preconditions
                      Some files won't run after infection.

Damage Trigger......: -

Particularities.....: If no memory is available on virus startup, the
                      virus executes its code in an unallocated area,
                      which may cause a crash after quitting the
                      infected program.
                      Virus tries to work with lower operating-system
                      versions, but the routine for that will probably
                      almost always crash.
                      Virus is encrypted with a random value from the
                      raster beam.
                      The programmer of this virus has very poor
                      programming abilities; his system very surely
                      runs under OS2.04. This so-called "B" type is
                      the first clone by this programmer; the "A" type
                      is surely the second one.
                      The virus contains the String:
                      'Reminders of past , fear of the future: SEPT'
                      'IC SCHIZO.' (not displayed)


Similarities........: Most parts are similar to the Infiltrator-Virus

--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58

--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 14.12.1993
Information Source..: Reverse-analysis of Virus-Code, Heiner-Schneegold
===================== End of Dark Avenger (Type B) ======================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed





Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk