VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
Invader Virus
------------------------
  

Entry...............: Invader
Alias(es)...........: Silesian Virus
Virus Strain........: -
Virus detected when.: 1/1996
              where.: Poland
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:  1200+(0..72)    Bytes
                      2. Length in RAM:             $19000 or $d6b0 Bytes
                      (depends on the returncode of availmem() )

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      The virus has problems with caches of all kind.

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Self-identification method in files: 
                      -  None

                      Self-identification method in memory:
                      -  Checks for a word in the Dos Open() function


                      System infection: 
                      -  RAM resident, infects the followind DOS
                         functions

                      - Open()
                      - Rename()
                      - Lock()
                      - LoadSeg()
                      - NewLoadSeg()
                      - SetComment()
                      - SetProtection()


                      Infection preconditions:

                      - File is executable

                      Please note, that there is no check for a CODE
                      hunk or such things. The virus loads the to be
                      infected file, but forgets to do a real length
                      check. It seems as the virus cuts file just as
                      it wants to.

                      Example:

                      (Memoryalloaction is $19000)

                      Infecttry of xyz (=$2a000 bytes)

                      The infected file will be $19000+$4b0+0..72
                      bytes long and not repairable anymore.


Infection Trigger...: Accessing the volume
                       
Storage media affected: all DOS-devices

Interrupts hooked...: No interrupts used

Damage..............: Permanent damage: 
                      - Damages files, adds bytes, copies blocks.
                      Transient damage: 
                      - The Virus writes a file with the name
                      "===README===" on the ramdisk. It contains
                      some text like "Get me you lamer..." etc.
            
Damage Trigger......: Permanent damage:
                      - Overwriting file contents in several places,
                      especially, when the files have more hunks.
                      Transient damage: 
                      - Infection-Counter 

Particularities.....: The memoryallocation operations are not cache-
                      proof and should make a lot of problems. The code
                      isn`t that professional written, the patch-
                      routines are very simply made. One important
                      counter is behind the first hunk, which isn`t
                      that clever. The data behind the first hunk can
                      be damaged in a serious way.

Similarities........: Link-method is like the one of infiltrator-virus.
                      Some ideas behind (search for DH0 and then try to
                      infect dh0:c/loadwb first) look like stolen from
                      the Commander linkvirus.

                      The change of the last command in the to be
                      infected hunk is a little bit buggy. Under
                      circumstances the last word in the hunk will
                      be changed, even if there is another important
                      information in it. The "RTS" locater doesn`t
                      look only for the last "RTS", it really looks for
                      all "RTS" in the STEP range.

Stealth.............: No stealth abilities at all. All can be seen on
                      the SnoopDos screen.

Armouring...........: No special armouring found in this virus.It just
                      uses somekind of encryption(depending on $dff006)
                      for it`s code, which is static.

--------------------- Agents -------------------------------------------

Countermeasures.....: VW 5.9, VT 2.80 (?)
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: (C) Hannover, Germany
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: January, 16.01.1996.
Information Source..: Reverse engineering of original virus
Copyright...........: This document isn`t allowed to be used in any
                      form without my permission. It`s hereby allowed
                      for VTC Hamburg and Virus Help Team DK to use it.

===================== End of Invader Virus ============================




Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk