Metamorphosis Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
Metamorphosis Virus
------------------------
    
            
======== Computer Virus Catalog 2.0: Metamorphosis  (14.12.1993) ========
Entry...............: Metamorphosis
Alias(es)...........: Next Generation from Lamer-Exterminator
Virus Strain........: IRQ, Lamer
      detected when.:
              where.:
Classification......: System Virus (BootBlock) and Linkvirus (Extending)
Length of Virus.....: 1.Length (1024(Boot),1060(Link)) on storage medium
                      2.Length (1060) in RAM

--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS 1.2, 1.3, 2.04, 3.0
Computer model(s)...: All Amiga's
--------------------- Attributes ----------------------------------------
Easy identification.: Text in files (readable with HexDump-facilities):
                      'METAMORPHOSIS V1.0- the next Generation from'
                      ' LAMER-EXTERMINATOR ! ',10

Type of Infection...: Self-Identification methods on Disk/Link:
                      Checks for the MET.. string in files
                      Self-Identification methods on Disk/Boot:
                      None (overwrites any bootblock)
                      Self-Identification methods in Memory:
                      Checks for hooked OldOpenLib to point at
                      $7xxxx (absolute memory)
                      Executable File infection:
                      Appending codehunk to executeables in c: dir
                      Overwriting Bootblock
                      Ram-Resident
                      Reset-Resident (COOLCAPTURE/COLDCAPTURE)
                      Infection-preconditions/Link:
                      OldOpenLibrary-call
                      More than 2 Files in C: Directory
                      File smaller than 40000 Bytes
                      Disk not write-protected
                      Infection-preconditions/Boot:
                      Read-access on block 0 (DoIo)
                      Disk not write-protected

Infection Trigger...: Link: Opening "dos.library"
                      Boot: Reading Bootblock

Storage Media affec.: All Media

Systemcalls hooked..: COLDCAP, COOLCAP, DOIO, OLDOPENLIB

Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Permanent Damage:
                      Overwriting bootblock
                      Formatting floppys (headstep)
                      Transient Damage:
                      Flashing all disk lights after 13 infections
                      (some kind of warning for the author ???)
                      Transient/Permanent damage:
                      May overwrite block 0 (RDB) of the harddisk
                      due to no check for the device wich calles
                      the DoIo-function.
                      Due to not allocated memory areas the virus
                      may be overwritten by other programs or will
                      itself other programs, wich will probably
                      crash the System.
                      The virus will overwrite its own body
                      on link-infection if the File is larger
                      then 39840 and smaller then 40000 bytes due to
                      a calculation bug.

Damage Trigger......: counter, 13, 14 infections

Particularities.....: Virus copys itself to the absolute address of
                      $7fa80 link / $7fa72 boot
                      Infected files will be loaded at $75e40 absolute

Similarities........: Link-Infection-Routine is similar to the
                      IRQ-Virus, Damage similar to Lamer-Viruses

--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58

--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 14.12.1993
Information Source..: Reverse-analysis of virus-code, Heiner Schneegold
========================= End of Metamorphosis ==========================


Ascii of Metamorphosis virus:

    


Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk