NeuroticDeath 5 Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




    --------------------------
    Amiga Virus Encyclopedia
    NeuroticDeath 5 Link Virus
    --------------------------

    - NEurOTiCDEatH virus type 5 link virus
    
        The name is NOT understandable, but it was adopted
           In the decoded link part you can read:
           8002ee58 32c04e75 00000002 00005b4d ... X2.Nu ...... [M
           74675f33 415d0000 1bdf0000 00096100 tg_3A] ........ a.
        In contrast to Type 3, I have not found a Neuro.. text
        File lengthening: more than #6000 bytes and less than #8000 bytes
            (that is how it was in my tests)
        Not reset-proof
        Requires a processor better than the 68000
        Not all Kickstart versions
        Patched vectors: LoadSeg, NewLoadSeg, DoIo
        The virus part is supposed to be activated from Dec. 28, 96 onward.

      Memory anchoring:
           - Tests whether it is already in memory, e.g. debug Data
           - Tests whether antivirus programs are active (e.g. Xtruder)
           - LoadSeg, NewLoadSeg and DoIo are patched
           - Tests the names of files loaded later for "v" or "V".
      
      Link operation:
           - Via LoadSeg and NewLoadSeg
           - Medium is validated
           - File is executable ($3F3)
           - Code hunk is found ($3E9)
           - Skips over $3F1 hunks
           - File length greater than #32768
           - File length less than #286720
           - Searches the 1st hunk for bcc ($6v00wxyz),
             jsr xy ($4EBAwxyz) or jsr -xy(a6) ($4EAEwxyz)
           - This longword is replaced by bsr virus ($6100wxyz)
           - The part is always re-encoded using $DFF007
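
Added example (not part of the original VT text): a Python triage helper that applies the link criteria listed above to a file ($3F3 header, first code hunk $3E9 reached after skipping $3F1 hunks, file length between #32768 and #286720) and lists every bsr.w ($6100wxyz) longword in the first code hunk with its target. The function names and the sample file are constructed for this example, and the standard AmigaDOS hunk layout is assumed.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DEBUG, HUNK_END = 0x3F3, 0x3E9, 0x3F1, 0x3F2
MIN_SIZE, MAX_SIZE = 32768, 286720   # exclusive file-length bounds from the page

def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]

def first_code_hunk(data):
    """Return the first code hunk's bytes (skipping $3F1 hunks), else None."""
    try:
        if _u32(data, 0) != HUNK_HEADER:
            return None
        pos = 4
        while (n := _u32(data, pos)) != 0:        # resident library names
            pos += 4 + 4 * n
        first, last = _u32(data, pos + 8), _u32(data, pos + 12)
        if last < first:
            return None
        pos += 16 + 4 * (last - first + 1)        # past the hunk size table
        while (_u32(data, pos) & 0x3FFFFFFF) == HUNK_DEBUG:
            pos += 8 + 4 * _u32(data, pos + 4)
        if (_u32(data, pos) & 0x3FFFFFFF) != HUNK_CODE:
            return None
        size = 4 * (_u32(data, pos + 4) & 0x3FFFFFFF)
        body = data[pos + 8:pos + 8 + size]
        return body if len(body) == size else None
    except struct.error:                          # truncated or malformed file
        return None

def bsr_w_sites(code):
    """List (offset, target) for every $6100wxyz longword at an even offset."""
    return [(off, off + 2 + struct.unpack_from(">h", code, off + 2)[0])  # PC + 2 + disp
            for off in range(0, len(code) - 3, 2) if code[off:off + 2] == b"\x61\x00"]

def triage(data):
    """None if the file misses the page's link criteria, else its bsr.w sites."""
    code = first_code_hunk(data)
    if code is None or not MIN_SIZE < len(data) < MAX_SIZE:
        return None
    return bsr_w_sites(code)

def build_sample():
    """Constructed file: header, one $3F1 hunk, a code hunk starting with bsr.w."""
    code = b"\x61\x00\x00\x10" + b"\x4e\x71" * 17997 + b"\x4e\x75"  # bsr.w, nops, rts
    head = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, len(code) // 4)
    body = struct.pack(">3I", HUNK_DEBUG, 1, 0) + struct.pack(">2I", HUNK_CODE, len(code) // 4)
    return head + body + code + struct.pack(">I", HUNK_END)
```

Ordinary programs contain many bsr.w instructions, so the returned list is input for a manual look in a disassembler, not a verdict.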

      Report:
           - NO

      Destruction:
           - Writes garbage via DoIo
           - Destroys a random block chosen based on $DFF006
           - The random block is always greater than #63 ($7E00)
           - VT CANNOT recognize a block like this
           - This block cannot be saved
        VT tries to reset the vectors in memory.
        VT cannot repair all files.
        If there are errors in the file, please send me
        such files.


      Original test by Heiner Schneegold
      Translated from German to English by Google Translate




Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk