Phantom Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
Phantom Link Virus
------------------------


------------------------------------------------------------------------
    
Entry...............: Phantom Linkvirus
Alias(es)...........: Super-Nova
Virus Strain........: -
Virus detected when.: 11/1995
              where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium:  ca.688 Bytes
                      2. Length in RAM:                688 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Self-identification method in files: 
                      -  Searches for $83ef19acin the first Hunk at last
                         position (normal file infection)

                      Self-identification method in memory:
                      -  Checks for a longword in the LoadSeg routine
                         ($42a449fa)

                      System infection: 
                      -  RAM resident, infects the DOS Call LoadSeg()


                      Infection preconditions:
                       - File to be infected is bigger then 4000 bytes and smaller
                         than $2e630 bytes
                       - First hunk is a code hunk
                       - File is executable
                       - First hunk has no reloc linked behind
                       - First hunk ends not with $83ef19ac


Infection Trigger...: Accessing the volume via LoadSeg (patched)
                       
Storage media affected: all DOS-devices

Interrupts hooked...: none

Damage..............: Permanent damage: 
                      - None
                      Transient damage: 
                      - none
            
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage: 
                      - None

Particularities.....: The crypt/decrypt routines are aware of processor 
                      caches.


Similarities........: Link-method in library structured file is like the one of
                      the Commander virus (without bsr changes!)

Stealth.............: The viruses uses normal dos commands (no tunneling
                      via packets) and normal DOS call watchers like SnoopDos
                      can proof the infection behavior. The virus uses no
                      stealth weapons. The only things is it`s size. 688 bytes
                      difference in files don`t wake up the user so fast.


Armouring...........: The virus uses only 2 weapons:
                      1. The virus uses a cryptroutine to hide it`s code.
                      2. The virusname is hidden in a block, which will be
                         normally never accessed. Just decrease the values
                         by 1 and you will see the text "let`s go again...
                         PHANTOM"

Comments............: This file was sent to the dansk SHI leader from a german
                      guy. It was send to him as a new viruskiller. This happened
                      months (years?) ago and now (11/95) the virus appeared again.

                      In reality this is just a modified old version of VMK with
                      an installer linked before. The installer is timebased.

                      (In the BX-News.Guide in the chapter Super-Nove you
                       can find some more information, how the virus reached SHI).


--------------------- Agents -------------------------------------------

Countermeasures.....: VW5.7, BootX 5.23B with Recog 2.25 (only the installer)  ?
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 05.11.1995.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: October,05. 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall, Virus Test Center Uni Hamburg has the
                      permission to use this analyse in their catalog. SHI
                      is not allowed to use this document in ANY way.
===================== End of Phantom Virus ============================




Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk