Polyzygotronifikator Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



    --------------------------------
    Amiga Virus Encyclopedia
    Polyzygotronifikator Link Virus
    --------------------------------


    Polyzygotronifikator Link Virus:

    This is a classical link virus, which was sent to me as a very
    clever virus with a polymorphic routine that was supposed to be
    excellently coded. To be clear: in my opinion this virus is quite
    well coded, but nothing special. Writing the complete repair
    routines and testing them was a work of 4 hours...

    Works on Kickstart 2.0 and higher; it is based on internal patch
    routines for the LoadSeg vector of DOS. No other vectors are
    changed.

    When the virus starts, it searches memory for the SnoopDos task.
    If that task is present, the virus does not activate.

    The virus adds no hunk to the infected file, but enlarges the
    first code hunk. A speciality is that the virus contains a small
    workaround for the problems other viruses (like Infiltrator) had
    with packed files that are not 100 % Amiga conformant (no need to
    mention C= here), for example those using the Imploder library.

    The virus itself is 1196 bytes long and its crypt routine, which
    is polymorphic, is 44 bytes long. The crypt routine is polymorphic
    only in the sense that it inserts some garbage instructions
    between the individual commands and varies the registers it uses,
    nothing else. No complicated stuff like in the Crime'92 virus.

    The virus searches for the "move.l 4,a6" instruction (the load of
    ExecBase) and replaces it with an ordinary jump to its own code.
    The virus recognizes whether it has already infected a file or
    not, but this self-test routine checks only a single word and is
    not that secure. VirusWorkshop now uses 4 longwords to detect the
    virus in files.

    The virus identifies itself with the word 1994 in memory and on
    disk. In memory it searches for "1994", and in files it looks for
    $1994 (a word). As a result, this virus links to a file only once
    and nothing more. The virus does not link to other files if the
    device contains fewer than $1f40 (8000) sectors.

    The virus contains no real destruction routine and expects the
    first hunk of the file to be the code hunk.
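    The infection pattern described above (first hunk must be a code hunk,
    the hunk is enlarged, the leading "move.l 4,a6" is replaced by a jump,
    and a single word $1994 serves as the self-recognition marker) can be
    checked with a small inspector for Amiga hunk-format executables. The
    following is an added example, not code from the original page, from
    VirusWorkshop or from the virus itself: it builds a few constructed
    one-hunk files, none of which contain the real virus body, and shows
    why a one-word marker is weak. Two of the samples, a half-repaired
    file whose entry was restored but whose tail was left in place (the
    situation criticised in the 11.12.1994 comment below) and a clean
    program that merely uses the constant $1994, are indistinguishable
    by the marker alone. The branch encodings listed and the stand-in
    tail body are assumptions; the page does not state which jump form
    the virus uses, nor VirusWorkshop's 4-longword signature.

```python
"""Inspect the first code hunk of an Amiga hunk-format executable (added example)."""
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EB, 0x3F2

MOVEL_4_A6 = b"\x2C\x78\x00\x04"   # move.l $4.w,a6 : the ExecBase load the virus overwrites
MARKER = 0x1994                    # word the virus uses to recognise an already infected file
# First opcode word of a plain 68k branch/jump that could stand where the 4-byte move.l
# was.  Which form the virus really uses is not stated on the page (assumption).
BRANCH_OPCODES = (0x6000, 0x4EFA, 0x4EF9)    # BRA.W, JMP (d16,PC), JMP abs.L


def build_hunk_file(code: bytes) -> bytes:
    """Wrap raw 68k code into a minimal one-hunk executable (constructed test input)."""
    if len(code) % 4:
        raise ValueError("hunk payload must be longword aligned")
    n = len(code) // 4
    # HUNK_HEADER, empty resident-library list, table size 1, first/last hunk 0, size of hunk 0
    header = struct.pack(">LLLLLL", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">LL", HUNK_CODE, n) + code + struct.pack(">L", HUNK_END)


def parse_hunks(data: bytes):
    """Return (declared hunk sizes in longwords, [(hunk_type, payload), ...])."""
    off = 0

    def rd():
        nonlocal off
        (v,) = struct.unpack_from(">L", data, off)
        off += 4
        return v

    if rd() != HUNK_HEADER:
        raise ValueError("not a hunk-format executable")
    while True:                                  # resident library names, 0-terminated list
        n = rd()
        if n == 0:
            break
        off += 4 * n
    rd()                                         # table size
    first, last = rd(), rd()
    sizes = [rd() & 0x3FFFFFFF for _ in range(last - first + 1)]   # top bits are memory flags
    hunks = []
    while off < len(data):
        t = rd()
        if t == HUNK_END:                        # HUNK_END carries no length word
            continue
        n = rd()
        if t in (HUNK_CODE, HUNK_DATA):
            hunks.append((t, data[off:off + 4 * n]))
            off += 4 * n
        elif t == HUNK_BSS:
            hunks.append((t, b""))
        else:
            raise ValueError(f"hunk type ${t:X} not handled by this example")
    return sizes, hunks


def inspect(data: bytes) -> dict:
    """Report the traits of the first hunk that the description above relies on."""
    _sizes, hunks = parse_hunks(data)
    if not hunks or hunks[0][0] != HUNK_CODE:
        return {"leading_code_hunk": False}
    code = hunks[0][1]
    words = [struct.unpack_from(">H", code, i)[0] for i in range(0, len(code) - 1, 2)]
    return {
        "leading_code_hunk": True,
        "first_hunk_len": len(code),
        "entry_is_move_4_a6": code.startswith(MOVEL_4_A6),
        "entry_is_branch": bool(words) and words[0] in BRANCH_OPCODES,
        "marker_present": MARKER in words,       # word-aligned $1994 anywhere in the hunk
    }


def classify(data: bytes) -> str:
    r = inspect(data)
    if not r["leading_code_hunk"]:
        return "no leading code hunk"             # the virus would not infect this file
    if r["entry_is_branch"] and r["marker_present"]:
        return "entry patched, marker present"
    if r["marker_present"]:
        return "marker only"                     # half repaired, or an innocent $1994
    return "clean"


# --- constructed samples; the stand-in tail is NOT the real 1196-byte virus body ---
CLEAN_CODE = MOVEL_4_A6 + b"\x70\x00\x4E\x75"               # move.l 4.w,a6 ; moveq #0,d0 ; rts
STAND_IN_BODY = struct.pack(">H", MARKER) + b"\x4E\x71" * 3  # marker word followed by nops


def infect(code: bytes) -> bytes:
    """Mimic the described layout: enlarge the first hunk, redirect the entry to the tail."""
    disp = len(code) - 2                          # BRA.W displacement is relative to PC+2
    return struct.pack(">HH", 0x6000, disp) + code[4:] + STAND_IN_BODY


CLEAN = build_hunk_file(CLEAN_CODE)
INFECTED = build_hunk_file(infect(CLEAN_CODE))
# Entry restored but the tail left behind, as in the repair criticised below
HALF_REPAIRED = build_hunk_file(MOVEL_4_A6 + infect(CLEAN_CODE)[4:])
# A clean program that happens to use the constant: move.w #$1994,d0 ; rts ; nop
CONSTANT_1994 = build_hunk_file(MOVEL_4_A6 + b"\x30\x3C\x19\x94\x4E\x75\x4E\x71")

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN), ("infected", INFECTED),
                         ("half repaired", HALF_REPAIRED), ("uses $1994", CONSTANT_1994)]:
        print(f"{name:14s} hunk0={inspect(sample)['first_hunk_len']:3d} bytes -> {classify(sample)}")
```

    The "marker only" result is the point: once the entry instruction has
    been put back, a word scan cannot tell a left-over virus body from a
    program that legitimately contains $1994, which is why a scanner has
    to match the body itself (several longwords, as VirusWorkshop does)
    and why a repair must also shrink the first hunk back to its original
    length.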

    In the decrypted virus, you can read:

    "Don't think about it! You're simply infected with the
    Polyzygotronifikator... (Polymorph version)"

    This virus probably comes from Germany, because of the "k" in the
    name. An English-speaking coder would have written the name as
    "Polyzygotronificator" instead of "Polyzygotronifikator". This is
    just one way of combining words, but I think it is quite an
    interesting idea by Ingo Schmidt.

    VirusWorkshop is able to remove the virus, and the repaired file
    should work 100%. Better try it on a copy, just to be safe.
 
                                        Detection tested 05.08.1994.

    Comment 11.12.1994:
    Another virus checker/killer has appeared which recognizes this
    virus. Its repair routine does not correct the length of the first
    hunk; it only reinserts the "move.l 4.w,a6" and nothing more. VT
    2.69 and VW v4.5 therefore still detect the Polyzygotronifikator in
    the file, because its body is still there. This is the same virus
    killer which is not able to detect and remove the Crime'92 virus
    correctly, or at all (after 14 months!!!!). The German virus killer
    programmers do not have the task of correcting the bugs made by
    other virus killers! The same problem appears with the Commander
    link virus! Please judge for yourself!

    Comment 27.02.1995:
    If you activated Decrunch and then checked a file which was first
    packed and then infected with this virus, it could cause Enforcer
    hits. Fixed now.


    Test by Markus Schmall.



Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk