Amiga Virus Encyclopedia
Polyzygotronifikator Link Virus
This is a classical link virus, which was sent to me as
a very clever virus with a polymorphic routine that was supposed
to be excellently coded. To be clear: in my opinion this virus
is quite well coded, but nothing special. It took 4 hours of work
to write the complete repair routines and test them...
It works with Kickstart 2.0 and higher, based on the internal patch
routines for the LoadSeg vector from DOS. No other vectors are
When the virus starts, it searches memory for the SnoopDos
task. If the task exists, the virus won't start.
The virus adds no hunk to the infected file, but enlarges the
first code hunk. One special feature is that the virus contains a
small workaround for problems which other viruses had
with packed files (like Infiltrator), which are not 100%
AMIGA (no need to mention C= here) conformant (Imploder Library).
The virus itself is 1196 bytes long and the crypt routine, which
is polymorphic, is 44 bytes long. The crypt routine is polymorphic
only in the sense that it puts some garbage between the individual
instructions and uses some registers differently, and nothing
else. No complicated stuff like in the Crime'92 virus.
The virus searches for the "move.l 4,a6" command and replaces
it with an ordinary jump to its own code. The virus recognizes
whether it has already infected a file or not. This self-test routine
tests only for one single word and is not that secure.
VirusWorkshop now uses 4 longwords to detect the virus in files.
The virus identifies itself with the word 1994 in memory and
on disk. In memory it searches for "1994" and in files it
looks for $1994 (a word). As a result, this virus links only one
time to a file and nothing more. The virus does not link to
other files if the device contains less than $1f40 sectors.
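
The following is an added example, not code from the original page or from VirusWorkshop. It parses an AmigaDOS load file, extracts the first code hunk, and shows why a one-word check for $1994 is weak: a clean program that merely uses $1994 as an operand matches it too. The names `first_code_hunk`, `triage` and `CLEAN_SAMPLE` are hypothetical, the sample file is constructed, and the presence of "move.l 4.w,a6" is only a triage hint.

```python
import struct

HUNK_HEADER, HUNK_CODE = 0x3F3, 0x3E9
MOVE_EXECBASE = bytes.fromhex("2C780004")  # encoding of movea.l 4.w,a6
MARKER_WORD = bytes.fromhex("1994")        # word the self-test looks for

def first_code_hunk(data):
    """Return the raw bytes of the first code hunk of an AmigaDOS load file."""
    pos = 0
    def long():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated hunk file")
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value
    if long() != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    while (n := long()) != 0:      # resident library names, normally empty
        pos += 4 * n
    _table_size, first, last = long(), long(), long()
    for _ in range(last - first + 1):
        long()                     # per-hunk sizes; not needed for this check
    if (long() & 0x3FFFFFFF) != HUNK_CODE:
        raise ValueError("first hunk is not a code hunk")
    size = 4 * (long() & 0x3FFFFFFF)   # length is stored in longwords
    if pos + size > len(data):
        raise ValueError("truncated code hunk")
    return data[pos:pos + size]

def triage(data):
    """Count word-aligned marker hits and look for the ExecBase load."""
    code = first_code_hunk(data)
    words = [code[i:i + 2] for i in range(0, len(code), 2)]
    pairs = [code[i:i + 4] for i in range(0, len(code) - 3, 2)]
    return {"code_bytes": len(code),
            "marker_word_hits": words.count(MARKER_WORD),
            "has_move_execbase": MOVE_EXECBASE in pairs}

# Constructed clean sample: move.l 4.w,a6 / move.w #$1994,d0 / rts / nop
CLEAN_SAMPLE = bytes.fromhex(
    "000003F3" "00000000" "00000001" "00000000" "00000000" "00000003"
    "000003E9" "00000003" "2C780004" "303C1994" "4E754E71" "000003F2")

if __name__ == "__main__":
    print(triage(CLEAN_SAMPLE))
```

The clean sample produces one marker hit although nothing has touched it, which is the kind of false match a multi-longword signature avoids.
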
The virus contains no real destruction routine and expects as
for hunk the codehunk.
In the decrypted virus, you can read:
"Don`t think about it! You`re simply infected with the
Polyzygotronifikator... (Polymorph version)"
This virus probably comes from Germany, because of the "k" in the
name. An English-speaking coder would have written the name as
"Polyzygotronificator" instead of "Polyzygotronifikator". This is
just a deduction, but I think it is quite an
interesting idea by Ingo Schmidt.
VirusWorkshop is able to remove the virus and the repaired file should
work 100%. Better try it with a copy, just for security.
Detection tested 05.08.1994.
Comment 11.12.1994: Another virus checker/killer appeared, which
recognizes this virus. Its repair routine does not correct the
length of the first hunk; it only reinserts the "move.l 4.w,a6"
and nothing more. VT 2.69 and VW4.5 still detect Polygonifrikator
in the file, because it is still there. This is the same
virus killer which is not able to remove and detect the Crime'92
virus correctly or in general (in a time of 14 months!!!!).
Please judge for yourself, but the German virus killer programmers
do not have the task of correcting the bugs made by other
virus killers! The same problem appears with the Commander link virus! Please
judge for yourself!
Comment 27.02.1995: If you activated Decrunch and then checked
a file which was first packed and then infected with this
virus, it could give Enforcer hits. Fixed now.
Test by Markus Schmall.