Amiga Virus Encyclopedia
    Polyzygotronifikator Link Virus

    Polyzygotronifikator LinkVirus:

    This is a classical linkvirus, which was sent to me as
    a very clever virus with a polymorphic routine, which was said
    to be excellently coded. To be clear: In my opinion this virus
    is quite well coded, but nothing special. It was a work of 4 hours
    to write the complete repair routines and test them...

    Works with Kickstart 2.0 and higher, based on the internal patch
    routines for the LoadSeg vector from DOS. No other vectors are

    When the virus starts, it searches memory for the SnoopDos
    task. If it exists, the virus won't start.

    The virus adds no hunk to the infected file, but enlarges the
    first codehunk. A special feature is that the virus contains a
    little workaround for problems which other viruses had
    with packed files (like Infiltrator), which are not 100 %
    AMIGA (no need to mention C= here) conformant (Imploder Library).

    The virus itself is 1196 bytes long and the crypt routine, which
    is polymorphic, is 44 bytes long. The crypt routine is polymorphic
    only in the sense that it puts some garbage between the single
    commands and uses some registers differently, and nothing
    else. No complicated stuff like in the Crime'92 virus.

    The virus searches for the "move.l 4,a6" command and replaces
    it with an ordinary jump to its own code. The virus recognizes
    whether it has already infected a file or not. This self-test
    routine tests only for one single word and is not that secure.
    VirusWorkshop now uses 4 longwords to detect the virus in files.

    The virus identifies itself with the word 1994 in memory and
    on disk. In memory it searches for "1994" and in files it
    looks for $1994 (a word). As a result, this virus links only one
    time to a file and nothing more. The virus does not link to
    other files if the device contains fewer than $1f40 sectors.

    The virus contains no real destruction routine and expects as
    for hunk the codehunk.

    In the decrypted virus, you can read:

    "Don`t think about it! You`re simply infected with the
    Polyzygotronifikator... (Polymorph version)"

    This virus probably comes from Germany, because of the "k" in the
    name. An English-speaking coder would have written the name like
    "Polyzygotronificator" instead of "Polyzygotronifikator". This is
    just some way of combination, but I think this is quite an
    interesting idea by Ingo Schmidt.

    VirusWorkshop is able to remove a virus and the repaired file should
    work 100%. Better try it with a copy, just for security.

                                        Detection tested 05.08.1994.

    Comment 11.12.1994: Another viruschecker/killer appeared, which
    recognizes this virus. The repair routine does not correct the
    length of the first hunk, it only reinserts the "move.l 4.w,a6"
    and nothing more. VT 2.69 and VW4.5 still detect Polyzygotronifikator
    in the file, because it still exists there. This is the same
    viruskiller which is not able to remove and detect the Crime'92
    virus correctly or in general (in a time of 14 months!!!!)
    Please judge for yourself, but the German viruskiller programmers
    do not have the task of correcting the bugs made by other
    viruskillers! The same problem appears with the Commander
    linkvirus! Please judge for yourself!

    Comment 27.02.1995: If you activated Decrunch and then checked
    a file which was first packed and then infected with this
    virus, it could give Enforcer hits. Fixed now.

    Test by Markus Schmall.
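
    An added example (not part of the original entry and not VirusWorkshop's
    code) of the two detection points above: the one-word self-test compared
    with a longer signature, and why a file in which only "move.l 4.w,a6" was
    put back still scans as infected. The 16-byte signature, the sample files
    and the assumption that the marker word may sit at any even offset of the
    first code hunk are constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
MOVE_EXECBASE = bytes.fromhex("2c780004")  # 68000 encoding of move.l 4.w,a6
WEAK_WORD = bytes.fromhex("1994")          # the single word the self-test checks
# Constructed stand-in for a 4-longword scanner signature (real bytes not on the page).
SIG = bytes.fromhex("deadbeef0badf00dfeedfacecafed00d")

def first_code_hunk(data):
    """Return the body of the first hunk of an AmigaDOS load file (must be code)."""
    longs = struct.unpack(">%dI" % (len(data) // 4), data[:len(data) // 4 * 4])
    try:
        if longs[0] != HUNK_HEADER:
            raise ValueError("not a hunk load file")
        i = 1
        while longs[i]:                      # skip resident library names
            i += 1 + longs[i]
        first, last = longs[i + 2], longs[i + 3]
        i += 4 + (last - first + 1)          # zero, table size, first, last, sizes
        if (longs[i] & 0x3FFFFFFF) != HUNK_CODE:
            raise ValueError("first hunk is not a code hunk")
        n = longs[i + 1] & 0x3FFFFFFF        # hunk length in longwords
    except IndexError:
        raise ValueError("truncated hunk file")
    return data[(i + 2) * 4:(i + 2 + n) * 4]

def aligned_find(code, pat):
    """True if pat occurs at an even offset (68000 instructions are word-aligned)."""
    return any(code[o:o + len(pat)] == pat
               for o in range(0, len(code) - len(pat) + 1, 2))

def classify(data):
    code = first_code_hunk(data)
    return {"weak_word": aligned_find(code, WEAK_WORD),
            "signature": aligned_find(code, SIG),
            "startup_present": aligned_find(code, MOVE_EXECBASE)}

def make_file(code):
    """Build a constructed one-hunk load file around the given code bytes."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    return (struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n)
            + code + struct.pack(">I", HUNK_END))

# Constructed samples: a clean program that happens to load #$1994, and a file whose
# startup instruction was put back while the appended body stayed in the hunk.
CLEAN = make_file(MOVE_EXECBASE + bytes.fromhex("303c19944e75"))
HALF_REPAIRED = make_file(MOVE_EXECBASE + bytes.fromhex("4e75") + SIG + WEAK_WORD)
```

    The clean sample matches the one-word test but not the longer signature,
    while the half-repaired sample shows the startup instruction and the
    signature side by side.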


Virum Help Team
Denmark & Canada
Copyright © All rights reserved