Warning!
A new linkvirus is out. The first known infected file is
lop_mi2.lha. The FILE_ID.DIZ looks like this:
.
____ .:: ______
/ |.:::::' | __ \_
\ _|:: ::.::::. ¬___/
.-- \____:: :::: :: \ --.
| `::::':: ::_____/ |
| LøøP `::::' |
| |
| MASTER ISO 1.22 100% CRC |
| THIS IS THE IMPROVED |
| INTENSITY-VERSION ... |
`------------------------------'
The virus is linked on it normally. It doesn`t seems to be an installer,
probably the guys behind it didn`t know about this infection.
Emacs/TRSi got a call from Lenny Dee/Hf and gave me this archive. It
seems to be spreaded global. Since a Hf guy tried this archiv before
release 3 things for Hf Emacs checked for me this 3 releases and all
of them were virusfree.
! Special thanks at this time to Lenny Dee/HF for the fast warning !
Ok, here the analyse of the little bastard:
Entry...............: BBS Traveller Virus
Alias(es)...........: Ebola-II
Virus Strain........: -
Virus detected when.: 17.04.1996
where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1536 Bytes
2. Length in RAM: 12000 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- Searches for $ab1590ef at the end of the first Hunk.
(this longword comes from the EBOLA-I virus)
- Searches for $24121996 at the end of the first hunk
(selfrecognition)
- Searches for $1080402 at the end of the first hunk
(this is the recognition of the Strange Atmosphere
linkvirus)
Self-identification method in memory:
Searches for $3D385E29 at offset -6 from the Dos
LoadSeg()
function.
If $1020304 will be found at this position, the
destruction
counter will be manipulated (somekind of test for the
programmer of this virus ?)
System infection:
- non RAM resident, infects the following functions:
Dos LoadSeg(), Dos ReadARGS(), Exec Findname(),
Exec Findtask, Exec SetFunktion() and Exec Addport()
Infection preconditions:
- File to be infected is bigger then 2600 bytes and
smaller then 290000 bytes
- Device must have more than 6000 sectors
- First hunk contains a $4eaexxxx command in the 16
bit range to the end of the file (test for the first
entry)
- the file is not already infected (the at long of the
end of the hunk)
- HUNK_HEADER and HUNK_CODE are found
Infection Trigger...: Accessing files via LoadSeg()
Files starting with "v","V","." or "-" will be NOT
infected.
Storage media affected:
all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
- Formatting the drive
Transient damage:
- none
Damage Trigger......: Permanent damage:
- Formatting the drive, when an internal counter reaches
5000.
Transient damage:
- None
Particularities.....: The crypt/decrypt routines are partly aware of processor
caches. The cryptroutine are non polymorphic and only
consists of some logical stuff. The virus uses some
simple retro technics to stop viruskillers searching
for itself.
Similarities........: Link-method is comparable to the method invented with
the infiltrator-virus. Damage routine is taken from the
Strange Atmosphere linkvirus. The virus is a typical
mixture from the EBOLA and the Strange Atmosphere
linkviruses. We think that all 3 ones come from the
same programmer, probably in the east or north of
Germany.
Stealth.............: If the viruskiller VT up to version 2.82 will be started,
the virus removes itself completly from memory. If one of
the following programms will be found in memory, no link
try will be started:
SetFunktionManager
VirusChecker
VirusZ_II
SnoopDos
SnoopDos 3
VW-Save!
Armouring...........: The virus uses only a single armouring technique to
confuse people. It only crypts it`s code based on the
position of the rasterbeam.
Comments............: The name EBOLA is the name of a virus, which humans
can get infected with. CARO rules say, that no names
of persons etc. may be used to call a virus, but I
spoke to other persons and they already recognized
this virus in this way. The virus contains the string
"BBS Traveller", but this is just a clone from the
EBOLA linkvirus with some enhancements.
--------------------- Agents -------------------------------------------
Countermeasures.....: VW6.1 beta
above Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 19.04.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: April,19. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
in any SHI publication
===================== End of BBS Traveller Virus =========================
Greets
Markus Schmall
