196 bytes linkvirus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
196 bytes linkvirus
------------------------    

-----------------------------------------------------------------------
Entry...............: 196-bytes
Alias(es)...........: NoName (196 bytes)
Virus Strain........: xxxxxxxxShort
Virus detected when.: -
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         196 Bytes
                      2. Length in RAM:                      0 Bytes
                               (uses system stack to hide it's code)

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: V36+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - first byte of first code hunk is $61.B

                      Self-identification method in memory:

                      - checks for "do".W at sysStackLower offset 0

                      System infection:
                      -  infects the following function: Dos Write()

                      Infection preconditions:

                      - Hunk Code is found
                      - File is not infected already
                      - file is smaller than $7c0*4

Infection Trigger...: Copying executable files

Storage media affected:
                      all dos devices (including RAM:)

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - generating of bad files is possible
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - too simply infect code

Particularities.....: Smallest first hunk increaser for Amiga.

Similarities........: Code is equal to xxxxxxxxShort. First long of
                      first codehunk is replaced with jump to virus
                      code.
                      This is light version of NoName(212 bytes).

Stealth.............: -

Armouring...........: -

Comments............: The main goal of this virus is it's size.
                      There are some 'bugs' that may cause making
                      wrong files (lack of clever test routines).
                      The virus is not aware of processor caches.

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  2002
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 2002
Information Source..: Analyze of virus and source code
Copyright...........: This documentation is public domain

===================== End of 196 bytes virus ============================

Antivirus removal...: VirusZ III with Xvs.library installed





Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk