- PolPow-antonio-Vir.    Link virus

      Reason for the name:
       The coding routine (except for the unusual instruction) and the
       link routine were 'borrowed', hence the PolPow (PolishPower)
       prefix.

      The link part of the file reads (hex, with ASCII rendering;
      NUL and control bytes are shown as '.'):
                            646f732e 6c696272 61727900  dos.library.
          74696d65 722e6465 76696365 006d6169  timer.device.mai
          6c2e686f 746d6169 6c2e636f 6d004652  l.hotmail.com.FR
          4f4d3a3c 6d654079 61686f6f 2e636f6d  OM:.To:.
          0d0a2e0d 0a006273 64736f63 6b65742e  ......bsdsocket.
          6c696272 61727900 6d69616d 692e6c69  library.miami.li
          62726172 79006d69 3000               brary.mi0.

       timer.device is never called at this point.
       Also note that these sections can easily be taken over.
      File lengthened by: 5900-7858 bytes
            Because of a small inconsistency, a file may be linked
            (infected) twice!
      Does not survive resets.
      Requires at least Kickstart ~36 (OS 2.0).
      Vectors changed: none
      Method of staying in memory:
       none; there is no resident code (unlike PolishPower).
      Two harmful jobs are carried out, followed by a third that runs
      the original program:

      1st job:
       bsdsocket.library and miami.library are looked up and their
       jump-table calls (no library documentation was available) are
       used in connection with the hotmail addresses shown above. The
       strings mail.hotmail.com, FROM:, To: and the CRLF.CRLF
       terminator point to an SMTP mail session.

      2nd job:
       The task list is searched for processes. The files belonging
       to them are infected and the task list is modified to mark
       those processes. The files cannot always be found (e.g. for
       Workbench processes).

      Link process:
      - A file with only one hunk is produced. At the start is the
        decoding routine; its length varies because a different
        coding instruction is used each time. After it come the
        actual virus and the original file.
        The original file cannot easily be extracted, since the
        start parameters (depth and coding type) are themselves
        encoded.
        Depending on $DFF006 (the beam-position register VHPOSR,
        used here as a random source), the link can vary. Since
        infected files are not marked, further links are possible
        after a reset. I stopped after 20 during testing.

           - Conditions:
              - Volume is validated
              - At least ~100 blocks free
              - File larger than ~2000 bytes
              - File smaller than ~1 million bytes !!!!!
              - File is executable (starts with HUNK_HEADER, $3F3)
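As an added example (not VT's detection logic and not code from the report), the following Python pre-screen applies the conditions above to a file image: it parses the Amiga HUNK_HEADER to confirm the $3F3 magic and count the hunks, checks the size window, and looks for the plaintext library and mail strings from the link part. The hunk-file layout, the `build_sample` helper and the sample images are assumptions made for the example; the virus's variable coder is not undone, so a hit is a reason to send a sample in, not a verdict.

```python
"""Heuristic pre-screen for PolPow-antonio-style link infections.

Added example; not VT's detection and not the virus's code. It applies
the facts in the report: HUNK_HEADER magic $3F3, a size window of
roughly 2000 bytes to 1 MB, an infected file made of exactly one hunk,
and the library/mail strings listed in the link part. The sample file
images at the bottom are constructed for the example.
"""
import struct

HUNK_HEADER = 0x3F3   # first longword of every Amiga hunk executable
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2

MIN_SIZE = 2000        # the report's "~2000 bytes" lower bound
MAX_SIZE = 1_000_000   # the report's "~1 million bytes" upper bound

# Strings from the link part of the report. Assumed to be in plaintext
# for this heuristic; the report notes that the coder itself varies.
INDICATORS = [b"dos.library", b"timer.device", b"mail.hotmail.com",
              b"bsdsocket.library", b"miami.library", b"\r\n.\r\n"]


def parse_hunk_header(data):
    """Return the hunk count declared by a HUNK_HEADER block, or None.

    Layout (big-endian longwords): $3F3; resident library names, each a
    longword count followed by that many longwords of text, ended by a
    zero count; table size; first hunk; last hunk; one size per hunk.
    """
    if len(data) < 4 or struct.unpack(">I", data[:4])[0] != HUNK_HEADER:
        return None
    pos = 4
    while True:                      # skip resident library names
        if pos + 4 > len(data):
            return None
        count = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
        if count == 0:
            break
        pos += 4 * count
    if pos + 12 > len(data):
        return None
    table_size, first, last = struct.unpack(">III", data[pos:pos + 12])
    if last < first or table_size != last - first + 1:
        return None
    return table_size


def screen(data):
    """Return (suspicious, reasons) for one file image."""
    hunks = parse_hunk_header(data)
    if hunks is None:
        return False, ["not an Amiga hunk executable ($3F3 header missing)"]
    if not MIN_SIZE < len(data) < MAX_SIZE:
        return False, ["outside the size window the virus infects"]
    reasons = []
    if hunks == 1:
        reasons.append("single hunk (the infected layout)")
    found = [s for s in INDICATORS if s in data]
    if found:
        reasons.append("plaintext strings: " + ", ".join(map(repr, found)))
    # Single hunk plus several of the strings is the combination worth
    # sending in as a sample; either alone is common in clean programs.
    return hunks == 1 and len(found) >= 3, reasons


def build_sample(bodies):
    """Construct a minimal hunk executable with one HUNK_CODE per body."""
    bodies = [b + b"\0" * (-len(b) % 4) for b in bodies]   # longword-align
    n = len(bodies)
    out = struct.pack(">II", HUNK_HEADER, 0)               # no resident libs
    out += struct.pack(">III", n, 0, n - 1)
    out += b"".join(struct.pack(">I", len(b) // 4) for b in bodies)
    for b in bodies:
        out += struct.pack(">II", HUNK_CODE, len(b) // 4) + b
        out += struct.pack(">I", HUNK_END)
    return out


# Constructed samples: a two-hunk clean program, a single-hunk image
# carrying the strings, and a single-hunk image too small to be infected.
CLEAN = build_sample([b"\x4e\x75" + b"\0" * 1500 + b"dos.library\0",
                      b"\0" * 2000])
LINK_STRINGS = b"\0".join(INDICATORS) + b"\0"
INFECTED_LIKE = build_sample([b"\x4e\x71" * 8 + LINK_STRINGS + b"\0" * 3000])
TINY = build_sample([LINK_STRINGS])

if __name__ == "__main__":
    for name, img in [("CLEAN", CLEAN), ("INFECTED_LIKE", INFECTED_LIKE),
                      ("TINY", TINY)]:
        print(name, len(img), "bytes ->", screen(img))
```

Run it on a real file with `screen(open(path, "rb").read())`. The size window is applied first because, per the conditions above, the virus never touches files outside it, so a file there cannot carry this infection regardless of what strings it holds.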

      3rd job:
       The original file is executed. The virus does not try to
       install itself in memory, so searching memory for it is
       pointless. A new infection attempt is only started when a
       file that has already been infected is executed.

       VT constantly searches the task list for the virus. If the
       requester "PolPow-antonio-Vir. war im Speicher" ("... was in
       memory") appears, you should be extra careful. Note that
       PolPow-antonio and PolishPower look the same in the task list!

       Note (Dec 98): since the unusual instruction was removed from
       the coding routine, recognition has become more difficult. At
       times only error detection could be used. Please send us a
       sample file if you suspect you are infected. VT finds this
       variant ONLY!!!! with the file test.


  --------------------------------------------------------------
   Translated to English by Antonio Remedios  2001 VHT-Denmark
   Org. Test by Heiner Schneegold.
  --------------------------------------------------------------
