--------------------- Virus test ---------------------------------------

Entry...............: BASTARD (temporary name)
Alias(es)...........: -
Virus Strain........: Motaba(?)
Virus detected when.: 4.2001
              where.: internet
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 2100 bytes
                      (uses a polymorphic engine, so the length varies)
                      2. Length in RAM:                    8192 bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - checks whether the first byte of the first
                        code hunk is $61 (the high byte of the bsr.w
                        that jumps to the virus code)

                      Self-identification method in memory:
                      - the virus is only indirectly aware of itself:
                        * it checks for -1 ($FFFFFFFF) in the tc_UserData
                          field of every process; this value is stored
                          there by the virus's own scanner of the exec
                          TaskWait list, and processes already marked
                          are skipped
                        * the attempt to patch asl.library fails when
                          the patch is already present, so the memory
                          is freed again

                      System infection:

                      -  tries to guess the paths of running programs
                         from pr_HomeDir and the task name.
                         This yields about 2-5 valid file paths
                         (mainly in WBStartup) to infect.

                      -  tries to patch the in-memory code of
                         AllocRequest in asl.library with a routine
                         that in turn attacks the VirusCheckerII process
                         (it locates the killer through its seglist
                         and Open call and patches it!). I don't know
                         which version(s) the virus author had tested.

                      Infection preconditions:

                      - File is between 2000 and 32000 bytes
                      - A code hunk (HUNK_CODE) is found
                      - File is not already infected (see the $61 check above)
                      - Device is validated
                      - Device contains free blocks

Infection Trigger...: 1. Files being accessed (checked) by VirusCheckerII.
                      2. Direct infection of some running programs
                         after an infected file has been run.
                      Files whose name contains an "l", "L", "-", "V"
                      or "v" are not infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - Crashes the system.
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - File ENV:mui/spirit.1.prefs exists
                      Transient damage:
                      - none

Particularities.....: Polymorphic decrypt routine.
                      The decryptor is 256 bytes long and is always
                      preceded by: movem.l d0-a6,-(sp)
                      This engine is (for me) a new one, but it doesn't
                      contain enough to prevent "checksum" detection
                      of the infected files.
                      The truth is even better: we can decode the virus
                      using the technique found inside it
                      (the crypter and decrypter are the same!).
                      The polymorphic engine always contains
                      one loop, one eor, one move.l 4.w,a6 and
                      two lea.l; the rest is random moveq and shifts
                      like lsl.l #2,d4 etc.
                      The decrypt algorithm may vary if a random
                      instruction that changes the crypt-key register
                      appears inside the decrypt loop;
                      I didn't get any crashing example.
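                      The reason the same routine can serve as the
                      decoder is that an eor loop is its own inverse as
                      long as the key schedule never reads the data.
                      The following is an added example, not code from
                      the report or from the virus: it models the
                      decrypt loop as an eor with a key register plus a
                      random selection of key-mutating instructions
                      (the repertoire here, lsl/rol/addq/not on d4, is
                      an assumption in the spirit of the report's
                      "moveq and shifts"; the 68k listing it emits is
                      illustrative only) and checks that applying one
                      generated instance twice restores the body.

```python
"""Model of a symmetric (eor-based) polymorphic decrypt loop.

Added example; the instruction repertoire and listing layout are assumptions,
not a disassembly of the real engine.
"""
import random

MASK = 0xFFFFFFFF

# Key-mutating instructions the generator may drop into the loop body.
# 32-bit register semantics; d4 is the crypt-key register in this model.
KEY_OPS = {
    "lsl.l #2,d4":  lambda k: (k << 2) & MASK,
    "rol.l #3,d4":  lambda k: ((k << 3) | (k >> 29)) & MASK,
    "addq.l #5,d4": lambda k: (k + 5) & MASK,
    "not.l d4":     lambda k: k ^ MASK,
}


def generate_decryptor(rng):
    """Return (listing, params) for one random decryptor instance.

    The skeleton is fixed (one loop, one eor, one move.l 4.w,a6, two lea.l);
    only the key and the key-mutating instructions inside the loop vary.
    """
    key = rng.getrandbits(32)
    body_ops = rng.sample(list(KEY_OPS), rng.randint(0, 3))
    listing = [
        "      movem.l d0-a6,-(sp)",       # always precedes the decryptor
        "      move.l  4.w,a6",            # ExecBase, present in every instance
        "      lea.l   body(pc),a0",
        "      lea.l   body_end(pc),a1",
        "      move.l  #$%08X,d4" % key,
        "loop: eor.l   d4,(a0)+",          # the single eor
    ] + ["      " + op for op in body_ops] + [
        "      cmpa.l  a1,a0",
        "      bne.s   loop",
    ]
    return listing, (key, body_ops)


def run_decryptor(params, data):
    """Emulate the loop over a longword-aligned buffer (big-endian, like the 68000).

    The key schedule depends only on the previous key, never on the data, so
    running this over ciphertext with the same params yields the plaintext.
    """
    key, body_ops = params
    out = bytearray()
    for i in range(0, len(data), 4):
        word = int.from_bytes(data[i:i + 4], "big")
        out += ((word ^ key) & MASK).to_bytes(4, "big")
        for op in body_ops:
            key = KEY_OPS[op](key)
    return bytes(out)


def roundtrip_ok(seed, body=bytes(range(64))):
    """Encrypt a constructed body with one generated instance, then decrypt
    with the very same routine; True if the body comes back unchanged."""
    listing, params = generate_decryptor(random.Random(seed))
    return run_decryptor(params, run_decryptor(params, body)) == body


def skeleton_counts(listing):
    """Count the invariant pieces the report names; these survive every mutation."""
    return {
        "eor": sum("eor" in line for line in listing),
        "lea": sum("lea.l" in line for line in listing),
        "execbase": sum("move.l  4.w,a6" in line for line in listing),
        "loop": sum(line.startswith("loop:") for line in listing),
    }


if __name__ == "__main__":
    listing, params = generate_decryptor(random.Random(7))
    print("\n".join(listing))
    print(skeleton_counts(listing), "roundtrip:", roundtrip_ok(7))
```

                      Two instances differ in key and in the junk inside
                      the loop, but the counts returned by
                      skeleton_counts are identical for every instance,
                      which is exactly why the engine does not defeat
                      structural or checksum-based detection.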

                      The virus replaces the first longword of the
                      first code hunk with a bsr.w to the virus code.
                      The original value is restored by the
                      decrypted virus code, and the stack is
                      manipulated so that the program is called first
                      and the main virus code afterwards.
                      Note that there is no detailed check of this
                      longword, so every file that does not start
                      with $61 will be infected.
                      This also means that files with a relocation
                      entry on the first longword will guru after
                      infection.
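                      The file-side checks above (size range, presence
                      of a code hunk, the $61 mark, and the unchecked
                      relocation on the first longword) can be applied
                      offline to any hunk executable. The following is
                      an added example, not the report's or the virus's
                      code: a minimal parser for the standard AmigaDOS
                      hunk layout (HUNK_HEADER, HUNK_CODE, HUNK_RELOC32,
                      HUNK_END) plus an assessment that reports what the
                      virus would do with the file. The sample files it
                      builds are constructed in the script; the
                      device-level preconditions (validated, free
                      blocks) are not visible in a file image and are
                      left out.

```python
"""Apply BASTARD's file-side infection preconditions to a hunk executable.

Added example; hunk type values are the standard AmigaDOS ones, the sample
executables are constructed here and are not real programs.
"""
import struct

HUNK_HEADER  = 0x3F3
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2

BSR_HIGH_BYTE = 0x61          # bsr.w is $6100+disp16; only this byte is checked
MIN_SIZE, MAX_SIZE = 2000, 32000


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]


def parse_hunks(data):
    """Return a list of hunks: dicts with 'type', 'body' and 'relocs'
    (relocs = offsets inside this hunk that the loader will patch)."""
    if _u32(data, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos = 4
    while _u32(data, pos) != 0:                 # skip resident library names
        pos += 4 + 4 * _u32(data, pos)
    pos += 4
    first, last = _u32(data, pos + 4), _u32(data, pos + 8)
    pos += 12 + 4 * (last - first + 1)          # table size, first, last, sizes
    hunks, cur = [], None
    while pos < len(data):
        htype = _u32(data, pos) & 0x3FFFFFFF     # strip memory-attribute bits
        pos += 4
        if htype in (HUNK_CODE, HUNK_DATA):
            n = _u32(data, pos); pos += 4
            cur = {"type": htype, "body": data[pos:pos + 4 * n], "relocs": []}
            pos += 4 * n
            hunks.append(cur)
        elif htype == HUNK_BSS:
            pos += 4
            cur = {"type": htype, "body": b"", "relocs": []}
            hunks.append(cur)
        elif htype == HUNK_RELOC32:
            while True:
                count = _u32(data, pos); pos += 4
                if count == 0:
                    break
                pos += 4                         # hunk whose base gets added
                cur["relocs"].extend(_u32(data, pos + 4 * i) for i in range(count))
                pos += 4 * count
        elif htype == HUNK_END:
            cur = None
        else:
            raise ValueError("unsupported hunk type 0x%X" % htype)
    return hunks


def assess(data):
    """Report the virus's own file checks and the crash case the report notes:
    a relocation touching bytes 0-3 of the first code hunk is not checked, so
    the loader later patches the injected bsr.w and the program gurus."""
    hunks = parse_hunks(data)
    code = next((h for h in hunks if h["type"] == HUNK_CODE), None)
    r = {
        "size_ok": MIN_SIZE <= len(data) <= MAX_SIZE,
        "has_code": code is not None,
        "marked": code is not None and len(code["body"]) >= 4
                  and code["body"][0] == BSR_HIGH_BYTE,
        "reloc_in_first_long": code is not None and any(o < 4 for o in code["relocs"]),
    }
    r["would_infect"] = r["size_ok"] and r["has_code"] and not r["marked"]
    return r


def build_hunk_file(code, relocs=()):
    """Constructed sample: one code hunk, optional RELOC32 block, then HUNK_END."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    out = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    out += struct.pack(">II", HUNK_CODE, n) + code
    if relocs:
        out += struct.pack(">III", HUNK_RELOC32, len(relocs), 0)
        out += b"".join(struct.pack(">I", o) for o in relocs) + struct.pack(">I", 0)
    return out + struct.pack(">I", HUNK_END)


NOPS = b"\x4e\x71" * 1500                                          # padding into size range
CLEAN  = build_hunk_file(b"\x4e\x75" + NOPS)                       # rts; normal target
MARKED = build_hunk_file(b"\x61\x00\x0b\xb8" + NOPS)               # starts with bsr.w: skipped
RELOC0 = build_hunk_file(b"\x4e\xf9\x00\x00\x00\x00" + NOPS, (2,)) # jmp abs.l: reloc at 2
TINY   = build_hunk_file(b"\x4e\x75")                              # below 2000 bytes

if __name__ == "__main__":
    for name, img in ("clean", CLEAN), ("marked", MARKED), ("reloc0", RELOC0), ("tiny", TINY):
        print(name, len(img), assess(img))
```

                      Note the flip side of the weak self-identification:
                      MARKED is skipped whether it is really infected or
                      simply a clean program whose first instruction is a
                      bsr, since only the $61 byte is examined.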

                      New ideas throughout. The virus looks excellent
                      compared to Motaba-3, which is supposed to
                      be the base of this viral engine.
                      Directly patching things that exist only in RAM
                      is a problematic subject, and there is an incredibly
                      large number of things that can be patched
                      in the same way in future.

                      One of those bastards that, if run from an icon,
                      will not crash with the well-known GURU 87000004.
                      That is because the virus code executes AFTER
                      the program.

Similarities........: Link method is first-hunk increasing (the first
                      hunk is extended).
                      The main code is comparable to Motaba-3.
                      The length polymorphism is the same!
                      The change of length depends on the number of
                      'a' characters in the file path.
                      The path creator idea is comparable to the
                      Antonio and PolishPower viruses.

Stealth.............: FindTask must point to $fxxxx (i.e. still the
                      original Kickstart ROM vector, not a patched one)
                      or the virus will not try to hack VCII.
                      Open must point to $fxxxx or the virus
                      will not perform any action.
                      Write must point to $fxxxx or the virus
                      will not perform any action.
                      Lock must point to $fxxxx or the virus
                      will not perform the check for ENV:mui/spirit.1.prefs.
                      The virus doesn't patch ROM library vectors,
                      and the patching of VC and asl.library is done
                      in quite a tricky way.

Armouring...........: A polymorphic decryptor is used, the length
                      of the added code varies within a small range, and
                      the end of the virus is more or less garbage.
                      The virus contains some of the popular tricks,
                      like a bsr followed by adjusting sp to mix code
                      with data, and some confusing/anti-disassembly
                      instructions.

Comments............: -

--------------------- Agents -------------------------------------------

Countermeasures.....: -
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  4.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 4.2001
Information Source..: Virus disassembly and reverse engineering
Copyright...........: This documentation is public domain

===================== End of BASTARD ===================================

The virus doesn't seem to be able to spread on many machines,
but of course file removal tools will be ready as soon as possible.


What is more important!
-----------------------
Here is the first analysis of that virus.
At the moment the range of spreading is unknown,
but I heard the installer is an archive with pointers or something
of this kind. Jan Andersen of VHT-DK is working on it or has already finished.
