Entry...............: Bobek2!
Alias(es)...........: -
Virus Strain........: Bobek
Virus detected when.: -
              where.: internet
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         1036 Bytes
                      2. Length in RAM:                 65535*2 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:
                      - compares the length declared in the hunk header
                        with the real length of the hunk (this also
                        prevents infection of some crunched files,
                        whose two lengths differ as well)

                      Self-identification method in memory:
                      - checks the libOpen vector of exec.library.
                        Only when TWO parts of the virus have installed
                        on this vector is the FULL VIRUS activated.
                        It then patches ExNext, but only if ExNext
                        still points into ROM ($Fxxxxx).

                      System infection:
                      - the first infected file allocates memory for
                        the virus code and puts this address into the
                        libOpen vector of exec.library.

                      - further copies of the virus install on this
                        vector until the virus block is complete.
                        Only then is it activated.

                      - the full virus patches ExNext of dos.library.
                        The paths to infect are built with
                        NameFromLock and the FIB returned by ExNext.
                        In some cases this gives wrong paths, so some
                        directories are not touched by the virus.
                      - creates an invisible 'interrupt' to keep
                        the ExNext patch intact.
                        This makes it very difficult to remove.

                      Infection preconditions:

                      - File is between 200 and 30000 bytes
                      - Hunk Code is found
                      - File is not infected already
                      - device is validated

Infection Trigger...: Scanning directories (with: filemanagers,
                      filerequesters, Workbench etc.).

Storage media affected:
                      all DOS-devices

Interrupts hooked...: timer.device is used to protect the patch
                      in memory. Its interrupt cannot be switched off,
                      because the system uses it for many other things.

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: First 'binary' virus for Amiga computers.
                      Spreading the virus as two parts makes the
                      data added to each file much shorter and
                      prevents reverse engineering from the
                      disassembly of a single file:
                      every infected file contains only half of the
                      virus code (the odd or the even words of the
                      virus block).

                      The linker is done with one Open/Close,
                      so it is quite fast.
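As an added example (not code from the virus or its author), the following Python models the two-part spreading scheme described above: the block is split into its even-indexed and odd-indexed 16-bit words, each carrier file holds one parity, and a slot standing in for the libOpen vector links the halves in memory and activates only once both parities are present. The eight-byte block is a constructed stand-in for the real virus block, and the slot is a plain dictionary rather than a real exec.library vector.

```python
def split_halves(block):
    """Split a word-granular block into its even-indexed and odd-indexed 16-bit words;
    each infected file carries exactly one of the two results."""
    if len(block) % 4:
        raise ValueError("block must be a whole number of word pairs")
    words = [block[i:i + 2] for i in range(0, len(block), 2)]
    return b"".join(words[0::2]), b"".join(words[1::2])


def merge_halves(even, odd):
    """Re-interleave the halves; the order in which they arrived does not matter."""
    if len(even) != len(odd):
        raise ValueError("halves differ in length")
    return b"".join(even[i:i + 2] + odd[i:i + 2] for i in range(0, len(even), 2))


def install(slot, parity, half):
    """Model of the libOpen-vector slot (a dict here, constructed for this example).
    The first carrier creates the slot, every carrier deposits the parity it holds,
    and the full block exists only after both parities have arrived.
    Returns True on the call that activates the full virus."""
    if slot.get("active"):
        return False                      # already linked; later carriers add nothing
    slot.setdefault(parity, half)         # a repeated parity changes nothing
    if "even" in slot and "odd" in slot:
        slot["block"] = merge_halves(slot["even"], slot["odd"])
        slot["active"] = True
        return True
    return False


# constructed stand-in for the virus block: NOP ; RTS ; MOVEQ #0,D0 ; RTS (68k words)
BLOCK = b"\x4E\x71\x4E\x75\x70\x00\x4E\x75"
EVEN, ODD = split_halves(BLOCK)


def link_in_order(order):
    """Simulate carriers arriving in the given parity order; return
    (index of the activating carrier, linked block) or (None, None)."""
    slot = {}
    for i, parity in enumerate(order):
        if install(slot, parity, EVEN if parity == "even" else ODD):
            return i, slot["block"]
    return None, None
```

Disassembling EVEN or ODD on its own yields a word stream with every other word missing, which is why the description says the virus cannot be analysed from a single file; link_in_order shows that activation needs both parities in either order, and that further carriers of a parity already present change nothing.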

                      Memory is allocated only once, at start,
                      because the accepted range of file sizes is small.

                      In an infected file the first longword of the
                      first code hunk is always replaced with a BSR.W
                      to the entry point of the decoder.
                      There is a test for $4E in the first byte of
                      that longword, which catches the 4EF9 (JMP) and
                      4EB9 (JSR) absolute long jumps.

                      The virus block is decrypted by a 128 byte long
                      metamorphic decryptor (the decoder is made of
                      random jumps between decoder instructions).
                      This is a new technique for Amiga. Detection
                      is possible only algorithmically, but at this
                      level of complication it seems easy enough.
                      The virus stores the original first LONGWORD of
                      the code hunk inside the encrypted block, so
                      disinfection requires decoding it.
                      This is probably the first Amiga virus with
                      random entry points into the decoder (anywhere
                      in the decoder area). The generator is one of
                      the smallest engines with such power for Amiga.

                      timer.device is used to create an invisible
                      'interrupt'. This interrupt takes care of the
                      ExNext patch: not only is the patch address
                      restored when something removes it, but the
                      patch memory itself is restored if something
                      tries to overwrite the patch with NOPs, RTSes etc.
                      The interrupt holds a backup of the whole code,
                      but only the main patch part is protected.
                      This means the spreading code is untouchable.

Similarities........: Link method: the first hunk is enlarged.
                      The main viral code is almost identical to the
                      BOBEK linkvirus.
                      The use of timer.device is somewhat comparable
                      to PolishPower.

Stealth.............: The virus calls Open directly in ROM,
                      so all doscall watchers are bypassed.
                      The routine that rips this address from ROM
                      is tricky, but at the moment it does work.
                      The virus writes the new (infected) length into
                      the FIB returned by the patched ExNext,
                      so ExNext always returns the real size of the file.
                      The virus checks whether the file size is
                      divisible by 4 (executables always are), so
                      most data files are not even opened.
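The following is an added example, not the virus author's code and not part of the original description: a minimal Python parser for the Amiga hunk executable format that applies the file-level checks this page lists in one place, namely the infection preconditions (size between 200 and 30000 bytes, a code hunk present, declared versus real hunk length), the $4E test on the first longword and the BSR.W entry an infected file carries, and the divisible-by-4 check from the Stealth section. The three sample executables are constructed inline; in particular, which of the two length fields the virus leaves stale after infection is an assumption of the sample, since the description only says the two differ.

```python
import struct

HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END, HUNK_HEADER = 0x3EC, 0x3F2, 0x3F3
SIZE_MASK = 0x3FFFFFFF   # top two bits of a size longword are memory flags (chip/fast)
TYPE_MASK = 0x1FFFFFFF   # top three bits of a block-type longword are flags as well


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated hunk file at offset %d" % off)
    return struct.unpack_from(">I", buf, off)[0]


def parse_header(buf):
    """Return (hunk sizes in longwords declared in HUNK_HEADER, offset of first block)."""
    if _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER")
    off = 4
    while _u32(buf, off) != 0:            # resident library name list, 0-terminated
        off += 4 + _u32(buf, off) * 4
    first, last = _u32(buf, off + 8), _u32(buf, off + 12)   # skip terminator, table size
    off += 16
    sizes = []
    for _ in range(last - first + 1):
        v = _u32(buf, off); off += 4
        if v >> 30 == 3:                  # both flag bits set: extra attribute longword
            off += 4
        sizes.append(v & SIZE_MASK)
    return sizes, off


def first_code_hunk(buf, off):
    """Walk blocks from off; return (hunk index, size in longwords, data offset) of the
    first HUNK_CODE, or None. Symbol/debug blocks before it are rare and not handled."""
    idx = 0
    while off + 4 <= len(buf):
        htype = _u32(buf, off) & TYPE_MASK; off += 4
        if htype in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = _u32(buf, off) & SIZE_MASK; off += 4
            if htype == HUNK_CODE:
                return idx, n, off
            if htype == HUNK_DATA:        # BSS carries only its size, no bytes
                off += n * 4
        elif htype == HUNK_RELOC32:
            while _u32(buf, off) != 0:    # (count, hunk number, offsets...) groups
                off += 8 + _u32(buf, off) * 4
            off += 4
        elif htype == HUNK_END:
            idx += 1
        else:
            raise ValueError("unsupported hunk type 0x%X" % htype)
    return None


def scan(buf):
    """Apply the description's checks; 'candidate' means the virus would infect the file:
    all preconditions hold and it is not already linked (no length mismatch)."""
    r = {"size": len(buf), "size_in_range": 200 <= len(buf) <= 30000,
         "longword_aligned": len(buf) % 4 == 0, "has_code_hunk": False,
         "header_size_mismatch": False, "entry_is_4e": False,
         "entry_is_bsr_w": False, "candidate": False}
    try:
        sizes, off = parse_header(buf)
        found = first_code_hunk(buf, off)
    except ValueError:
        return r                          # not a hunk file or truncated: never infected
    if found is None:
        return r
    idx, n, data = found
    first = buf[data:data + 4]
    r["has_code_hunk"] = True
    r["header_size_mismatch"] = idx >= len(sizes) or sizes[idx] != n
    r["entry_is_4e"] = first[:1] == b"\x4E"          # 4EF9 JMP abs.l, 4EB9 JSR abs.l ...
    r["entry_is_bsr_w"] = first[:2] == b"\x61\x00"   # BSR.W opcode + 16-bit displacement
    r["candidate"] = (r["size_in_range"] and r["longword_aligned"]
                      and not r["header_size_mismatch"] and not r["entry_is_4e"])
    return r


def build_sample(code, header_longwords=None):
    """Constructed test input: one code hunk (HUNK_HEADER, HUNK_CODE, HUNK_END)."""
    n = len(code) // 4
    hdr = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0,
                      n if header_longwords is None else header_longwords)
    return hdr + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)


# sample 1 (constructed): clean program, MOVEQ #0,D0 ; RTS, padded with NOPs to 200 bytes
CLEAN = build_sample(b"\x70\x00\x4E\x75" + b"\x4E\x71" * 98)
# sample 2 (constructed): the same file after a Bobek2!-style link: first longword
# replaced by BSR.W to an appended stub (8 NOPs stand in for the 128-byte decoder), the
# code hunk grown, HUNK_HEADER entry left stale (assumed direction of the mismatch)
_STUB = b"\x4E\x71" * 4
_DISP = 200 - 2                                   # BSR.W displacement is relative to PC+2
LINKED = build_sample(b"\x61\x00" + struct.pack(">H", _DISP) + b"\x4E\x71" * 98 + _STUB,
                      header_longwords=50)
# sample 3 (constructed): program starting with JMP abs.l; the $4E test skips it
JMP_FIRST = build_sample(b"\x4E\xF9\x00\x00\x10\x00" + b"\x4E\x71" * 97)
```

Run scan() over any hunk file read in binary mode: a clean executable in the accepted size range comes back as a candidate, a file whose first code hunk already starts with BSR.W and whose header entry disagrees with the HUNK_CODE size is flagged as already linked, and a JMP/JSR-first file is skipped by the $4E test exactly as the virus skips it. Note that a length mismatch alone is not proof of infection, since some crunched files show the same mismatch.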

Armouring...........: Nothing special, except that the virus cannot
                      be analysed from a single file (each file
                      carries only half of the code).

Comments............: NOTE!
                      There is no code to restore the file date
                      after infection, so infected files carry
                      a new datestamp.

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  6.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 6.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

===================== End of [BOBEK2!] =================================
