Elbereth 1 Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




------------------------
Amiga Virus Encyclopedia
Elbereth 1 Virus
------------------------


------------------------------------------------------------------------ 
Entry...............: Elbereth1
Alias(es)...........: -
Virus Strain........: Elbereth
Virus detected when.: 1996
              where.: Poland
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:          936 Bytes
                      (uses polymorphic engine)
                      2. Length in RAM:                    2048 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.0+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - $4eba or $6100 as the first word of first code hunk

                      Self-identification method in memory:

                      - checks for $2f01 as the first word of LoadSeg

                      System infection:

                      - patches LoadSeg and Open

                      File infection:

                      Length of the first code hunk will be increased.
                      First longword is replaced with jump to virus code.

                      Infection preconditions:

                      - Hunk Code is found and is smaller than $1ffff*4
                      - The first word isn't $4ef9 or $4eb9
                      - File is not infected already
                      - device is validated
                      - device contains free blocks

Infection Trigger...: Starting programs.
                      Files containing "V" or "v" will not be infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - an alert will be shown and then a reboot will be
                        performed
                      - data files will be mixed with 'swap d1' loop
                        (repairable at all)
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - after 20.00 o'clock
                      - value in $dff007 is smaller than $32
                      Transient damage:
                      - none

Particularities.....: none

Similarities........: Link-method is first hunk increasing.

Stealth.............: none

Armouring...........: Classic crypter.

Comments............: The virus contains the string:
                      '»» Elbereth! ««     © 1996 Poland'
                      This is also the alert text.

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  28.2.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 28.2.2001
Information Source..: virus
Copyright...........: This documentation is public domain

===================== End of Elbereth1 =================================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III, and also Xvs.library must be installed
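
Added triage example (not part of the original entry and not code from any of the antivirus tools named above): a minimal AmigaDOS load-file parser that reports whether the first word of the first code hunk is $4eba or $6100, the in-file self-identification marker listed under "Type of infection". Many clean programs also begin with these opcodes (JSR d16(PC) and BSR.W), so a match only means the file deserves a scan with a real scanner. The function names and the sample file are constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_NAME, HUNK_CODE, HUNK_DEBUG = 0x3F3, 0x3E8, 0x3E9, 0x3F1
MARKERS = {0x4EBA, 0x6100}  # self-identification words listed in this entry

def first_code_word(data):
    """Return the first 16-bit word of the first HUNK_CODE, or None."""
    pos = 0
    def read(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(data):
            raise ValueError("truncated hunk file")
        (val,) = struct.unpack_from(fmt, data, pos)
        pos += size
        return val
    if read(">I") != HUNK_HEADER:
        return None                       # not an AmigaDOS load file
    while (n := read(">I")) != 0:         # resident library names, normally none
        pos += 4 * n
    read(">I")                            # hunk table size
    first, last = read(">I"), read(">I")
    for _ in range(last - first + 1):     # per-hunk size table
        if read(">I") >> 30 == 3:         # both memory flags set: extra longword
            read(">I")
    while True:
        kind = read(">I") & 0x3FFFFFFF    # strip memory-attribute bits
        size = read(">I") & 0x3FFFFFFF    # hunk length in longwords
        if kind == HUNK_CODE:
            return read(">H") if size else None
        if kind not in (HUNK_NAME, HUNK_DEBUG):
            return None                   # unexpected hunk before any code
        pos += 4 * size                   # skip name/debug payload

def has_marker(data):
    """True if the file carries the marker this entry describes."""
    try:
        return first_code_word(data) in MARKERS
    except ValueError:
        return False

def sample(first_word):
    """Constructed one-hunk load file whose code starts with first_word."""
    code = struct.pack(">HHI", first_word, 0x0004, 0x70004E75)
    return struct.pack(">7I", HUNK_HEADER, 0, 1, 0, 0, 2, HUNK_CODE) \
        + struct.pack(">I", 2) + code + struct.pack(">I", 0x3F2)

if __name__ == "__main__":
    for w in (0x4EBA, 0x6100, 0x4EF9, 0x7000):
        print(hex(w), has_marker(sample(w)))
```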
         




Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk