Expl0de Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM

------------------------
Amiga Virus Encyclopedia
Expl0de Virus
------------------------

---------------------------------------------------------------------------
Entry...............: Expl0de Virus
Alias(es)...........: Port 9876
Virus Strain........: none
Virus detected when.: 1.2001
              where.: New Zealand
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:      ca 730 Bytes
                      2. Length in RAM:                   2048 Bytes

--------------------- Preconditions ---------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ------------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none (the virus infects only C:mount)

                      Self-identification method in memory:

                      - checks for $60ea at LoadSeg patch offset -2

                      System infection:
                      - infects the following function:
                        Dos LoadSeg()


                      Infection preconditions:

                      - Hunk Code is found
                      - File is not infected already (double
                        infections are impossible)
                      - device is validated
                      - device contains free blocks


Infection Trigger...: Direct accessing C:mount

Storage media affected:
                      C:

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: (Installer is currently unknown.)
                      The installer infects only one file, C:mount;
                      the code of the Vaginitis/Fungus virus is used
                      here only to add a shell listener on TCP: to
                      the system.
                      The virus executes:
                      run >nil: newshell TCP:9876

Similarities........: Link method: the first hunk is enlarged.
                      The last RTS is overwritten with a NOP.
                      The whole code is 95% identical to the
                      Fungus/Vaginitis viruses.

Stealth.............: Only one file is infected.
                      One of the additional files is a file called
                      c:f, a small, crudely coded patcher for
                      dos/Write that prevents writing files
                      containing the string '.987'. This is meant
                      to hide the existence of the secret shell on
                      TCP:, but it may also damage other files
                      containing this string.

Armouring...........: very simple EOR crypter with static key $1337


Comments............: The virus contains the string 'expl0de!'.
                      The virus probably appeared with other support
                      files, which will be analyzed if we obtain them.
                      The author of this virus is in love with
                      the longword $DEADF00D.
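Because the crypter uses one static key, the markers this entry names ('expl0de!', the newshell TCP:9876 command, the '.987' filter string, $DEADF00D) can be recovered by a plain static scan. The Python below is an added example, not part of the VHT entry or its tools; it assumes the EOR is applied to big-endian 16-bit words with $1337 (the entry does not state the word width) and scans a constructed sample, not a real infected C:mount.

```python
import struct

KEY = 0x1337  # static EOR key named in the entry

# Plaintext markers the entry documents; that they lie inside the
# EOR'd region is an assumption of this example.
MARKERS = {
    "expl0de!": b"expl0de!",
    "newshell TCP:9876": b"newshell TCP:9876",
    ".987": b".987",
    "$DEADF00D": struct.pack(">I", 0xDEADF00D),
}

def eor_words(data: bytes, key: int = KEY, offset: int = 0) -> bytes:
    """EOR each big-endian 16-bit word with `key`, starting at `offset`.
    Bytes before `offset` and a trailing odd byte stay unchanged. A
    static-key EOR is its own inverse, so this both hides and reveals."""
    out = bytearray(data)
    for i in range(offset, len(out) - 1, 2):
        w = ((out[i] << 8) | out[i + 1]) ^ key
        out[i], out[i + 1] = w >> 8, w & 0xFF
    return bytes(out)

def scan(data: bytes) -> list:
    """Return (marker, layer, offset) for each marker visible as stored
    ('plain') or after undoing the EOR at either word alignment."""
    layers = {
        "plain": data,
        "eor-even": eor_words(data, offset=0),
        "eor-odd": eor_words(data, offset=1),
    }
    hits = []
    for layer, view in layers.items():
        for name, pattern in MARKERS.items():
            pos = view.find(pattern)
            while pos != -1:
                hits.append((name, layer, pos))
                pos = view.find(pattern, pos + 1)
    return hits

# Constructed sample, not a real infected C:mount: a HUNK_HEADER magic
# left in clear, followed by a body EOR'd with the static key.
BODY = (struct.pack(">I", 0xDEADF00D) + b"expl0de!\0"
        + b"run >nil: newshell TCP:9876\0\0")
SAMPLE = b"\x00\x00\x03\xf3" + eor_words(BODY)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Scanning both word alignments matters because the encrypted region need not start on the same alignment as the file; a marker straddling the wrong alignment is missed otherwise.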

--------------------- Agents ----------------------------------------------

Countermeasures.....: -
Standard means......: -

--------------------- Acknowledgement -------------------------------------

Location............: Pawlowice, Poland  25.1.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 25.1.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

===================== End of Expl0de virus ================================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III; Xvs.library must also be installed
Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk