--------------------------
Amiga Virus Encyclopedia
HappyNewYear 96 & 97 Virus
--------------------------
-------------------------------------------------------------------------
Entry...............: H.N.Y.96. / H.N.Y 97
Alias(es)...........: Happy_New_Year_96, Happy_New_Year_97
Known clones........: Aram Doll
Virus detected when.: 11/1995
where.: Austria, Germany, Holland, Poland and USA
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 540 Bytes
2. Length in RAM: 540 Bytes
Happy New Year 97 hooks FilePart() instead of
LoadSeg() for infection and has a static length of
628 bytes. All other code is identical.
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: Text at the end of the first hunk: "Happy_New_Year_96"
Type of infection...: Self-identification method in files:
- Searches for the longword $65772059 (ASCII "ew Y") in the first hunk.
Self-identification method in memory:
- Checks for the word $2f08 (MOVE.L A0,-(SP)) in the LoadSeg() function
System infection:
- RAM resident, infects the LoadSeg() code of
DOS library
Infection preconditions:
- the device has more than 4 free sectors
- the file is longer than $960 bytes and shorter than
$1e460 bytes
- HUNK_CODE is found in the area behind the HUNK_HEADER
(the scan has no bounds check!)
- the filename contains neither "-" nor ".l"; this is
probably meant to avoid infecting a library
- $4e75 (RTS) is found at the end of the first CODE hunk,
or $4e75 occurs in the last $3f words of this hunk
Infection Trigger...: Accessing the volume
Storage media affected: all DOS-devices
Interrupts hooked...: LoadSeg() of the DOS library is patched to run the
infection code. The routine is slightly buggy and
trashes the A1 register.
Damage..............: Permanent damage:
- None
Transient damage:
- None
Damage Trigger......: Permanent damage:
- None
Transient damage:
- None
Particularities.....: This virus uses no encryption routines to hide its
code. The LoadSeg() patch isn't 100% clean and
trashes the address register A1.
Similarities........: The link method is comparable to the Crime
series: the end of the first hunk becomes the location
of the virus and the last "RTS" is replaced.
Stealth.............: no stealth abilities found
Armouring...........: The virus uses only a few unusual addressing-mode
tricks to confuse AV analysts.
Installers..........: DemoManiac 2.19 fake (dop-dm1.dms)
DeTag0.63 (detag063.lha)
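The file-side checks described under "Type of infection" and "Similarities" above, as an added example that is not the encyclopedia's or Markus Schmall's code: a scanner that looks for the marker longword $65772059 in the first hunk (the virus's own self-identification) and evaluates the infection preconditions (size window, filename exclusions, RTS within the last $3f words of the first CODE hunk). It assumes a minimal AmigaDOS hunk parser that handles only the common block types; the test executables are constructed inside the script and only mimic the marker, not the virus body.

```python
"""Added example, not the encyclopedia's or Markus Schmall's code: scan an
AmigaDOS hunk executable for the H.N.Y.96 marker and the infection
preconditions listed in this entry.  Test inputs are constructed below."""
import struct

# Hunk block types of the AmigaDOS executable format
HUNK_HEADER, HUNK_CODE, HUNK_DATA = 0x3F3, 0x3E9, 0x3EA
HUNK_BSS, HUNK_RELOC32, HUNK_END = 0x3EB, 0x3EC, 0x3F2

MARKER = 0x65772059                 # longword the virus searches for in the first hunk
RTS = 0x4E75                        # MC680x0 RTS opcode
MIN_LEN, MAX_LEN = 0x960, 0x1E460   # file size window from the entry
TAIL_WORDS = 0x3F                   # RTS must occur within the last $3f words


def parse_hunks(data):
    """Return [(type, payload)] for a simple executable.  Assumption: only
    CODE/DATA/BSS/RELOC32/END blocks occur; anything else raises."""
    off = 0

    def u32():
        nonlocal off
        (v,) = struct.unpack_from(">I", data, off)
        off += 4
        return v

    if u32() != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    while True:                       # resident library names, 0-terminated
        n = u32()
        if n == 0:
            break
        off += 4 * n
    u32()                             # table size
    first, last = u32(), u32()
    off += 4 * (last - first + 1)     # per-hunk size table
    hunks = []
    while off < len(data):
        htype = u32() & 0x1FFFFFFF    # strip memory-type/advisory flag bits
        if htype in (HUNK_CODE, HUNK_DATA):
            n = u32()
            hunks.append((htype, data[off:off + 4 * n]))
            off += 4 * n
        elif htype == HUNK_BSS:
            u32()
            hunks.append((htype, b""))
        elif htype == HUNK_RELOC32:
            while (cnt := u32()) != 0:
                off += 4 * (1 + cnt)  # target hunk number + cnt offsets
        elif htype != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X" % htype)
    return hunks


def is_marked(data):
    """Self-identification in files: MARKER longword present in the first hunk."""
    hunks = parse_hunks(data)
    return bool(hunks) and struct.pack(">I", MARKER) in hunks[0][1]


def infection_blockers(name, data):
    """Reasons the virus would skip this file (empty list = candidate).  The
    'more than 4 free sectors' test is a volume property and is not modelled."""
    reasons = []
    if not MIN_LEN < len(data) < MAX_LEN:
        reasons.append("size outside $960..$1e460")
    if "-" in name or ".l" in name:
        reasons.append("name contains '-' or '.l'")
    code = next((p for t, p in parse_hunks(data) if t == HUNK_CODE), None)
    if code is None:
        reasons.append("no HUNK_CODE")
    else:
        tail = code[-2 * TAIL_WORDS:]
        if RTS not in struct.unpack(">%dH" % (len(tail) // 2), tail):
            reasons.append("no RTS in last $3f words of first code hunk")
    return reasons


def build_exe(code):
    """Constructed single-hunk executable: header, one HUNK_CODE, HUNK_END."""
    n = len(code) // 4
    return (struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">2I", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END))


# Constructed samples: 1251 NOPs plus RTS (clean), the same with a fake tail
# carrying the marker longword (marker only, not the virus body), and a tiny file.
CLEAN = build_exe(b"\x4e\x71" * 1251 + struct.pack(">H", RTS))
MARKED = build_exe(b"\x4e\x71" * 1251 + struct.pack(">H", RTS)
                   + b"\x4e\x71" * 4 + struct.pack(">I", MARKER))
TINY = build_exe(struct.pack(">H", RTS) + b"\x4e\x71")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("marked", MARKED), ("tiny", TINY)):
        print(label, is_marked(blob), infection_blockers("dir", blob))
```

Run against a real volume, the interesting output is the set of files for which `infection_blockers` returns an empty list: those are the candidates the virus would link itself into, and `is_marked` on the same files tells you which ones it already has.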
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.79, VW 5.8
Countermeasures successful: all of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: (C) Markus Schmall, Hannover, Germany
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: November,24. 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall, the VTC Uni Hamburg is allowed to
use this document in their libraries. SHI is
forbidden to use this document in any form.
===================== End of H.N.Y.96. Virus ============================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher
Notes about the known clones:
Aram Doll is a normal link virus with a length of 560 bytes. It is not encrypted and
uses the LastAlert pointer of ExecBase for self-recognition in memory.
The LoadSeg() patch differs slightly.
HEX dump of HappyNewYear 96 virus:
HEX dump of HappyNewYear 97 virus: