Entry...............: Motaba-3
Alias(es)...........: none
Virus Strain........: none
Virus detected when.: 6.2000
              where.: Poland
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:   approx. 880 bytes
                         (the added code varies slightly in length,
                         a very primitive length polymorphism; see
                         Armouring)
                      2. Length in RAM:              4096 bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none (double infections are impossible)

                      Self-identification method in memory:

                      - none (double patching is impossible)

                      System infection:
                      - patches the following function vector:
                        dos.library LoadSeg()


                      Infection preconditions:

                      - file is between 2048 and 100*1024 bytes
                      - a HUNK_CODE hunk is found
                      - file is not infected already
                      - device is validated
                      - device contains free blocks

Infection Trigger...: Accessing files via LoadSeg().
                      Files containing ".l", "-", "V" or "v" are
                      not infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: [See Stealth]
                      
Similarities........: Link method: first-hunk increasing (the virus
                      body is appended to the first hunk). The virus
                      replaces all jsr -552(a6) instructions (-552 is
                      the exec.library OpenLibrary offset) and one
                      further jsr -xx(a6), whose offset is kept
                      hidden inside the virus.
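The file-level infection preconditions listed above, the file-name filter and the jsr -552(a6) call sites mentioned under Similarities can all be checked offline from the hunk executable. The following Python is an added example written for this page; it is not the virus' code nor the author's disassembly. It parses the documented AmigaDOS hunk format (HUNK_HEADER/CODE/DATA/BSS/RELOC32/END), applies the size and HUNK_CODE checks, applies the skip filter (assumed here to apply to the file name passed to LoadSeg) and counts word-aligned OpenLibrary calls in code hunks. The sample executable is constructed inline; the "device validated" and "free blocks" conditions are filesystem state and are not modelled.

```python
#!/usr/bin/env python3
"""Check an AmigaDOS hunk executable against the Motaba-3 file preconditions.
Added example for this description, not code from the virus or its author."""
import struct

# Hunk block identifiers from the AmigaDOS executable format (documented values).
HUNK_HEADER  = 0x3F3
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2

MIN_SIZE = 2048
MAX_SIZE = 100 * 1024
SKIP_SUBSTRINGS = (".l", "-", "V", "v")   # assumed to be matched against the file name
JSR_OPENLIBRARY = b"\x4e\xae\xfd\xd8"      # jsr -552(a6): exec.library OpenLibrary


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunks(buf):
    """Return [(hunk kind, payload bytes)] in file order; ValueError if malformed."""
    if len(buf) < 8 or _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:                                   # resident library names, 0-terminated
        n = _u32(buf, off); off += 4
        if n == 0:
            break
        off += n * 4
    table_size, first, last = struct.unpack_from(">III", buf, off); off += 12
    off += (last - first + 1) * 4                 # hunk size table (memory flags in top bits)
    hunks = []
    while off + 4 <= len(buf):
        kind = _u32(buf, off) & 0x3FFFFFFF; off += 4   # strip memory-type flag bits
        if kind in (HUNK_CODE, HUNK_DATA):
            n = _u32(buf, off); off += 4
            hunks.append((kind, buf[off:off + n * 4])); off += n * 4
        elif kind == HUNK_BSS:
            off += 4                              # size in longwords, no payload
            hunks.append((kind, b""))
        elif kind == HUNK_RELOC32:
            while True:                           # (count, hunk number, offsets...) until count 0
                count = _u32(buf, off); off += 4
                if count == 0:
                    break
                off += 4 + count * 4
        elif kind == HUNK_END:
            continue
        else:
            raise ValueError(f"unsupported hunk type 0x{kind:X}")
    return hunks


def count_openlibrary_calls(buf):
    """Count word-aligned 'jsr -552(a6)' instructions in CODE hunks: the call
    sites the description says the virus replaces."""
    total = 0
    for kind, payload in parse_hunks(buf):
        if kind == HUNK_CODE:
            total += sum(1 for i in range(0, len(payload) - 3, 2)
                         if payload[i:i + 4] == JSR_OPENLIBRARY)
    return total


def meets_preconditions(name, buf):
    """Apply the file-related checks. Returns (is_candidate, reason)."""
    if any(s in name for s in SKIP_SUBSTRINGS):
        return False, "name matches skip filter"
    if not MIN_SIZE <= len(buf) <= MAX_SIZE:
        return False, f"size {len(buf)} outside {MIN_SIZE}..{MAX_SIZE}"
    try:
        kinds = [k for k, _ in parse_hunks(buf)]
    except ValueError as e:
        return False, str(e)
    if HUNK_CODE not in kinds:
        return False, "no HUNK_CODE hunk"
    return True, "candidate target"


def build_sample(hunks):
    """Construct a minimal hunk executable from (kind, payload) pairs; payload is
    bytes for CODE/DATA or a longword count for BSS. Sample input only."""
    sizes = [(p if k == HUNK_BSS else (len(p) + 3) // 4) for k, p in hunks]
    out = struct.pack(">II", HUNK_HEADER, 0)                   # no resident library names
    out += struct.pack(">III", len(hunks), 0, len(hunks) - 1)  # table size, first, last hunk
    out += b"".join(struct.pack(">I", n) for n in sizes)
    for (kind, p), n in zip(hunks, sizes):
        out += struct.pack(">II", kind, n)
        if kind != HUNK_BSS:
            out += p.ljust(n * 4, b"\x00")
        out += struct.pack(">I", HUNK_END)
    return out


# Constructed sample code: ExecBase load, two OpenLibrary calls, RTS padding.
SAMPLE_CODE = (b"\x2c\x78\x00\x04" + JSR_OPENLIBRARY       # move.l 4.w,a6 ; jsr -552(a6)
               + b"\x4e\x75" * 1100                         # rts padding past 2048 bytes
               + JSR_OPENLIBRARY + b"\x4e\x75")
SAMPLE = build_sample([(HUNK_CODE, SAMPLE_CODE)])

if __name__ == "__main__":
    for name in ("dir", "VirusZ", "c.library"):
        print(name, meets_preconditions(name, SAMPLE))
    print("OpenLibrary call sites:", count_openlibrary_calls(SAMPLE))
```

A file that passes meets_preconditions() and has at least one OpenLibrary call site is what the virus is looking for; a scanner would run the same checks over a volume to list files worth inspecting for a grown first hunk.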

Stealth.............: The virus only patches LoadSeg if the vector
                      still points into ROM ($Fxxxxx); likewise the
                      Open vector must point to $Fxxxxx for an
                      infection to be performed, so an existing
                      patch on either vector blocks the virus.
                      The patched LoadSeg contains a special string
                      meant to make VirusZ believe the patch was
                      installed by crm.library.
                      This could mean that this virus is quite old...

Armouring...........: very simple EOR (XOR) crypter; the length of
                      the added code varies within a small range,
                      and the tail of the virus is more or less
                      garbage.

Comments............: The virus contains the string:

                      '[Ask for more: motaba@xxxxxx.pl]'

                      This e-mail address is a fake/joke and belongs
                      to an innocent person, so I have put xxxxxx.
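The "very simple EOR crypter" under Armouring and the clear-text string quoted above go together for an analyst: a short repeating XOR key falls to known plaintext. The following Python is an added example for this page, not code from the virus or its author. It assumes the quoted string lies inside the encrypted region and that the key repeats with a period of at most four bytes; both are assumptions, since the description gives neither the key width nor the layout. The encrypted sample is constructed inline with a made-up key and is not virus data.

```python
#!/usr/bin/env python3
"""Recover a repeating-XOR ('eor') key by known plaintext.
Added example for this description; key width and string placement are assumptions."""

KNOWN = b"[Ask for more: motaba@"      # prefix of the string quoted in the description


def xor_bytes(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(cipher, known=KNOWN, max_key_len=4):
    """Slide the known plaintext across the cipher text. At the true offset the
    byte-wise XOR of cipher and plaintext is the key stream, which for a short
    repeating key is periodic; accept the first fragment with period <= max_key_len.
    Returns (offset, key rotated so key[0] applies to cipher[0]) or None."""
    for off in range(len(cipher) - len(known) + 1):
        frag = bytes(c ^ p for c, p in zip(cipher[off:off + len(known)], known))
        for klen in range(1, max_key_len + 1):
            if all(frag[i] == frag[i % klen] for i in range(len(frag))):
                key = bytes(frag[(j - off) % klen] for j in range(klen))
                return off, key
    return None


def analyse(cipher):
    """Return (offset of known string, key, decrypted buffer) or None."""
    hit = recover_xor_key(cipher)
    if hit is None:
        return None
    off, key = hit
    return off, key, xor_bytes(cipher, key)


# Constructed sample (not virus bytes): a few instruction bytes, the quoted
# string and some filler, encrypted with a made-up 2-byte key.
PLAIN = (b"\x4e\xae\xfd\xd8"                       # jsr -552(a6)
         + b"\x2c\x78\x00\x04"                     # move.l 4.w,a6
         + b"[Ask for more: motaba@xxxxxx.pl]\x00"
         + bytes(range(16)))
SAMPLE_KEY = b"\x5a\xa3"
CIPHER = xor_bytes(PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    result = analyse(CIPHER)
    if result is None:
        print("known plaintext not found under a short repeating key")
    else:
        off, key, clear = result
        print(f"string at offset {off}, key {key.hex()}")
        print(clear)
```

The period test is what keeps the search honest: at a wrong offset the XOR of cipher text and known string is just noise, and noise over 22 bytes does not repeat with a period of one to four. If the crypter turns out to use a longer key or a rolling one, raise max_key_len or replace the period test; the sliding known-plaintext step stays the same.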

--------------------- Agents -------------------------------------------

Countermeasures.....: -
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  22.6.2000
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 22.6.2000
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

===================== End of Motaba-3 ==================================
