212 bytes linkvirus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------    
Amiga Virus Encyclopedia
212 bytes linkvirus
------------------------

---------------------------------------------------------------------------
Entry...............: 212-bytes
Alias(es)...........: NoName (212 bytes)
Virus Strain........: xxxxxxxxShort
Virus detected when.: 6.2001
              where.: Internet
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         212 Bytes
                      2. Length in RAM:                      0 Bytes
                               (uses system stack to hide its code)

--------------------- Preconditions --------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: V36+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes -----------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - first byte of first code hunk is $61.B

                      Self-identification method in memory:

                      - checks for "do".W at sysStackLower offset 0

                      System infection:
                      - infects the following function:
                         Dos Write()

                      Infection preconditions:

                      - Hunk Code is found
                      - File is not infected already
                      - File is smaller than $7c0*4

Infection Trigger...: Copying executable files

Storage media affected:
                      all dos devices (including RAM:)

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - generation of bad files is possible
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infection code is too simple

Particularities.....: Smallest linkvirus for Amiga!
                      This is a heavily optimized xxxxxxxxShort,
                      which was the smallest one until now.
                      
Similarities........: Code is equal to xxxxxxxxShort.
                      The first longword of the first code hunk is
                      replaced with a jump to the virus code.

Stealth.............: -

Armouring...........: -

Comments............: The main goal of this virus is its size.
                      There are some 'bugs' that may result in bad
                      files being written (lack of clever test routines).
                      The virus wasn't tested with bigger caches!

--------------------- Agents ---------------------------------------------

Countermeasures.....: -
above Standard means......: -

--------------------- Acknowledgement ------------------------------------

Location............: Pawlowice, Poland  6.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 6.2001
Information Source..: Analysis of virus and source code
Copyright...........: This documentation is public domain

===================== End of 212 bytes virus ==============================

Antivirus removal...: VirusZ III with Xvs.library installed





Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk