------------------------
Amiga Virus Encyclopedia
Antonio Link Virus
------------------------
- PolPow-antonio-Vir. Linkvirus
Reason for the name:
The coding routine (except for the unusual instruction)
and the link routine were 'borrowed'.
The link part of the file reads:
646f732e 6c696272 61727900 dos.library.
74696d65 722e6465 76696365 006d6169 timer.device.mai
6c2e686f 746d6169 6c2e636f 6d004652 l.hotmail.com.FR
4f4d3a3c 6d654079 61686f6f 2e636f6d OM:.To:.
0d0a2e0d 0a006273 64736f63 6b65742e ......bsdsocket.
6c696272 61727900 6d69616d 692e6c69 library.miami.li
62726172 79006d69 3000 brary.mi0.
timer.device is never called at this point.
Also note that sections are easily taken over.
File lengthened by: 5900-7858 Bytes
Because of a small inconsistency, a file may be
linked twice!
Does not survive resets.
At least KS ~36
Vectors changed: None
Method of staying in memory:
NO code available (different to PolishPower)
Two negative jobs are executed:
1st job:
bsdsocket.library and miami.library are looked up, and branch
instructions (no lib description available) are processed for
the hotmail accounts (see above).
2nd job:
The task list is searched for processes.
The appropriate files are contaminated and the task list
modified to indicate the processes. The files cannot always
be found (e.g. WB processes)
Link process:
- A file with only one hunk is made. At the start is the
decoding routine: this modifies the length - a different
coding instruction is always used. Next are the actual
virus and the original file.
This original file cannot easily be extracted since the
starting variables (depth and coding type) are encoded.
Depending on $DFF006, the link can change itself. Since
the files are not marked, further links are possible
after a reset. I stopped after 20 during testing.
- Conditions:
- Medium valid
- At least ~100 blocks free
- File bigger than ~2000 bytes
- File smaller than ~1 million bytes !!!!!
- File executable (3F3)
3rd job:
The original file is executed. The virus does not try to
place itself in memory and so it is pointless searching the
memory for it. A new attempt to infect files is only started
when a file which has already been infected is executed.
VT constantly searches the task list for the virus. If the
requester "PolPow-antonio-Vir. war im Speicher" appears, you
should be extra careful. Note that PolPow-Antonio and
PolishPower appear the same on the task list!
Note (Dec 98): Since the unusual instruction was removed
from the coding routine, the recognition became more
difficult. At times, only error recognitions could be used.
Please give us an example file if you suspect you are
infected. VT finds the section ONLY!!!! with file test.
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
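Added example (not part of the original entry, and not how VT or VirusZ detect the virus): a triage helper that parses the 3F3 hunk header and flags files whose layout matches the description above, one hunk and a length of at least host minimum plus minimum growth. The function names and the threshold built from the entry's ~2000 and 5900 byte figures are assumptions; many clean programs also have a single hunk, so a hit only selects a file for the file test.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
SIZE_MASK = 0x3FFFFFFF            # top two bits of a size entry are memory flags
MIN_LINKED_LEN = 2000 + 5900      # assumption from the entry: host > ~2000, grows >= 5900

def parse_hunk_header(data):
    """Return the size in bytes of each hunk announced by the HUNK_HEADER."""
    def long_at(off):
        if off < 0 or off + 4 > len(data):
            raise ValueError("truncated or malformed hunk header")
        return struct.unpack_from(">I", data, off)[0]

    if long_at(0) != HUNK_HEADER:
        raise ValueError("no 3F3 magic: not an AmigaDOS executable")
    off = 4
    while (n := long_at(off)) != 0:   # resident library names, a 0 longword ends the list
        off += 4 + 4 * n
    # off is at the terminator; then come table size, first hunk, last hunk
    first, last = long_at(off + 8), long_at(off + 12)
    if last < first:
        raise ValueError("inconsistent first/last hunk numbers")
    off += 16
    sizes = []
    for _ in range(last - first + 1):
        raw = long_at(off)
        off += 8 if raw >> 30 == 3 else 4   # both flags set: extra longword follows
        sizes.append((raw & SIZE_MASK) * 4)
    return sizes

def needs_file_test(data):
    """True if the file has the single-hunk layout and minimum length described."""
    return len(parse_hunk_header(data)) == 1 and len(data) >= MIN_LINKED_LEN

def build_sample(hunk_longs):
    """Constructed test input: header plus zero-filled code hunks, no virus code."""
    count = len(hunk_longs)
    out = struct.pack(">5I", HUNK_HEADER, 0, count, 0, count - 1)
    out += struct.pack(f">{count}I", *hunk_longs)
    for n in hunk_longs:
        out += struct.pack(">2I", HUNK_CODE, n) + bytes(4 * n) + struct.pack(">I", HUNK_END)
    return out

if __name__ == "__main__":
    for name, sample in [("one large hunk", build_sample([3000])),
                         ("two hunks", build_sample([3000, 200])),
                         ("one small hunk", build_sample([100]))]:
        print(name, parse_hunk_header(sample), needs_file_test(sample))
```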
--------------------------------------------------------------
Translated to English by Antonio Remedios © 2001 VHT-Denmark
Org. Test by Heiner Schneegold.
--------------------------------------------------------------