------------------------
Amiga Virus Encyclopedia
Bastard Virus
------------------------
--------------------- Virus test ---------------------------------------
Entry...............: BASTARD (temporary name)
Alias(es)...........: -
Virus Strain........: Motaba(?)
Virus detected when.: 4.2001
              where.: internet
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 2100 Bytes
                         (uses polymorphic engine)
                      2. Length in RAM: 8192 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - checks first byte of first codehunk for $61
                        (part of jump to viruscode)
                      Self-identification method in memory:
                      - indirectly the virus is aware of itself:
                        * checks for $-1 in the tc_UserData
                          field of every process; this value
                          is stored by the exec TaskWait list scanner,
                          already checked processes are skipped
                        * the try to hack asl.library fails,
                          so memory is freed
                      System infection:
                      - tries to guess paths to run programs
                        via pr_HomeDir and task name.
                        This gives about 2-5 valid filepaths
                        (mainly in WBStartup) to infect.
                      - Tries to hack the in-memory code of AllocRequest
                        of asl.library with a patch that tries to
                        hack the VirusCheckerII process (gets it
                        via the seglist Open call of this killer and
                        patches it!). I don`t know
                        which version(s) the author of the virus had tested.
                      Infection preconditions:
                      - File is between 2000 and 32000 bytes
                      - Hunk Code is found
                      - File is not infected already
                      - device is validated
                      - device contains free blocks
Infection Trigger...: 1. Accessing files via checking them with VirusCheckerII.
                      2. Direct infection of some run programs
                         after run of an infected file.
                      Files containing an "l" or "L" or "-" or "V" or "v"
                      will not be infected.
                      Storage media affected:
                      all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - Crashes system.
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - File ENV:mui/spirit.1.prefs exists
                      Transient damage:
                      - none
Particularities.....: Polymorphic decrypt routine.
                      The decryptor is 256 bytes long and before
                      it there is always: movem.l d0-a6,-(sp)
                      This engine is (for me) a new one, but doesn`t
                      contain enough stuff to prevent "checksum"
                      detection of the infected files.
                      The truth is even better. We can decode the virus
                      using the technique found inside it
                      (the crypter and decrypter are the same!).
                      The polymorphic engine always contains
                      one loop, one eor, one move.l 4.w,a6,
                      two lea.l; the rest are random moveq and shifts
                      like lsl.l #2,d4 etc.
                      The decrypt algo may vary
                      if in the decrypt loop a random instruction
                      appears that changes the cryptkey register;
                      I didn't get any crashing example.
                      The virus replaces the first longword of the
                      first codehunk with a bsr.w to the virus code.
                      The original value is restored by the
                      decrypted virus code, and the stack is
                      manipulated to call the program first
                      and then call the main virus code.
                      Note that there is no detailed check for
                      this long, so every file without $61
                      at the beginning will be infected.
                      This means also that files with a reloc entry
                      for the first long will cause a guru after infection.
                      New ideas at all. The virus looks excellent
                      compared to Motaba-3, which is supposed to
                      be the base of this viral engine.
                      Direct hacking of things that are RAM-only
                      is a problematic subject and there is an incredibly
                      large amount of things that can be hacked
                      in future in the same way.
                      This is one of these bastards that,
                      if run from an icon, will not crash
                      with the well-known GURU 87000004. That's because
                      the virus code is executed AFTER the program.
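As an added example (not code from the original write-up, nor from the virus author), here are the self-identification and infection-precondition checks listed above, plus the first-longword bsr.w patch and the reloc-at-offset-0 crash case from Particularities, expressed as a defender-side scanner in Python. It parses the AmigaDOS hunk executable format, locates the first HUNK_CODE, and reports whether the file sits in the 2000..32000 byte window, whether its first byte is the $61 marker, whether a reloc entry targets offset 0, and a SHA-256 of the code hunk for the checksum-baseline detection the write-up says the polymorphism cannot defeat. The hunk type constants are the standard AmigaDOS values; the function names, the report keys and the sample executables are constructed for this example.

```python
# Added example, not code from the original write-up: a defender-side
# parser for Amiga hunk executables that applies the indicators this
# analysis names for BASTARD. Sample executables are constructed inline.
import hashlib
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3F0, 0x3F1, 0x3F2
BSR_OPCODE_BYTE = 0x61  # first byte of bsr.w / bsr.b on the MC68000


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]  # hunk files are big-endian


def parse_hunks(buf):
    """Return the hunks in load order: dicts with 'type', 'data', 'relocs'."""
    if len(buf) < 4 or _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:  # resident library names: (length in longwords, name)*, 0
        n, off = _u32(buf, off), off + 4
        if n == 0:
            break
        off += 4 * n
    first, last = _u32(buf, off + 4), _u32(buf, off + 8)
    off += 12
    for _ in range(last - first + 1):  # per-hunk sizes with memory flag bits
        size, off = _u32(buf, off), off + 4
        if size >> 30 == 3:  # both flag bits set: an explicit MEMF longword follows
            off += 4
    hunks, cur = [], None
    while off < len(buf):
        t, off = _u32(buf, off) & 0x3FFFFFFF, off + 4  # strip memory flag bits
        if t in (HUNK_CODE, HUNK_DATA):
            n, off = _u32(buf, off), off + 4
            cur = {"type": t, "data": buf[off:off + 4 * n], "relocs": []}
            hunks.append(cur)
            off += 4 * n
        elif t == HUNK_BSS:  # size only, no payload in the file
            cur = {"type": t, "data": b"", "relocs": []}
            hunks.append(cur)
            off += 4
        elif t == HUNK_RELOC32:  # (count, target hunk, offsets...)*, 0
            while True:
                n, off = _u32(buf, off), off + 4
                if n == 0:
                    break
                off += 4
                cur["relocs"].extend(_u32(buf, off + 4 * i) for i in range(n))
                off += 4 * n
        elif t == HUNK_DEBUG:
            off += 4 + 4 * _u32(buf, off)
        elif t == HUNK_SYMBOL:  # (name length in longwords, name, value)*, 0
            while True:
                n, off = _u32(buf, off), off + 4
                if n == 0:
                    break
                off += 4 * n + 4
        elif t == HUNK_END:
            cur = None
        else:
            raise ValueError("unsupported hunk type 0x%x" % t)
    return hunks


def assess(buf):
    """Apply the write-up's infection preconditions and indicators to one file."""
    code = next((h for h in parse_hunks(buf) if h["type"] == HUNK_CODE), None)
    r = {
        "size_in_window": 2000 <= len(buf) <= 32000,
        "has_code_hunk": code is not None,
        # $61 at offset 0 of the first code hunk is the virus's own
        # "already infected" marker (the planted bsr.w to its body)
        "starts_with_bsr": code is not None and code["data"][:1] == bytes([BSR_OPCODE_BYTE]),
        # a reloc entry for offset 0 is the case the write-up says will guru
        # after infection: the loader relocates the planted longword
        "reloc_at_entry": code is not None and 0 in code["relocs"],
        # polymorphism of the decryptor does not defeat a checksum baseline
        "code_sha256": hashlib.sha256(code["data"]).hexdigest() if code else None,
    }
    r["candidate"] = r["size_in_window"] and r["has_code_hunk"] and not r["starts_with_bsr"]
    return r


def build_sample(code, relocs=()):
    """Construct a one-hunk test executable (constructed data, not a real program)."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    out = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)  # header, no libs, 1 hunk
    out += struct.pack(">II", HUNK_CODE, n) + code
    if relocs:
        out += struct.pack(">III", HUNK_RELOC32, len(relocs), 0)
        out += b"".join(struct.pack(">I", o) for o in relocs) + struct.pack(">I", 0)
    return out + struct.pack(">I", HUNK_END)


if __name__ == "__main__":
    print(assess(build_sample(b"\x4e\x75" + b"\x4e\x71" * 999)))  # clean sample: rts, nops
```

`candidate` is true for a file the virus would consider infectable by the listed preconditions (the device checks are left out, since they depend on the volume, not the file). Because the virus's only file-level self-check is the $61 byte, a clean program that legitimately starts with a bsr is skipped by it and would be reported here as `starts_with_bsr`; comparing `code_sha256` against a stored baseline is the reliable way to tell the two apart.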
Similarities........: Link-method is first hunk increasing.
                      The main code is comparable to Motaba-3.
                      Length polymorph is the same!
                      The change of length depends on
                      'a' in the filepath.
                      The path creator idea is comparable to
                      the Antonio and PolishPower viruses.
Stealth.............: FindTask must be pointing to $fxxxx or the virus
                      will not try to hack VCII.
                      Open must be pointing to $fxxxx or the virus
                      will not perform any action.
                      Write must be pointing to $fxxxx or the virus
                      will not perform any action.
                      Lock must be pointing to $fxxxx or the virus
                      will not perform the check for ENV:mui/spirit.1.prefs.
                      The virus doesn`t patch ROM library vectors,
                      and the hackings of VC and asl.library are done
                      in a quite tricky way.
Armouring...........: Polymorphic decryptor is used, the length
                      of the added code changes in a small range and
                      at the end of the virus there is more or less garbage.
                      The virus contains some of the popular tricks
                      like bsr and then increasing sp to mix code
                      with data, and some confusing/anti-disassembling
                      instructions.
Comments............: -
--------------------- Agents -------------------------------------------
Countermeasures.....: -
above Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 4.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 4.2001
Information Source..: Virus disassembly and reverse engineering
Copyright...........: This documentation is public domain
===================== End of BASTARD ===================================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed
The virus doesn't seem to be able to spread on so many machines,
but of course file removals will be ready as soon as possible.
What is more important!
-----------------------
Here is the first analysis of that virus.
At the moment the range of spreading is unknown,
but I heard the installer is an archive with pointers or something
of this kind. Jan Andersen of VHT-DK is working on it or has already finished.