------------------------
Amiga Virus Encyclopedia
Bobek 2 Virus
------------------------
------------------------------------------------------------------------
Entry...............: Bobek2!
Alias(es)...........: -
Virus Strain........: Bobek
Virus detected when.: -
              where.: internet
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1036 Bytes
2. Length in RAM: 65535*2 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- compares the length declared in the hunk header
with the real length (this also
avoids infection of some crunched files)
Self-identification method in memory:
- checks the libOpen address of exec.library.
When TWO parts of the virus are installed
on this vector, the FULL VIRUS is activated.
It will infect ExNext if it points to $Fxxxxx.
System infection:
- the first infected file allocates memory for
the virus code and puts this address as the libOpen
vector of exec.library.
- further copies of the virus install themselves on this
vector until the virus block is constructed.
Only then is it activated.
- the full virus infects ExNext of dos.library.
The paths to infect are built with
NameFromLock and the stolen FIB returned by ExNext.
In some cases this gives wrong paths, so some
directories won't be touched by the virus.
- creates an invisible 'interrupt' to keep
the ExNext patch untouched.
Seems to be very difficult to remove.
Infection preconditions:
- file is between 200 and 30000 bytes
- Hunk Code is found
- file is not infected already
- device is validated
Infection Trigger...: Scanning directories (with: filemanagers,
filerequesters, Workbench etc.).
Storage media affected:
all DOS-devices
Interrupts hooked...: Timer.device is used to create memory protection
for the patch. Its interrupt can't be switched off,
because the system uses it for many other things.
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- none
Particularities.....: First 'binary' virus for Amiga computers.
Spreading the virus as two parts makes
the added data much shorter and prevents
reverse engineering of a disassembled file.
Every infected file contains only half
of the virus code (odd or even words of the virus block).
The linker is done with one Open/Close,
so it is quite fast.
Memory allocation is done only once at start because
only a small range of file sizes is checked.
The infected file always has the first longword
of the first code hunk replaced with a BSR.W to the entry point
of the decoder.
There is a test for $4E at the first LONG.
That covers 4EF9 and 4EB9 long jumps.
The virus block is decrypted by a 128 byte long
metamorphic decryptor (the decoder is made of random
jumps to decoder instructions).
This is a new technique for the Amiga. Detection
is possible only in an algorithmic way.
It seems to be easy to detect at that level
of complication.
The virus stores the first LONGWORD of the code hunk,
so it is necessary to decode it.
This is probably the first Amiga virus with
random entry points to the decoder (anywhere in
the decoder area). This generator is one of
the smallest engines with such power for the Amiga.
Timer.device is used to create an invisible 'interrupt'.
This interrupt takes care of the ExNext patch.
Not only is the patch address restored when something
removes it, but the patch memory is also restored
if something tries to overwrite the patch with NOPs,
RTSes etc.
This interrupt holds a backup of the whole code,
but only the main patch part is protected.
This means the spreading code is untouchable.
Similarities........: Link method is first-hunk increasing.
The main viral code is almost equal to the BOBEK
linkvirus.
Use of timer.device is somewhat comparable to PolishPower.
Stealth.............: The virus uses a direct ROM call to Open,
so all doscall watchers are cheated.
The routine to rip this address from ROM is tricky,
but at the moment it does work.
The virus puts the original length (before infection)
into the FIB returned by the patched ExNext,
so ExNext always returns the real size of the file.
The virus checks if the file size is divisible by 4
(executables are), so most data files won't
even be opened.
Armouring...........: Nothing special except the fact that analysis
of the virus is impossible from the file alone.
Comments............: NOTE!
There is no code to restore filedate
after infection.
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 6.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 6.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain
===================== End of [BOBEK2!] =================================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
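As an added illustration (not part of this entry and not the code of any Amiga antivirus), the Python sketch below parses a minimal hunk executable and reports the file-level indicators the entry names: the length declared in the hunk header versus the real HUNK_CODE length (the virus's own self-identification test), a first longword beginning with BSR.W ($6100), and the 200..30000 byte, divisible-by-4 size window from the infection preconditions. The hunk block identifiers are the standard AmigaDOS values; the sample files are constructed here, not real infected binaries.

```python
import struct

# Amiga hunk-file block identifiers (standard AmigaDOS values)
HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2

def build_hunk_file(code, declared_longs=None):
    """Constructed minimal executable: HUNK_HEADER, one HUNK_CODE, HUNK_END.
    declared_longs lets the header's size table disagree with the real code
    length, to simulate the mismatch the entry describes (test data only)."""
    real_longs = len(code) // 4
    declared = real_longs if declared_longs is None else declared_longs
    # header: id, no resident libraries, table size 1, first hunk 0, last hunk 0, size
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, declared)
    return (header + struct.pack(">II", HUNK_CODE, real_longs) + code
            + struct.pack(">I", HUNK_END))

def check_first_code_hunk(data):
    """Report the file-level indicators the entry names for the first code hunk."""
    u32 = lambda off: struct.unpack_from(">I", data, off)[0]
    if len(data) < 24 or u32(0) != HUNK_HEADER:
        return {"hunk_file": False}
    off = 4
    while u32(off) != 0:                      # skip resident library name strings
        off += 4 + u32(off) * 4
    first, last = u32(off + 8), u32(off + 12)
    declared = u32(off + 16) & 0x3FFFFFFF     # first hunk size, memory flag bits stripped
    off += 16 + (last - first + 1) * 4        # skip the whole size table
    if u32(off) != HUNK_CODE:                 # entry: "Hunk Code is found"
        return {"hunk_file": True, "code_hunk_first": False}
    real = u32(off + 4)                       # length stored in the HUNK_CODE block itself
    first_word = data[off + 8:off + 10]
    return {
        "hunk_file": True, "code_hunk_first": True,
        "declared_longs": declared, "real_longs": real,
        "length_mismatch": declared != real,         # the virus's own self-identification test
        "bsr_w_entry": first_word == b"\x61\x00",    # first longword replaced by BSR.W
        "in_size_range": 200 <= len(data) <= 30000 and len(data) % 4 == 0,
    }
```

A length mismatch alone is only a heuristic: the entry itself notes that the same test also rejects some crunched files, so a scanner should treat it as one indicator among several.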