Bokor Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



------------------------
Amiga Virus Encyclopedia
Bokor Virus 
------------------------


----------------------------------------------------------------------------

Entry...............: Bokor
Alias(es)...........: Bokor, Bokor 1.05, Bokor 1.06, Bokor 1.1
Virus Strain........: -
Virus detected when.: July-September 1997
              where.: World
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         around 1600 bytes
                      2. Length in RAM:                    around 5000 bytes

SPECIAL NOTE: ALL FORMS ARE ANALYSED IN ONE TEXT. SO PLEASE DON'T BLAME ME FOR
THE "AROUND XXXX BYTES" MESSAGES.

--------------------- Preconditions ----------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ (V37-V40)

                      Please note that the polymorphic decrypter is not 100%
                      aware of modern OS versions. I have here a special
                      "work" kickstart version, which does not run with this
                      virus.

Computer model(s)...: all models/processors (MC68000-MC68060)


--------------------- Attributes -------------------------------------------

Easy Identification.: - none, except for a heuristic check as done in
                        VirusWorkshop.

Type of infection...: Self-identification method in files:

                      -

                      Self-identification method in memory:

                      - test for a specific word at offset $10 from the
                        LoadSeg vector. This method is rather insecure,
                        as this word appears VERY often.

                      System infection:

                      - LoadSeg() of dos.library is patched in a special
                        anti-heuristic way, which uses some anti-resource
                        techniques.

 
                      Infection preconditions:

                      - HUNK_HEADER is found
                      - device is validated
                      - the first hunk of the file to be infected is bigger
                        than 4*$188
                      - file is smaller than $3e800 bytes

Infection Trigger...: The infection works through the disk operating
                      system of AMIGA OS. Every file that is started will
                      be infected. All executable DOS commands are affected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: -

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....:
                      The virus is in parts incompatible with newer versions of EXEC,
                      as it uses some commands that are only legal in V37-V41.
                    
Similarities........: The hunk 1 add method is used by several linkviruses. The number
                      of known hunk types is really small and should cause problems
                      under special test suites. The special thing is that a $3ec
                      hunk is added.
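The infection preconditions above (HUNK_HEADER present, first hunk bigger than 4*$188, file smaller than $3e800 bytes) and the hunk-type observation in this section can be checked offline with a small reader for the AmigaDOS hunk format. The following is an added example, not code from this entry, from the Virus Help Team or from VT/VW: it parses the HUNK_HEADER size table, walks the hunk blocks, lists their types (so an analyst can see whether a $3ec = HUNK_RELOC32 block is present) and reports whether the size preconditions hold. It assumes 4*$188 is a byte count (the entry gives no unit) and cannot check the "device is validated" precondition, which depends on the running system rather than on the file. The sample executables it builds are constructed, zero-filled hunk files, not real Amiga binaries.

```python
import struct

# Hunk block identifiers from the AmigaDOS executable format (big-endian longwords).
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC   # the $3ec hunk type the entry says Bokor adds
HUNK_SYMBOL  = 0x3F0
HUNK_DEBUG   = 0x3F1
HUNK_END     = 0x3F2
HUNK_HEADER  = 0x3F3

# Size preconditions taken from the entry; 4*$188 is assumed to be a byte count.
MIN_FIRST_HUNK_BYTES = 4 * 0x188   # 1568 bytes
MAX_FILE_BYTES = 0x3E800           # 256000 bytes


def _u32(buf, off):
    """Read one big-endian longword (68k byte order)."""
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunk_header(buf):
    """Return (hunk sizes in bytes, offset of the first hunk block), or None without HUNK_HEADER."""
    if len(buf) < 4 or _u32(buf, 0) != HUNK_HEADER:
        return None
    off = 4
    while True:                          # resident library names: (length, name) pairs, 0 ends
        n = _u32(buf, off)
        off += 4
        if n == 0:
            break
        off += 4 * n
    _table_size, first, last = struct.unpack_from(">III", buf, off)
    off += 12
    sizes = []
    for _ in range(last - first + 1):
        raw = _u32(buf, off)
        off += 4
        if raw >> 30 == 3:               # both flag bits set: an explicit memory-flags longword follows
            off += 4
        sizes.append((raw & 0x3FFFFFFF) * 4)   # table entries are in longwords
    return sizes, off


def walk_hunks(buf, off):
    """List the hunk block types after the header; stops at an unknown type or truncation."""
    types = []
    try:
        while off + 4 <= len(buf):
            kind = _u32(buf, off) & 0x3FFFFFFF   # strip memory-flag bits
            off += 4
            types.append(kind)
            if kind in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
                off += 4 + 4 * _u32(buf, off)    # size longword, then payload
            elif kind == HUNK_BSS:
                off += 4                         # size only, no payload
            elif kind == HUNK_RELOC32:
                while True:                      # (count, hunk number, offsets...) groups, 0 ends
                    count = _u32(buf, off)
                    off += 4
                    if count == 0:
                        break
                    off += 4 + 4 * count
            elif kind == HUNK_SYMBOL:
                while True:                      # (name length, name, value) entries, 0 ends
                    n = _u32(buf, off)
                    off += 4
                    if n == 0:
                        break
                    off += 4 * n + 4
            elif kind != HUNK_END:
                break                            # unknown hunk type: stop rather than guess
    except struct.error:
        pass                                     # truncated file: report what was seen
    return types


def check_bokor_preconditions(buf):
    """Report whether a file meets the size preconditions listed in the entry."""
    hdr = parse_hunk_header(buf)
    if hdr is None:
        return {"hunk_header": False, "first_hunk_bytes": 0, "file_bytes": len(buf),
                "hunk_types": [], "has_reloc32": False, "meets_preconditions": False}
    sizes, off = hdr
    types = walk_hunks(buf, off)
    first = sizes[0] if sizes else 0
    return {
        "hunk_header": True,
        "first_hunk_bytes": first,
        "file_bytes": len(buf),
        "hunk_types": types,
        "has_reloc32": HUNK_RELOC32 in types,
        "meets_preconditions": first > MIN_FIRST_HUNK_BYTES and len(buf) < MAX_FILE_BYTES,
    }


def build_sample(code_longwords, with_reloc32=False):
    """Constructed minimal executable: header, one zero-filled CODE hunk, optional empty RELOC32, END."""
    out = struct.pack(">II", HUNK_HEADER, 0)        # no resident library names
    out += struct.pack(">III", 1, 0, 0)             # one hunk, first = last = 0
    out += struct.pack(">I", code_longwords)        # size table entry for hunk 0, no memory flags
    out += struct.pack(">II", HUNK_CODE, code_longwords) + bytes(4 * code_longwords)
    if with_reloc32:
        out += struct.pack(">II", HUNK_RELOC32, 0)  # empty relocation list
    out += struct.pack(">I", HUNK_END)
    return out


if __name__ == "__main__":
    print(check_bokor_preconditions(build_sample(0x200)))                    # meets the size checks
    print(check_bokor_preconditions(build_sample(0x40, with_reloc32=True)))  # first hunk too small
```

A file that meets the size checks is not infected by that fact alone; the check only narrows the set of files a scanner should look at more closely, and on a real sample the hunk type list should be compared against what the linker normally emits for that program.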

Stealth.............: None

Armouring...........: The virus is heavily armoured with a type 4 (Bokor 1.0x) or a
                      type 2 (Bokor 1.1) polymorphic routine, which is completely cache
                      aware and can produce a huge number of headers. The virus itself
                      uses code shifting (like the old Dark Avenger linkviruses) to irritate
                      the AV people, even if a non-encrypted form is generated. The code is
                      in parts written with some knowledge of anti-resource techniques.

Specialities........: As always, the virus contains a text part:

--------------------- Agents --------------------------------------------------------------

Countermeasures.....: VT 3.00 and VW 6.7 or above (both recognize ALL FORMS!!!!)
Standard means......: -

--------------------- Acknowledgement -----------------------------------------------------

Location............: Hannover, Germany 29.09.1997.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 29. 1997
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication

===================================== End of Bokor Virus ==================================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed





Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk