------------------------
Amiga Virus Encyclopedia
Bokor Virus
------------------------
----------------------------------------------------------------------------
Entry...............: Bokor
Alias(es)...........: Bokor, Bokor 1.05, Bokor 1.06, Bokor 1.1
Virus Strain........: -
Virus detected when.: July-September 1997
where.: World
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: around 1600 bytes
2. Length in RAM: around 5000 bytes
SPECIAL NOTE: ALL FORMS ARE ANALYSED IN ONE TEXT, SO PLEASE DON'T BLAME ME FOR
THE "AROUND XXXX BYTES" MESSAGES.
--------------------- Preconditions ----------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ (V37-V40)
Please note that the polymorphic decrypter is not 100%
aware of modern OS versions. I have here a special
"work" kickstart version, which does not run with this
virus.
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes -------------------------------------------
Easy Identification.: - none, except for a heuristic check such as the one in
VirusWorkshop.
Type of infection...: Self-identification method in files:
-
Self-identification method in memory:
- test for a special word at offset $10 from the
LoadSeg vector. This method is rather unreliable,
as this word appears VERY often.
System infection:
- LoadSeg() of dos.library is patched in a special
anti-heuristic way that uses some anti-resourcing
(anti-disassembly) techniques.
Infection preconditions:
- HUNK_HEADER is found
- device is validated
- the first hunk of the file to be infected is bigger than 4*$188
- the file is smaller than $3e800 bytes
Infection Trigger...: The infection is based on the disk operating
system of AMIGA OS. Every executed file will be
infected; all executable DOS commands are affected.
Storage media affected:
all DOS-devices
Interrupts hooked...: -
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- infecting a file
Particularities.....:
The virus is in parts incompatible with newer versions of EXEC,
as it uses some calls that are only legal in the V37-V41 versions.
Similarities........: The "add to hunk 1" method is used by several linkviruses. The
number of hunk types the virus knows is really small and should
cause problems under special test suites. The special thing is
that a $3ec hunk is added.
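As an added example (not part of the original entry), the following Python parser walks an AmigaDOS hunk-format executable, lists its block types and checks the two size preconditions given above (first hunk bigger than 4*$188, file smaller than $3e800 bytes), so a scanner can tell whether a file is even a candidate and whether a $3ec (RELOC32) block is present. The sample executables are constructed inside the code and are not real infected files; a RELOC32 block by itself is normal in legitimate programs, so its presence is only a supporting indicator.

```python
import struct
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2
HUNK_NAMES = {HUNK_CODE: "CODE", HUNK_DATA: "DATA", HUNK_BSS: "BSS",
              HUNK_RELOC32: "RELOC32", HUNK_END: "END"}
MIN_FIRST_HUNK = 4 * 0x188  # first hunk must be bigger than this (bytes), per the entry
MAX_FILE_SIZE = 0x3E800     # file must be smaller than this (bytes), per the entry
def u32(buf, pos):
    return struct.unpack_from(">I", buf, pos)[0]
def parse_hunks(buf):
    """Return (size of first hunk in bytes, list of hunk block names in file order)."""
    if len(buf) < 4 or u32(buf, 0) != HUNK_HEADER:
        raise ValueError("HUNK_HEADER not found")
    pos = 4
    while u32(buf, pos) != 0:           # skip the resident library name table
        pos += 4 + u32(buf, pos) * 4
    first, last = u32(buf, pos + 8), u32(buf, pos + 12)  # after terminator and table size
    pos += 16
    sizes, blocks = [], []
    for _ in range(last - first + 1):   # hunk size table, entries in longwords
        size = u32(buf, pos); pos += 4
        if size >> 30 == 3:             # both memory-flag bits set: extra attribute longword
            pos += 4
        sizes.append((size & 0x3FFFFFFF) * 4)
    while pos + 4 <= len(buf):
        ht = u32(buf, pos) & 0x3FFFFFFF; pos += 4
        blocks.append(HUNK_NAMES.get(ht, hex(ht)))
        if ht in (HUNK_CODE, HUNK_DATA):
            pos += 4 + u32(buf, pos) * 4
        elif ht == HUNK_BSS:
            pos += 4
        elif ht == HUNK_RELOC32:        # groups of [count, target hunk, offsets...], then 0
            while (n := u32(buf, pos)) != 0:
                pos += 8 + n * 4
            pos += 4
        elif ht != HUNK_END:
            raise ValueError(f"unsupported hunk type {ht:#x}")
    return sizes[0], blocks

def matches_preconditions(buf):
    """True if the file meets the infection preconditions listed in the entry."""
    first_bytes, _ = parse_hunks(buf)
    return first_bytes > MIN_FIRST_HUNK and len(buf) < MAX_FILE_SIZE

def build_sample(code_longs):
    """Constructed single-hunk executable with one RELOC32 block (not a real infected file)."""
    out = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, code_longs)
    out += struct.pack(">II", HUNK_CODE, code_longs) + b"\x4e\x75" * (code_longs * 2)  # RTS filler
    out += struct.pack(">IIIII", HUNK_RELOC32, 1, 0, 8, 0)  # one reloc at offset 8 into hunk 0
    return out + struct.pack(">I", HUNK_END)
```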
Stealth.............: None
Armouring...........: The virus is heavily armoured with a type 4 (Bokor 1.0x) or a
type 2 (Bokor 1.1) polymorphic routine, respectively, which is completely
cache-aware and can produce a huge number of different headers. The virus
itself uses code shifting (like the old Dark Avenger linkviruses) to confuse
the AV people, even when a non-encrypted form is generated. The code is
in parts written with some knowledge of anti-resourcing techniques.
Specialities........: As always the virus contains a text part:
--------------------- Agents --------------------------------------------------------------
Countermeasures.....: VT 3.00 and VW 6.7 (both recognize ALL FORMS!!!!), see above
Standard means......: -
--------------------- Acknowledgement -----------------------------------------------------
Location............: Hannover, Germany 29.09.1997.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 29. 1997
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
in any SHI publication
===================================== End of Bokor Virus ==================================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed