Entry...............: Cryptic Essence Alias(es)...........: Evil Jesus #3
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Denmark Classification......: Link virus,
memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage             medium:     none
                      2. Length in RAM:                $97c bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Self-identification method in files: 
                      -  None. Double infections are possible but mostly
                         result in dead samples. Tested on CVMODE as
                         testinfect file.

                      Self-identification method in memory:
                      -  None

                      System infection: 
                      -  RAM resident, infects the DOS Write() function

                      Infection preconditions:
                       - File to be infected is bigger then 9276 bytes
                       - First hunk is a normal code hunk without
                         memory extentsion (=$3e9)
                       - This hunk must be bigger than 9276 bytes
                       - First word in this hunk is not:

                         - $4afc (ILLEGAL)
                         - $4e75

                       - Second word in this hunk is not:

                         - $4afc (ILLEGAL)
                         - $4e75


Infection Trigger...: Accessing the volume (by writing)
                      A normal COPY is not suitable, because COPY divides
                      longer files in little chunks and at this chunks,
                      the virus mostly cannot work correctly.
                        Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage: 
                      - Changes data in files randomly. Not repairable
                      Transient damage: 
                      - none
Damage Trigger......: Permanent damage:
                      - Counter reaches 0
                      Transient damage: 
                      - None

Particularities.....: The crypt routines are not aware of processor caches
                      and have serious problem at some places. It can come
                      to wrong decoding and  such stuff. The linkmethod is
                      new for the  AMIGA computer series and  is called on
                      PC Cavity  linkviruses. There is no modification  to
                      the  relochunks needed  to repair  the file from the
                      virus.

                      In the virus there is found a comment to a wellknown
                      PC antivirus researcher and to a essey written by
                      this guy, which was obviously used from the virus-
                      programmer(s) as basis.


Similarities........: Cavity linkviruses on PC (such families have been
                      e.g. seen in the Netherlands). Packroutine is stolen
                      from the xpk distribution.  The way of linking is
                      completly new for the AMIGA at this time (9/95).

Stealth.............: The viruses uses normal dos commands (no tunneling
                      via packets) and normal DOS call watchers like SnoopDos
                      can proof the infection behavior. The virus does not
                      restore fileprotect flags and the filedate, so that
                      this can be a proofal for a possible infection. The
                      filelength does not change. No new hunk will be added.
                      Using the RCH technic the virus searches a place
                      where to put it`s own code and crunches the existing
                      data at first. The can`t be found based on a normal
                      offset location search.

Armouring...........: The virus uses several armouring techniques to
                      confuse people while debugging this virus:
                      1. The virus uses double encryption with an
                         polymorphic engine (SPe)
                      2. The virus is flexible programmed and uses
                         nearly no hardcoded values
                      3. Write() vector patch uses a polymorphism
                         to cheat some not flexible av-software
                      4. Polymorphism at entry jump to irritate the
                         av software


--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.77, VW 5.6
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 28.9.1995.
Classification by...: Markus Schmall, Georg Hoermann and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: September,28. 1995
Information Source..: Reverse engineering of original virus
Special.............: Some parts of this analyse have been shorted/cutted
                      not to show the public too much information about
                      things like RCH and SPe.

===================== End of Cryptic Essence Virus ======================


It`s surprising that the virus seems to be uploaded from the auhtor including
FULL source at a dansk AV board. The author included even a little text:


-----BEGIN PGP SIGNED MESSAGE-----

  -=* Cryptic Essence,  1995 Evil Jesus (maximum false positive) *=-
 
 Extra thanks for xxxxxxxx xxxxxxxxx giving some valueable information
 how to reach maximum damage in essee 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'.

 It really inspired me to write C.E.!

 - Generalized infection scheme, virus itself will not use any strings
   to avoid reinfecting same file. This should make it very hard to
   detect and also gives possibility to change visible decrypting code.
 - Random damage, impossible to repair.
 - Source code is easily modifable to use different packers and crypters.

 If you are interested about that particular essee you can write to
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

 Sins unforgiven, Evil Jesus

-----BEGIN PGP SIGNATURE----- Version: 2.6ui (Amiga)

iQBFAgUBMFP6ho3j8jX6L7S9AQFwuQF/TruUbFYQ5LwSBOk1SkqUp9R8tycB4m5y
bgNZh5X0wVHU9ggx285ZUOdOcM+OeRGS =Mrqg -----END PGP SIGNATURE-----


I don`t know, that the virusprogrammer wanted to do with it. The xxx`s are
only there to stay CARO conform and not to mention a special pc av freak,
which will be mentioned inside the virus, too.


VIRUSWORKSHOP WILL ONLY RECOGNIZE THIS VIRUS ON 68020 AND HIGHER SYSTEMS,
BASED ON THE CODEEMULATION, WHICH IS SENSELESS ON 68000 !

[Go back]