------------------------
Amiga Virus Encyclopedia
Cryptic Essence Virus
------------------------
------------------------------------------------------------------------
Entry...............: Cryptic Essence
Alias(es)...........: Evil Jesus #3
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Denmark
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: none (the file length
                         does not change, see Stealth)
                      2. Length in RAM: $97c bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: None
Type of infection...: Self-identification method in files:
                      - None. Double infections are possible but mostly
                        result in dead samples (tested with CVMODE as
                        the test-infect file).
                      Self-identification method in memory:
                      - None
                      System infection:
                      - RAM resident; patches the dos.library Write()
                        vector
                      Infection preconditions:
                      - File to be infected is bigger than 9276 bytes
                      - First hunk is a normal code hunk without memory
                        extension (hunk type longword is exactly $3e9)
                      - This hunk must be bigger than 9276 bytes
                      - First word in this hunk is not:
                        - $4afc (ILLEGAL)
                        - $4e75 (RTS)
                      - Second word in this hunk is not:
                        - $4afc (ILLEGAL)
                        - $4e75 (RTS)
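The preconditions above can be checked mechanically by parsing the AmigaDOS hunk header of a candidate file. The following Python is an added example written for this entry, not code from the virus or from VT/VW. It reads the HUNK_HEADER block, skips the resident-library names and the hunk size table, and inspects the first hunk block: the type longword must be exactly $3e9 (any chip/fast/extended memory bits in the top two bits make it fail, which is how the "without memory extension" rule is read here), the code must be longer than 9276 bytes, and neither of its first two words may be $4afc or $4e75. The hunk file builder and the NOP-filled sample files are constructed test inputs, not real programs.

```python
"""Mechanical check of the Cryptic Essence infection preconditions against
an AmigaDOS hunk executable.  Added example for this entry; not code from
the virus, VT or VW.  Sample files below are constructed test inputs."""
import struct

HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2
MIN_SIZE = 9276                      # both the file and the first hunk must exceed this
BAD_WORDS = {0x4AFC: "ILLEGAL", 0x4E75: "RTS"}


def parse_first_hunk(data):
    """Return (hunk type longword, code bytes) of the first hunk of a load
    file.  Raises ValueError for anything that is not a plain hunk file."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        value = struct.unpack_from(">I", data, off)[0]
        off += 4
        return value

    if u32() != HUNK_HEADER:
        raise ValueError("not a HUNK_HEADER file")
    while True:                      # resident library names, terminated by a 0 length
        n = u32()
        if n == 0:
            break
        off += 4 * n
    table_size, first, last = u32(), u32(), u32()
    if last < first or table_size != last - first + 1:
        raise ValueError("inconsistent hunk table")
    off += 4 * table_size            # per-hunk sizes (with memory flags); not needed here
    hunk_type = u32()                # $3e9 exactly, or with memory bits 30/31 set
    size_lw = u32()                  # hunk size in longwords
    code = data[off:off + 4 * size_lw]
    if len(code) != 4 * size_lw:
        raise ValueError("truncated code hunk")
    return hunk_type, code


def infection_preconditions(data):
    """List the preconditions `data` fails; an empty list means the file is a
    candidate for Cryptic Essence infection."""
    failed = []
    if len(data) <= MIN_SIZE:
        failed.append("file not bigger than %d bytes" % MIN_SIZE)
    try:
        hunk_type, code = parse_first_hunk(data)
    except ValueError as err:
        return failed + ["unparseable: %s" % err]
    if hunk_type != HUNK_CODE:       # memory extension bits present, or not a code hunk
        failed.append("first hunk is not a plain $3e9 code hunk")
    if len(code) <= MIN_SIZE:
        failed.append("first code hunk not bigger than %d bytes" % MIN_SIZE)
    words = struct.unpack_from(">HH", code) if len(code) >= 4 else ()
    for i, w in enumerate(words):
        if w in BAD_WORDS:
            failed.append("word %d of code hunk is $%04x (%s)" % (i + 1, w, BAD_WORDS[w]))
    return failed


def build_hunk_file(code, hunk_type=HUNK_CODE):
    """Wrap `code` in a minimal single-hunk load file (constructed input)."""
    size_lw = len(code) // 4
    assert len(code) == 4 * size_lw, "code must be longword aligned"
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)     # header, no libs, 1 hunk, first=last=0
            + struct.pack(">I", size_lw)                        # hunk table: size of hunk 0
            + struct.pack(">II", hunk_type, size_lw) + code     # the code hunk block
            + struct.pack(">I", HUNK_END))


NOP = b"\x4e\x71"                                  # MC68000 NOP, used as filler
CANDIDATE = build_hunk_file(NOP * 4650)            # 9300-byte code hunk, meets every rule
STARTS_WITH_RTS = build_hunk_file(b"\x4e\x75" + NOP * 4649)
TOO_SMALL = build_hunk_file(NOP * 100)
# bit 30 set in the type longword: the check only cares that it is not exactly $3e9
CHIP_CODE = build_hunk_file(NOP * 4650, hunk_type=HUNK_CODE | 0x40000000)

if __name__ == "__main__":
    for name, sample in [("candidate", CANDIDATE), ("rts first", STARTS_WITH_RTS),
                         ("too small", TOO_SMALL), ("chip code", CHIP_CODE)]:
        print(name, "->", infection_preconditions(sample) or "candidate for infection")
```

Because the virus stores no marker in the file, this kind of structural check is the only way to predict which files it would touch; it says nothing about whether a file already is infected, which (as the Stealth section notes) cannot be decided from the length or the hunk list.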
Infection Trigger...: Writing to a volume (any file written through the
                      patched Write() vector). A normal COPY is mostly not
                      suitable, because COPY writes longer files in small
                      chunks, and on such chunks the virus usually cannot
                      work correctly.
Storage media affected: all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
- Changes data in files randomly. Not repairable
Transient damage:
- none
Damage Trigger......: Permanent damage:
- Counter reaches 0
Transient damage:
- None
Particularities.....: The crypt routines do not take processor caches into
                      account and have serious problems at some places;
                      this can lead to wrong decoding. The link method is
                      new for the Amiga computer series and corresponds to
                      what are called cavity link viruses on the PC. No
                      modification of the reloc hunks is needed to repair
                      a file from the virus.
                      The virus contains a comment referring to a well-known
                      PC antivirus researcher and to an essay written by
                      him, which the virus programmer(s) evidently used as
                      a basis.
Similarities........: Cavity link viruses on the PC (such families have
                      been seen e.g. in the Netherlands). The pack routine
                      is taken from the xpk distribution. The way of linking
                      is completely new for the Amiga at this time (9/95).
Stealth.............: The virus uses normal DOS calls (no tunneling via
                      packets), so normal DOS call watchers like SnoopDos
                      can show the infection behaviour. The virus does not
                      restore the file protection flags and the file date,
                      so these can be an indication of a possible
                      infection. The file length does not change and no
                      new hunk is added. Using the RCH technique the virus
                      searches for a place to put its own code and crunches
                      the existing data there first. The virus cannot be
                      found by a search at a fixed offset.
Armouring...........: The virus uses several armouring techniques to
                      confuse people while debugging it:
                      1. Double encryption with a polymorphic engine (SPe)
                      2. Flexible code that uses nearly no hard-coded
                         values
                      3. The Write() vector patch is polymorphic, to cheat
                         some inflexible AV software
                      4. Polymorphic entry jump to confuse AV software
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.77, VW 5.6
Countermeasures successful: All of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 28.9.1995.
Classification by...: Markus Schmall, Georg Hoermann and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: September,28. 1995
Information Source..: Reverse engineering of original virus
Special.............: Some parts of this analysis have been shortened/cut
                      so as not to show the public too much information
                      about things like RCH and SPe.
===================== End of Cryptic Essence Virus ======================
It is surprising that the virus seems to have been uploaded by the author
himself, including the FULL source, to a Danish AV board. The author even
included a short text:
-----BEGIN PGP SIGNED MESSAGE-----

-=* Cryptic Essence, (c) 1995 Evil Jesus (maximum false positive) *=-

Extra thanks to xxxxxxxx xxxxxxxxx for giving some valuable information
on how to reach maximum damage in the essay 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'.
It really inspired me to write C.E.!

- Generalized infection scheme, virus itself will not use any strings
  to avoid reinfecting same file. This should make it very hard to
  detect and also gives possibility to change visible decrypting code.
- Random damage, impossible to repair.
- Source code is easily modifiable to use different packers and crypters.

If you are interested in that particular essay you can write to
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Sins unforgiven, Evil Jesus

-----BEGIN PGP SIGNATURE-----
Version: 2.6ui (Amiga)

iQBFAgUBMFP6ho3j8jX6L7S9AQFwuQF/TruUbFYQ5LwSBOk1SkqUp9R8tycB4m5y
bgNZh5X0wVHU9ggx285ZUOdOcM+OeRGS
=Mrqg
-----END PGP SIGNATURE-----
I don't know what the virus programmer wanted to achieve with it. The xxx's
are only there to stay CARO-conformant and not to name a particular PC AV
freak, who is also mentioned inside the virus.
VIRUSWORKSHOP WILL ONLY RECOGNIZE THIS VIRUS ON 68020 AND HIGHER SYSTEMS,
BECAUSE DETECTION IS BASED ON CODE EMULATION, WHICH MAKES NO SENSE ON A 68000!
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed
Test made by Markus Schmall