======= Computer Virus Catalog 1.2: CRIME'92 Virus (31-July-1993) ======
Entry...............: Crime'92 Virus
Alias(es)...........: Crime'92 A,B,C,D Virus (different generations of
                                              the same polymorphic virus)
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Memory resident Link Virus (Extending),Polymorphic
Length of Virus.....: 1.Length: 1800 Byte on storage medium
                      2.Length: 4028 Byte in RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/1.3/2.04/3.0
Computer model(s)...: ALL AMIGAs
--------------------- Attributes ---------------------------------------
Easy Identification.: String "Crime'92" is readable in RAM
Type of infection...: Self-Identification methods:
                         Memory: Checks for String "Crime'92"
                            at $204(Coolcapture). Reset resident.
                         Disk: No real self-identification; the virus
                             simply will not infect files that contain
                             the instruction movem.l d0-d7/a0-a6,-(SP)
                             (opcode word $48e7) at a specified location.
                         Executable File infection: extending files
                             by 1800 bytes at load time.
                         Preconditions: infection occurs if:
                             1) Disk is validated ("R"),
                             2) 8 blocks free on Disk,
                             3) File length < 102400($19000) Bytes,
                             4) File can be read into memory,
                             5) First Hunk is HUNK_HEADER,
                             6) HUNK_CODE found,
                             7) MOVEM-opcode ($48e7) is not found,
                             8) RTS-opcode found in hunk.
                          System infection: RAM- and Reset-Resident.
                             Virus can infect system libraries and almost
                             any file containing executable code matching
                             infection-preconditions, even printer
                             drivers.
                          Vectors hooked under Kickstart 1.3 and earlier:
                             ColdCapture (exec.library)
                             CoolCapture (exec.library)
                             Wait        (exec.library)
                             $2e         (dos.library) - Rom-Ptr,private
                          Vectors hooked under Kickstart 2.0 and later:
                             CoolCapture (exec.library)
                             Wait        (exec.library)
                             LoadSeg     (dos.library)
                             NewLoadSeg  (dos.library)
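The file-side infection preconditions above (3, 5, 6, 7 and 8) can be evaluated statically on any AmigaDOS Hunk executable, which lets an administrator list the files on a disk that Crime'92 could infect. The following Python is an added example written for this catalog page; it is neither the virus's own infection routine nor Virus Test Center code. It assumes that the $48e7 and $4e75 opcode words are searched at every word-aligned offset of every HUNK_CODE hunk, because the catalog gives neither the "specified location" of the MOVEM check nor which hunk is scanned. Conditions 1, 2 and 4 (validated disk, 8 free blocks, file readable) depend on disk state and are not checked. The sample executables are constructed inline.

```python
"""Static check of the Crime'92 file-infection preconditions against an
AmigaDOS Hunk executable (added example for this catalog entry; not the
virus's own code and not Virus Test Center code).

Checked: 3) length < $19000, 5) first hunk is HUNK_HEADER, 6) a HUNK_CODE
exists, 7) no $48e7 (movem.l regs,-(sp)), 8) an rts ($4e75) exists.
ASSUMPTION: opcode words are searched at every word-aligned offset of
every HUNK_CODE hunk; the catalog does not say where the virus looks."""
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3F0, 0x3F1, 0x3F2

MAX_LEN = 0x19000        # precondition 3: file length must be < 102400 bytes
OP_MOVEM_PUSH = 0x48E7   # first word of movem.l d0-d7/a0-a6,-(sp): must be absent
OP_RTS = 0x4E75          # rts: must be present


class HunkError(ValueError):
    pass


def _u32(data, off):
    if off + 4 > len(data):
        raise HunkError("truncated at offset %d" % off)
    return struct.unpack_from(">I", data, off)[0]


def parse_hunks(data):
    """Return [(hunk_type, payload)] for a plain (non-overlay) Hunk executable."""
    off = 0
    if _u32(data, off) != HUNK_HEADER:
        raise HunkError("first hunk is not HUNK_HEADER")   # precondition 5
    off += 4
    while True:                               # resident library name table
        n = _u32(data, off); off += 4
        if n == 0:
            break
        off += n * 4
    off += 4                                  # table size
    first = _u32(data, off); off += 4
    last = _u32(data, off); off += 4
    off += (last - first + 1) * 4             # hunk sizes (incl. memory flags)
    hunks = []
    while off < len(data):
        htype = _u32(data, off) & 0x3FFFFFFF; off += 4   # strip MEMF flag bits
        if htype in (HUNK_CODE, HUNK_DATA):
            n = _u32(data, off); off += 4
            hunks.append((htype, data[off:off + n * 4])); off += n * 4
        elif htype == HUNK_BSS:
            off += 4                          # size only, no payload in file
            hunks.append((htype, b""))
        elif htype in (HUNK_RELOC32, HUNK_SYMBOL):
            while True:                       # (count, hunk|value, ...)* then 0
                n = _u32(data, off); off += 4
                if n == 0:
                    break
                off += 4 + n * 4
        elif htype == HUNK_DEBUG:
            n = _u32(data, off); off += 4 + n * 4
        elif htype != HUNK_END:
            raise HunkError("unsupported hunk type $%x" % htype)
    return hunks


def _has_word(payload, opcode):
    """True if the big-endian 16-bit opcode occurs at a word-aligned offset."""
    return any(struct.unpack_from(">H", payload, i)[0] == opcode
               for i in range(0, len(payload) - 1, 2))


def crime92_infectable(data):
    """(True, "") if all file-side preconditions hold, else (False, reason)."""
    if len(data) >= MAX_LEN:
        return False, "file length >= $19000"
    try:
        code = [p for t, p in parse_hunks(data) if t == HUNK_CODE]
    except HunkError as e:
        return False, str(e)
    if not code:
        return False, "no HUNK_CODE"
    if any(_has_word(p, OP_MOVEM_PUSH) for p in code):
        return False, "movem.l regs,-(sp) ($48e7) present"
    if not any(_has_word(p, OP_RTS) for p in code):
        return False, "no rts ($4e75) in code hunk"
    return True, ""


def build_exe(code):
    """Constructed one-hunk test executable: HUNK_HEADER, HUNK_CODE, HUNK_END."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))


# Constructed samples (68000 machine code, big-endian).
SAMPLE_PLAIN = build_exe(bytes.fromhex("7000 4e75"))               # moveq #0,d0 ; rts
SAMPLE_MOVEM = build_exe(bytes.fromhex("48e7fffe 4cdf7fff 4e75"))  # movem.l push/pop ; rts
SAMPLE_NORTS = build_exe(bytes.fromhex("60fe"))                    # bra.s * (never returns)

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("movem", SAMPLE_MOVEM),
                       ("norts", SAMPLE_NORTS), ("text", b"not a hunk file")):
        print(name, crime92_infectable(blob))
```

A positive result means only that the file is a candidate for infection, not that it is infected; an infected executable has grown by 1800 bytes, so the reliable file-level test is still a size and content comparison against a known clean copy.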
Infection Trigger...: Running any program from the CLI, combined with a
                         random condition
Storage media affected: All disk-like devices
Interrupts hooked...: ---
Damage..............: Permanent Damage: Overwriting random sectors
                      Transient Damage: None
                      Transient/Permanent damage: Due to some bugs,
                         virus may produce divide by zero errors on
                         startup of an infected program. During reset,
                         virus overwrites a random memory longword with
                         zero which may cause dead-end resets.
Damage Trigger......: Random and counter combination.
Particularities.....: Because of its self-modifying (polymorphic)
                         decryptor, the virus does not run correctly
                         when the processor's instruction cache is
                         enabled (68020 and later; the 68000/68010
                         have no cache).
Polymorphism........: Virus is polymorphic in its encryption routine,
                         which makes detection with simple search
                         strings impossible; at present (July 1993)
                         no antivirus detects Crime'92 reliably. The
                         virus can only be detected reliably with
                         algorithmic methods.
                      Several reported "variants" of Crime'92 (A-D) are
                         just different polymorphic generations.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: VT2.55
Countermeasures successful: No virus checker detects all generations
                            of this virus (status: July 1993). Update:
                            VT2.55 detects most (possibly all)
                            generations; all generated variants were
                            sent to the author of VT.
Standard means......: Boot from a clean diskette and overwrite all
                         suspicious executables with original clean
                         copies.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 31-July-1993
Information Source..: H.Schneegold, SHI, Reverse-analysis of virus code
===================== End of Crime'92 Virus ============================