------------------------
Amiga Virus Encyclopedia
Crime '92 Virus
------------------------
======= Computer Virus Catalog 1.2: CRIME'92 Virus (31-July-1993) ======
Entry...............: Crime'92 Virus
Alias(es)...........: Crime'92 A,B,C,D Virus (different generations of
the same polymorphic virus)
Virus Strain........: ---
Virus detected when.: ---
where.: ---
Classification......: Memory resident Link Virus (Extending), Polymorphic
Length of Virus.....: 1.Length: 1800 Byte on storage medium
2.Length: 4028 Byte in RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/1.3/2.04/3.0
Computer model(s)...: ALL AMIGAs
--------------------- Attributes ---------------------------------------
Easy Identification.: String "Crime'92" is readable in RAM
Type of infection...: Self-identification methods:
Memory: checks for the string "Crime'92"
at $204 (CoolCapture). Reset-resident.
Disk: not a true self-identification, but the
virus will not infect files that contain the
instruction movem.l d0-d7/a0-a6,-(SP)
(opcode word $48e7) at the checked location.
Executable file infection: files are extended
by 1800 bytes at load time.
Preconditions: infection occurs if:
1) Disk is validated ("R"),
2) 8 blocks free on Disk,
3) File length < 102400($19000) Bytes,
4) File can be read into memory,
5) First Hunk is HUNK_HEADER,
6) HUNK_CODE found,
7) MOVEM-opcode ($48e7) is not found,
8) RTS-opcode found in hunk.
System infection: RAM- and Reset-Resident.
Virus can infect system libraries and almost
any file containing executable code matching
infection-preconditions, even printer
drivers.
Vectors hooked up to and including Kickstart 1.3:
ColdCapture (exec.library)
CoolCapture (exec.library)
Wait (exec.library)
$2e (dos.library) - Rom-Ptr,private
Vectors hooked from Kickstart 2.0 upwards:
CoolCapture (exec.library)
Wait (exec.library)
LoadSeg (dos.library)
NewLoadSeg (dos.library)
Infection Trigger...: Running any program from the CLI, combined with a
random condition
Storage media affected: All disk-like devices
Interrupts hooked...: ---
Damage..............: Permanent Damage: Overwriting random sectors
Transient Damage: None
Transient/Permanent damage: Due to bugs, the
virus may produce divide-by-zero errors on
startup of an infected program. During reset,
the virus overwrites a random memory longword
with zero, which may cause dead-end resets.
Damage Trigger......: Random and counter combination.
Particularities.....: Due to its self-modifying (polymorphic) code, the
virus will not run with processor caches enabled.
Polymorphism........: The virus is polymorphic in its encryption routine,
which makes detection with simple search
strings impossible; at present no antivirus
detects Crime'92 reliably. It can only be
detected reliably with algorithmic methods.
The several reported "variants" of Crime'92 (A-D)
are just different polymorphic generations.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: VT2.55
Countermeasures
successful: No virus checker detects all generations
of this virus (status: July 1993). Update:
VT2.55 detects most (all?) variants (we sent
all generated variants to the author)
Standard means......: Boot from a clean diskette and overwrite all
suspicious executables with original clean ones.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 31-July-1993
Information Source..: H. Schneegold, SHI; reverse analysis of virus code
===================== End of Crime'92 Virus ============================
Antivirus removal...: Kickstart 1.2 & 1.3: VT-Schutz v3.17
All other Kickstarts: VirusZ III (Xvs.library must also be installed)
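The file-level infection preconditions listed in the catalog entry (length below $19000, HUNK_HEADER first, a HUNK_CODE present, no $48e7 MOVEM word, an RTS word present) can be checked offline against a load file, which is also the basis of the "algorithmic" detection the entry says is needed. The following Python script is an added example written for this page; it is not code from the catalog, from the Virus Test Center, or from any of the named antivirus tools. It parses the Amiga hunk format (block identifiers HUNK_HEADER $3F3, HUNK_CODE $3E9, HUNK_DATA $3EA, HUNK_BSS $3EB, HUNK_RELOC32 $3EC, HUNK_END $3F2; 68000 RTS is $4E75) and applies preconditions 3 and 5-8. Disk-level conditions 1, 2 and 4 depend on the target volume and are not modelled. Two points are assumptions, because the entry does not state them: the virus is taken to inspect the first HUNK_CODE only, and the whole of that hunk is scanned at word alignment for $48E7 and $4E75 rather than one "specified location". The sample files are constructed with a small builder, not real Amiga binaries.

```python
import struct

# Amiga hunk-file block identifiers (big-endian 32-bit words).
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2
HUNK_HEADER  = 0x3F3

OP_MOVEM_PUSH = 0x48E7   # first word of MOVEM.L regs,-(SP); catalog precondition 7
OP_RTS        = 0x4E75   # 68000 RTS; catalog precondition 8
MAX_LEN       = 102400   # $19000; catalog precondition 3


def parse_hunks(data):
    """Parse a load file into [(hunk_type, payload)]; HUNK_BSS gets b"".
    Unsupported block types raise ValueError rather than being misread."""
    pos = 0

    def rd():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated at offset %d" % pos)
        val = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        return val

    if rd() != HUNK_HEADER:                  # precondition 5
        raise ValueError("first hunk is not HUNK_HEADER")
    while True:                              # resident library names, 0-terminated
        n = rd()
        if n == 0:
            break
        pos += 4 * n
    rd()                                     # hunk table size
    first, last = rd(), rd()
    for _ in range(last - first + 1):        # per-hunk sizes (memory flags in top bits)
        rd()

    hunks = []
    while pos < len(data):
        kind = rd() & 0x3FFFFFFF             # strip MEMF_CHIP/MEMF_FAST flag bits
        if kind in (HUNK_CODE, HUNK_DATA):
            n = rd()
            payload = data[pos:pos + 4 * n]
            if len(payload) != 4 * n:
                raise ValueError("truncated hunk payload")
            pos += 4 * n
            hunks.append((kind, payload))
        elif kind == HUNK_BSS:
            rd()                             # size only, no payload
            hunks.append((kind, b""))
        elif kind == HUNK_RELOC32:
            while True:                      # (count, hunk number, offsets...) until count 0
                n = rd()
                if n == 0:
                    break
                rd()
                pos += 4 * n
        elif kind == HUNK_END:
            continue
        else:
            raise ValueError("unsupported hunk type $%X" % kind)
    return hunks


def has_opcode(code, opcode):
    """True if the 16-bit opcode word occurs at any even (instruction-aligned) offset.
    Assumption: the catalog gives no exact location, so the whole hunk is scanned."""
    return any(struct.unpack_from(">H", code, i)[0] == opcode
               for i in range(0, len(code) - 1, 2))


def crime92_file_preconditions(data):
    """Apply catalog preconditions 3 and 5-8. Returns (candidate, reason)."""
    if len(data) >= MAX_LEN:
        return False, "file length >= $19000 (precondition 3)"
    try:
        hunks = parse_hunks(data)            # precondition 5 is checked inside
    except ValueError as err:
        return False, "not a loadable hunk file: %s" % err
    code = [p for kind, p in hunks if kind == HUNK_CODE]
    if not code:
        return False, "no HUNK_CODE (precondition 6)"
    first_code = code[0]                     # assumption: first code hunk is the one inspected
    if has_opcode(first_code, OP_MOVEM_PUSH):
        return False, "MOVEM $48E7 present (precondition 7)"
    if not has_opcode(first_code, OP_RTS):
        return False, "no RTS $4E75 (precondition 8)"
    return True, "meets file-level infection preconditions"


def build_hunk_file(code_words):
    """Build a minimal one-hunk load file from 68k opcode words (constructed test data)."""
    code = b"".join(struct.pack(">H", w) for w in code_words)
    if len(code) % 4:
        code += b"\x00\x00"                  # pad to a longword boundary
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))


# Constructed samples, not real Amiga binaries.
PLAIN     = build_hunk_file([0x7000, 0x4E75])                                  # moveq #0,d0 ; rts
PROTECTED = build_hunk_file([0x48E7, 0xFFFE, 0x7000, 0x4CDF, 0x7FFF, 0x4E75])  # movem.l push ... rts
NO_RTS    = build_hunk_file([0x4E71, 0x4E71])                                  # nop ; nop

if __name__ == "__main__":
    for name, sample in (("PLAIN", PLAIN), ("PROTECTED", PROTECTED), ("NO_RTS", NO_RTS)):
        print(name, crime92_file_preconditions(sample))
```

A file that fails the check is not necessarily clean, only not a candidate for a fresh infection by this virus; the PROTECTED sample shows the side effect of precondition 7, that any program which starts by saving all registers with movem.l d0-d7/a0-a6,-(SP) is skipped by the virus.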