Dark Avenger Type A Virus - Amiga Virus Encyclopedia
VIRUS HELP TEAM
==== Computer Virus Catalog 2.0: Dark Avenger (Type A) (14.12.1993) ====
Entry...............: Dark Avenger (Type A)
Alias(es)...........:
Virus Strain........: Infiltrator
detected when.:
where.:
Classification......: Linkvirus, Extending, not reset-resident
Length of Virus.....: 1.Length (1128) on storage medium
                      2.Length (2000) in RAM
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS > 1.3 (will probably crash under 1.3/1.2)
Computer model(s)...: All Amigas without CPU-Cache
--------------------- Attributes ----------------------------------------
Easy identification.: -
Type of Infection...: Self-Identification method on disk:
                         Checking branch command at first codehunk of
                         infected file
                      Self-Identification method in memory:
                         Checking for a matchword ($A0A1) at
                         hooked-vector location -2
                      Executable File infection:
                         extending file by 1128 bytes
                      Memory-resident, hooking DOS-Open-Vector
                      Not reset-resident
                      Infection preconditions:
                         Disk valid
                         8 spare blocks free
                         Filesize <= 100000
                         Filesize >= 2000
                         Codehunk - Size <= 32752
                         Memory for infection available
                         HUNK_HEADER found
                         HUNK_CODE found
                         HUNK_RELOC32 found
                         101500 Bytes of Memory allocatable
                         JMP or JSR is not the first command
                         in the Codehunk
                      Original-Code is overwritten - but will be
                      restored and executed (virus restores the
                      original file, so that integrity-checks of the
                      executable itself probably will fail)
Infection Trigger...: Opening executable file
Storage Media affec.: All media
Systemcalls hooked..: DOS-VEC OPEN
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Transient Damage:
                         Sets the current Windowtitle to
                         ' -=- The Dark Avenger -=-',0
                      Transient/Permanent damage:
                         Can't handle all DOS-Requests correctly
                         Crashes the System on some requests
                         May "Infect" data-files matching the
                         infection preconditions
                         Some files won't run after infection.
Damage Trigger......: Random (Rasterbeam on startup of infected file)
Particularities.....: No Memory available on virus startup ->
                      virus executes its code in an unallocated area;
                      may cause a crash after quitting the infected
                      program.
                      Virus "tries" to work with lower operating-system
                      versions - but the routine for that will probably
                      almost always crash.
                      Virus is encrypted with a random value from the
                      raster-beam.
                      The programmer of this virus has very poor
                      programming abilities; his system almost certainly
                      runs under OS2.04
Similarities........: Most parts are similar to the Infiltrator-Virus
--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 14.12.1993
Information Source..: Reverse-analysis of Virus-Code, Heiner-Schneegold
===================== End of Dark Avenger (Type A) ======================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed