--------------------------
Amiga Virus Encyclopedia
Ebola Virus (Alias: E1116)
--------------------------
------------------------------------------------------------------------
Entry...............: Ebola Virus
Alias(es)...........: E1116 (to stay CARO-conformant)
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Germany
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1116 Bytes
                      2. Length in RAM: 3300 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - Searches for $ab1590ef at the end of the first
                        hunk.
                      Self-identification method in memory:
                      - Checks for $213f at offset -2 of the LoadSeg()
                        function
                      System infection:
                      - non RAM resident, infects the following functions:
                        Dos LoadSeg(), Exec FindTask() and Exec
                        OpenResource()
                      Infection preconditions:
                      - The file to be infected is larger than 2500 bytes
                        and smaller than 130000 bytes
                      - The first hunk contains a $4eaexxxx command within
                        16-bit range of the end of the file (test for the
                        first entry)
                      - The file is not already infected (checked via the
                        longword at the end of the hunk)
                      - HUNK_HEADER and HUNK_CODE are found
Infection Trigger...: Accessing files via LoadSeg()
Storage media affected: all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - None
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None
Particularities.....: The crypt/decrypt routines are partly aware of
                      processor caches. The crypt routines are
                      non-polymorphic and consist only of some logical
                      operations. The virus uses some simple retro
                      techniques to stop virus killers searching for Draco
                      and possibly for the HochOfen (Trabbi) virus.
Similarities........: The link method is comparable to the method introduced
                      with the Infiltrator virus
Stealth.............: No stealth abilities
Armouring...........: The virus uses only a single armouring technique to
                      confuse people: it encrypts its code based on the
                      position of the raster beam.
Comments............: EBOLA is the name of a virus that humans can get
                      infected with. CARO rules say that no names of
                      persons etc. may be used to name a virus, but I
                      spoke to other people and they already recognized
                      this virus by this name.
--------------------- Agents -------------------------------------------------
Countermeasures.....: VW5.5 and VT 2.76
Countermeasures successful: All of the above
Standard means......: -
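
Added example, not part of the original entry and not code from VW or VT: a Python check for the file self-identification listed under "Type of infection" (longword $ab1590ef at the end of the first hunk), together with the size window from the infection preconditions. The function names, result labels and the constructed sample image are assumptions made for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
EBOLA_MARKER = 0xAB1590EF          # file self-identification longword from the entry
MIN_SIZE, MAX_SIZE = 2500, 130000  # size window from the infection preconditions

def first_hunk_last_long(data):
    """Last longword of the first hunk, or None unless the image starts with
    HUNK_HEADER then HUNK_CODE. Assumes one longword per size-table entry."""
    def u32(off):
        if off + 4 > len(data):
            raise ValueError("truncated")
        return struct.unpack_from(">I", data, off)[0]
    try:
        if u32(0) != HUNK_HEADER:
            return None
        off = 4
        while (n := u32(off)) != 0:      # resident library names (normally none)
            off += 4 + 4 * n
        off += 4                         # the terminating zero longword
        first, last = u32(off + 4), u32(off + 8)
        if last < first:
            return None
        off += 12 + 4 * (last - first + 1)   # table size, first, last, size table
        nlongs = u32(off + 4) & 0x3FFFFFFF   # hunk length in longwords
        if (u32(off) & 0x3FFFFFFF) != HUNK_CODE or nlongs == 0:
            return None
        return u32(off + 8 + 4 * (nlongs - 1))
    except ValueError:
        return None

def check_file(data):
    """Classify a file image against the entry's file self-identification."""
    marker = first_hunk_last_long(data)
    if marker is None:
        return "not-hunk-executable"
    if marker == EBOLA_MARKER:
        return "marker-present"
    if MIN_SIZE < len(data) < MAX_SIZE:
        return "clean-eligible-size"     # no marker, but inside the size window
    return "clean"

def build_sample(last_long, nlongs=700):
    """Constructed test image: HUNK_HEADER, one HUNK_CODE hunk, HUNK_END."""
    body = b"\x4e\x71\x4e\x71" * (nlongs - 1) + struct.pack(">I", last_long)
    head = struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, nlongs, HUNK_CODE, nlongs)
    return head + body + struct.pack(">I", HUNK_END)
```

A "marker-present" result means the file carries the same longword the virus itself tests to skip already-infected files; it is not a signature match on the virus body.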
--------------------- Acknowledgement -----------------------------------------
Location............: Hannover, Germany 03.09.1995.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: September 03, 1995
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
========================== End of EBOLA Virus ================================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed