Entry...............: Ebola Virus
Alias(es)...........: E1116 (to stay CARO-conform)
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Germany
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     1116 Bytes
                      2. Length in RAM:                3300 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:
                      -  Searches for $ab1590ef at the end of the first hunk.

                      Self-identification method in memory:
                      -  Checks for $213f at offset -2 of the LoadSeg()
                         function


                      System infection:
                      -  non RAM-resident, infects the following functions:
                         Dos LoadSeg(), Exec FindTask() and Exec
                         OpenResource()


                      Infection preconditions:
                       - The file to be infected is bigger than 2500 bytes and
                         smaller than 130000 bytes
                       - The first hunk contains a $4eaexxxx instruction within
                         the 16-bit range to the end of the file (only the
                         first occurrence is tested)
                       - The file is not already infected (checked via the
                         longword at the end of the hunk)
                       - HUNK_HEADER and HUNK_CODE are found



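Added example (not part of the original VTC record and not the authors' code): a small scanner that applies the file-level self-identification test listed above to an AmigaDOS Hunk executable. It parses the standard hunk header (HUNK_HEADER $3f3, HUNK_CODE $3e9, HUNK_END $3f2), locates the first code hunk, and reports whether its last longword is the $ab1590ef marker, whether the file lies inside the 2500..130000 byte window, and whether the hunk contains a $4eae ("jsr d16(a6)", a library call) instruction. The in-memory $213f check on the LoadSeg() vector is not covered. The two sample files are constructed inline for the test; the library-call offset in them is a placeholder.

```python
import struct

HUNK_HEADER = 0x3F3          # AmigaDOS hunk block IDs (standard values)
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2
EBOLA_MARKER = 0xAB1590EF    # self-identification longword from the record
JSR_A6 = b"\x4e\xae"         # 68k opcode prefix of "jsr d16(a6)" (library call)
MIN_LEN, MAX_LEN = 2500, 130000   # size window required by the virus


def _u32(data, pos):
    """Big-endian longword at POS; raise on a truncated file."""
    if pos + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack(">I", data[pos:pos + 4])[0]


def first_code_hunk(data):
    """Return the raw bytes of the first HUNK_CODE block of an AmigaDOS
    executable, or None if DATA is not a parseable hunk file."""
    try:
        if _u32(data, 0) != HUNK_HEADER:
            return None
        pos = 4
        while True:                        # resident library names, 0-terminated
            n = _u32(data, pos)
            pos += 4
            if n == 0:
                break
            pos += n * 4
        first, last = _u32(data, pos + 4), _u32(data, pos + 8)
        pos += 12 + (last - first + 1) * 4  # skip table size, first, last, sizes
        hunk_type = _u32(data, pos) & 0x3FFFFFFF   # mask memory-attribute bits
        nlongs = _u32(data, pos + 4)
        if hunk_type != HUNK_CODE:
            return None
        start = pos + 8
        if start + nlongs * 4 > len(data):
            return None
        return data[start:start + nlongs * 4]
    except ValueError:
        return None


def scan(data):
    """Apply the record's size window, jsr(a6) precondition and marker test."""
    code = first_code_hunk(data)
    if code is None:
        return {"hunk_executable": False, "infected": False}
    marker = len(code) >= 4 and struct.unpack(">I", code[-4:])[0] == EBOLA_MARKER
    return {
        "hunk_executable": True,
        "in_size_window": MIN_LEN < len(data) < MAX_LEN,
        "has_library_call": JSR_A6 in code,
        "infected": marker,
    }


def build_hunk_file(code):
    """Construct a minimal single-hunk executable around CODE (test data only)."""
    if len(code) % 4:
        code += b"\0" * (4 - len(code) % 4)
    n = len(code) // 4
    header = struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", n)
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)


# Constructed samples: "jsr -$228(a6)" (placeholder offset), "rts", padding.
CLEAN_CODE = b"\x4e\xae\xfd\xd8" + b"\x4e\x75" + b"\0" * 3000
CLEAN_SAMPLE = build_hunk_file(CLEAN_CODE)
# Same program with the marker as the last longword of the first hunk.
INFECTED_SAMPLE = build_hunk_file(CLEAN_CODE + b"\0\0" + struct.pack(">I", EBOLA_MARKER))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE)):
        print(name, scan(sample))
```

The marker check alone is the reliable indicator; the size window and the jsr(a6) test only say whether a file is a candidate host, so a clean file that meets them is not suspicious on its own.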
Infection Trigger...: Accessing files via LoadSeg()
Storage media affected: all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage: 
                      - None
                      Transient damage: 
                      - none
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage: 
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The crypt routine is not polymorphic and consists
                      only of a few logical operations. The virus uses some
                      simple retro techniques to stop virus killers searching
                      for Draco and possibly for the HochOfen (Trabbi) virus.


Similarities........: The link method is comparable to the method introduced
                      by the Infiltrator virus.

Stealth.............: No stealth abilities

Armouring...........: The virus uses only a single armouring technique to
                      confuse people: it encrypts its code based on the
                      position of the raster beam.

Comments............: EBOLA is the name of a virus with which humans can get
                      infected. CARO rules say that no names of persons etc.
                      may be used to name a virus, but I spoke to other
                      persons and they already recognized this virus by that
                      name.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW5.5 and VT 2.76
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 03.09.1995.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: September 03, 1995
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication

===================== End of EBOLA Virus =========================