Entry...............: Elbereth3
Alias(es)...........: -
Virus Strain........: Elbereth
Virus detected when.: 1996
              where.: Poland
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:          900 Bytes
                      (uses a polymorphic engine, so the exact
                      length varies per infection)
                      2. Length in RAM:                    2048 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 37+, except OS3.1
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: adds 100 years to filedate

Type of infection...: Self-identification method in files:

                      - via filedate

                      Self-identification method in memory:

                      - checks whether the first word at the LoadSeg
                        vector is $2f01 (move.l d1,-(sp)), i.e. the
                        virus' own entry code

                      System infection:

                      - patches LoadSeg and NewLoadSeg

                      File infection:

                      The length of the first code hunk is increased
                      and the virus body is appended to it. The first
                      'Bcc.w', 'JSR -xy(a6)' or 'JSR xxyy(pc)' found
                      in that hunk is replaced so that control passes
                      to the virus body.

                      Infection preconditions:

                      - File is between 1800 and 265326 bytes
                      - Hunk Code is found
                      - File is not infected already
                      - device is validated
                      - device contains free blocks

Infection Trigger...: Starting programs.
                      Files containing "V" or "v" will not be infected.
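                      The following is an added example, not code from
                      the original entry or from the virus itself: a
                      small Python scanner that applies the entry's
                      file-infection preconditions and both
                      self-identification markers to an AmigaDOS hunk
                      executable. The hunk identifiers are the standard
                      AmigaDOS ones; the sample executable at the bottom
                      is constructed here and is not a real program. The
                      disk-state preconditions (validated device, free
                      blocks) are not checked. The word-wise scan for the
                      patch site is an assumption: the entry does not say
                      how the virus locates the instruction it replaces.

```python
import struct

# Standard AmigaDOS hunk identifiers.
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2
MIN_SIZE, MAX_SIZE = 1800, 265326      # file size window from the entry
LOADSEG_MARKER = 0x2F01                # move.l d1,-(sp): first word of the patched vector


def _u32(data, pos):
    return struct.unpack(">I", data[pos:pos + 4])[0]


def parse_hunk_header(data):
    """Parse HUNK_HEADER; return (hunk sizes in bytes, offset of first hunk) or None."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        return None
    pos = 4
    while True:                          # resident library names, zero-terminated list
        n = _u32(data, pos)
        pos += 4
        if n == 0:
            break
        pos += n * 4
    first, last = _u32(data, pos + 4), _u32(data, pos + 8)   # table size, first, last
    pos += 12
    count = last - first + 1
    sizes = [(_u32(data, pos + 4 * i) & 0x3FFFFFFF) * 4 for i in range(count)]
    return sizes, pos + 4 * count


def first_code_hunk(data):
    """Return (offset, length) of the body of the first HUNK_CODE, or None."""
    hdr = parse_hunk_header(data)
    if hdr is None:
        return None
    pos = hdr[1]
    while pos + 4 <= len(data):
        hid = _u32(data, pos) & 0x3FFFFFFF   # strip memory-type flag bits
        if hid == HUNK_CODE:
            return pos + 8, _u32(data, pos + 4) * 4
        if hid == HUNK_DATA:
            pos += 8 + _u32(data, pos + 4) * 4
        elif hid == HUNK_BSS:
            pos += 8                         # size only, no body in the file
        elif hid == HUNK_RELOC32:
            pos += 4
            while True:
                n = _u32(data, pos)
                pos += 4
                if n == 0:
                    break
                pos += 4 + 4 * n             # target hunk number + n offsets
        elif hid == HUNK_END:
            pos += 4
        else:
            return None                      # hunk type this scanner does not walk
    return None


def meets_preconditions(name, data):
    """File-side infection preconditions from the entry (disk state not checked)."""
    if "v" in name.lower():                  # "V"/"v" exclusion from the trigger
        return False
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        return False
    return first_code_hunk(data) is not None


def find_patch_site(code):
    """First Bcc.w, JSR -d16(a6) or JSR d16(pc) by a word-wise scan (assumption)."""
    for off in range(0, len(code) - 2, 2):
        w = struct.unpack(">H", code[off:off + 2])[0]
        d = struct.unpack(">h", code[off + 2:off + 4])[0]
        if (w & 0xF0FF) == 0x6000 or (w == 0x4EAE and d < 0) or w == 0x4EBA:
            return off
    return None


def date_marker_present(file_year, scan_year):
    """On-disk self-identification: the virus adds 100 years to the filedate,
    so a date that far in the future (50+ years here) is treated as the mark."""
    return file_year - scan_year >= 50


def loadseg_hijacked(vector_bytes):
    """In-memory self-identification: first word at LoadSeg is $2F01."""
    return struct.unpack(">H", vector_bytes[:2])[0] == LOADSEG_MARKER


def build_sample(code):
    """Constructed one-hunk executable: HUNK_HEADER, one HUNK_CODE, HUNK_END."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END))


def sample_file():
    """Constructed sample: four NOPs, then 498 copies of 'jsr -144(a6)'."""
    return build_sample(b"\x4e\x71" * 4 + b"\x4e\xae\xff\x70" * 498)


if __name__ == "__main__":
    data = sample_file()
    off, ln = first_code_hunk(data)
    print("preconditions met:", meets_preconditions("CLI_tool", data))
    print("first patch site in code hunk:", find_patch_site(data[off:off + ln]))
    print("date mark (file 2096, scan 2001):", date_marker_present(2096, 2001))
    print("LoadSeg hijacked:", loadseg_hijacked(b"\x2f\x01\x2c\x78"))
```

                      Only a file that passes meets_preconditions() and
                      has no patch site would be left alone by the
                      virus; the two marker checks are the cheap tests a
                      scanner can run on disk and in memory.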

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - an alert is shown and the machine is then
                        rebooted
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - after 20:00 and dt_DaysAfter is '0'
                      Transient damage:
                      - none

Particularities.....: Retrieving the original ROM address of
                      LoadSeg is buggy and fails on OS3.1.

                      The (undocumented) lookup code is:

                      move.l  4.w,a6         ;ExecBase (absolute address 4)
                      lea     dosname(pc),a1 ;"dos.library"
                      jsr     -96(a6)        ;FindResident(), exec
                      move.l  d0,a0          ;struct Resident of dos.library
                      move.l  60(a0),a0      ;dos vectors in ROM; offset 60 lies
                                             ; past the documented Resident
                                             ; structure, so this depends on
                                             ; the ROM layout behind it
                      move.w  50(a0),d0      ;LoadSeg offset: LVO -150 is vector
                                             ; index 25, word entry 25*2 = 50
                      ext.l   d0
                      add.l   d0,a0
                      ;a0 - address of LoadSeg() in ROM
                      ;     or garbage (OS3.1)

                      This is also the reason the other Elbereth
                      and NeuroticDeath viruses can't be removed
                      from memory on OS3.1: the "original" address
                      they would restore into the LoadSeg vector is
                      effectively a random number.

Similarities........: Link method: the first code hunk is enlarged.

Stealth.............: None.

Armouring...........: The virus body is encrypted only with a
                      simple EOR (XOR) loop.

Comments............: The virus contains the string:
                      '== Elbereth 3 ==     1996 Poland'
                      This is also the alert text.

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  28.2.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 28.2.2001
Information Source..: virus
Copyright...........: This documentation is public domain

===================== End of Elbereth3 =================================
