------------------------
Amiga Virus Encyclopedia
Elbereth 4 Virus
------------------------
------------------------------------------------------------------------
Entry...............: Elbereth 4
Alias(es)...........: -
Virus Strain........: Elbereth
Virus detected when.: 1996
              where.: Poland
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1000 Bytes
                         (uses polymorphic engine)
                      2. Length in RAM: 2048 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 37+, except OS3.1
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: adds 100 years to filedates
Type of infection...: Self-identification method in files:
- via filedate
Self-identification method in memory:
- checks for $2f01 of first word of LoadSeg
System infection:
- patches LoadSeg
File infection:
- Length of the first code hunk will be increased.
- The first 'Bcc.w', 'JSR -xy(a6)' or 'JSR xxyy(pc)' instruction found
  will be replaced.
Infection preconditions:
- File is between 4000 and 265326 bytes
- Hunk Code is found
(also behind Hunk Debug)
- File is not infected already
- device is validated
- device contains free blocks
Infection Trigger...: Starting programs.
                      Files containing "V" or "v" will not be infected.
Storage media affected:
all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
- reboot will be performed
Transient damage:
- none
Damage Trigger......: Permanent damage:
- after 20:00 and dt_DaysAfter is '0'
Transient damage:
- none
Particularities.....: Retrieval of the original ROM address of LoadSeg
                      is buggy and fails on OS3.1.
                      The undocumented code is:

                        move.l  4.w,a6
                        lea     dosname(pc),a1
                        jsr     -96(a6)       ;FindResident(), exec
                        move.l  d0,a0
                        move.l  60(a0),a0     ;dos vectors in ROM
                        move.w  50(a0),d0     ;LoadSeg offset
                        ext.l   d0
                        add.l   d0,a0
                        ;a0 - address of LoadSeg() in ROM
                        ;     or pure crap

                      This is also the reason the other Elbereth and
                      NeuroticDeath viruses can't be removed from memory
                      on OS3.1: the "original" address is a random number.
Similarities........: Link method: the first hunk is increased.
Stealth.............: Checks for VW, VC and VZ_II in memory.
Armouring...........: The virus is encrypted only with EOR.
Comments............: The virus contains the string:
'== Elbereth 4 == © 1996 Poland'
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 28.2.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 28.2.2001
Information Source..: virus
Copyright...........: This documentation is public domain
===================== End of Elbereth 4 =================================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III, and also Xvs.library must be installed
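As an added illustration of the "Easy Identification" and infection-precondition entries above (not part of the original encyclopedia text or of any of the named antivirus tools), the following Python snippet turns them into a directory-listing heuristic: convert AmigaDOS DateStamps, then flag files that sit in the 4000..265326 byte window and carry a date roughly 100 years in the future. It assumes the "V"/"v" rule refers to the file name, and the 50-year threshold and sample listing are constructed for the example.

```python
from datetime import datetime, timedelta

# AmigaDOS DateStamp: days since 1978-01-01, minutes since midnight, 1/50 s ticks.
AMIGA_EPOCH = datetime(1978, 1, 1)
TICKS_PER_SECOND = 50

# Infection window stated in the entry (bytes).
MIN_SIZE, MAX_SIZE = 4000, 265326
# Assumed threshold: a stamp this far beyond the scan date is treated as "+100 years".
YEARS_AHEAD = 50

def datestamp_to_datetime(ds_days, ds_minute, ds_tick):
    """Convert a (ds_Days, ds_Minute, ds_Tick) DateStamp to a datetime."""
    return AMIGA_EPOCH + timedelta(days=ds_days, minutes=ds_minute,
                                   seconds=ds_tick / TICKS_PER_SECOND)

def datestamp_to_iso(ds_days, ds_minute, ds_tick):
    return datestamp_to_datetime(ds_days, ds_minute, ds_tick).isoformat()

def is_candidate(name, size):
    """Could Elbereth 4 infect this file at all? (size window, no V/v in the name)"""
    return MIN_SIZE <= size <= MAX_SIZE and "v" not in name.lower()

def is_suspect(name, size, ds_days, ds_minute, ds_tick, scan_date):
    """True when the file matches the infection profile and its date is far future."""
    if not is_candidate(name, size):
        return False
    stamp = datestamp_to_datetime(ds_days, ds_minute, ds_tick)
    limit = datetime.fromisoformat(scan_date) + timedelta(days=365 * YEARS_AHEAD)
    return stamp >= limit

# Constructed sample listing: (name, size, ds_Days, ds_Minute, ds_Tick).
SAMPLE_FILES = [
    ("c/Dir", 12000, 6634, 600, 0),       # 1996-03-01 10:00, untouched
    ("c/List", 13000, 43159, 600, 0),     # 2096-03-01 10:00, stamped +100 years
    ("c/Version", 13000, 43159, 600, 0),  # name contains 'V': outside the virus's profile
    ("s/tiny", 2000, 43159, 0, 0),        # below 4000 bytes: cannot be infected
]

def scan(files, scan_date="2001-02-28"):
    """Return the names of files that match the Elbereth 4 infection profile."""
    return [f[0] for f in files if is_suspect(*f, scan_date)]

if __name__ == "__main__":
    for name in scan(SAMPLE_FILES):
        print("suspect:", name)
```

The date check is a heuristic only: it confirms nothing about the hunk contents, and a file whose date was legitimately set far ahead will also be reported.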