Entry...............: Illegal Access
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 7/1995
              where.: USA
Classification......: Link virus, memory-resident, reset-resident
Length of Virus.....: 1. Length on storage medium:  ca. 4000 Bytes
                      2. Length in RAM:                 4514 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
                      (for infection: V39+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Self-identification method in files:
                      -  Searches for $2c780004 at the first position of
                         the first hunk (normal file infection)

                      Self-identification method in memory:
                      -  Checks exception vector 3 (Illegal Opcode)
                         and looks for $4afc in the OpenLibrary() function

                      System infection:
                      -  RAM resident, infects the processor exception
                         vector, modifies 19 different functions,
                         CoolCapture, ColdCapture and post mortem resident

                      Infection preconditions:
                       - File to be infected is bigger than $1800 bytes
                       - First hunk is not about 4000 bytes long and does
                         not contain $2c780004 as its first longword
                         (for normal file infections)
                       - The file is not already infected
                       - HUNK_HEADER and HUNK_CODE are found
                       - HUNK_HEADER structure is valid
                       - Longwords 2-4 of the filename in the info
                         structure, multiplied in this way:
                         m3*m2, m1*m3 (longword oriented, 68020+ instruction),
                         must be less than $320000. Otherwise it is checked
                         whether the file length is smaller than $32000 (=200kb)
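The file-level self-identification method and the structural preconditions listed above can be turned into a static triage check for an AmigaDOS hunk executable. The following Python is an added example written for this entry, not VTC code and not code taken from the virus: it parses HUNK_HEADER and the first HUNK_CODE block and reports whether the first longword of the first hunk is $2c780004 and whether that hunk is about 4000 bytes long. The 3500-4500 byte tolerance for "about 4000 bytes", the helper names and the two constructed sample files are assumptions; the filename product test from the preconditions is not implemented. Because $2c780004 is the ordinary instruction movea.l $4.w,a6 (load ExecBase), the marker alone is a weak indicator and only the combination with the hunk length mirrors what the virus itself treats as an existing infection.

```python
import struct

# Amiga hunk block identifiers (AmigaDOS executable format)
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_DATA = 0x3EA
HUNK_BSS = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END = 0x3F2

MARKER = 0x2C780004            # movea.l $4.w,a6: the longword the virus looks for
MIN_FILE_SIZE = 0x1800         # files at or below this size are never infected
HUNK_LEN_RANGE = (3500, 4500)  # assumed tolerance for "about 4000 bytes"


def parse_hunk_header(data):
    """Parse HUNK_HEADER; return (first, last, sizes_in_bytes, offset_after_header).
    Raises ValueError for a header the virus would also treat as invalid."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER")
    pos = 4
    while True:  # resident library names: (longword count, name) pairs ended by 0
        n = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
        if n == 0:
            break
        pos += n * 4
    table_size, first, last = struct.unpack(">III", data[pos:pos + 12])
    pos += 12
    if last < first or table_size != last - first + 1:
        raise ValueError("inconsistent hunk table")
    sizes = []
    for _ in range(table_size):
        raw = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
        if raw >> 30 == 3:  # both memory-flag bits set: an attribute longword follows
            pos += 4
        sizes.append((raw & 0x3FFFFFFF) * 4)
    return first, last, sizes, pos


def first_code_hunk(data, pos):
    """Walk the blocks after the header; return the payload of the first HUNK_CODE
    block, or None if none is found before an unsupported block or end of data."""
    def u32():
        nonlocal pos
        v = struct.unpack(">I", data[pos:pos + 4])[0]
        pos += 4
        return v
    while pos + 4 <= len(data):
        htype = u32() & 0x3FFFFFFF          # mask memory-type flag bits
        if htype == HUNK_CODE:
            n = u32()
            return data[pos:pos + n * 4]
        elif htype == HUNK_DATA:
            pos += u32() * 4
        elif htype == HUNK_BSS:
            u32()                           # size only, no payload
        elif htype == HUNK_RELOC32:
            while True:                     # (count, target hunk, offsets...) until count 0
                count = u32()
                if count == 0:
                    break
                u32()
                pos += count * 4
        elif htype != HUNK_END:
            return None                     # symbol/debug/overlay blocks: out of scope here
    return None


def triage(data):
    """Apply the catalogue's file-level checks; 'suspect' is set only when the first
    code hunk starts with the marker AND is roughly 4000 bytes long."""
    report = {"size_ok": len(data) > MIN_FILE_SIZE, "header_valid": False,
              "code_found": False, "first_hunk_len": None,
              "marker_at_start": False, "suspect": False}
    try:
        _first, _last, _sizes, pos = parse_hunk_header(data)
        report["header_valid"] = True
        code = first_code_hunk(data, pos)
    except (ValueError, struct.error):
        return report
    if code is None or len(code) < 4:
        return report
    report["code_found"] = True
    report["first_hunk_len"] = len(code)
    report["marker_at_start"] = struct.unpack(">I", code[:4])[0] == MARKER
    lo, hi = HUNK_LEN_RANGE
    report["suspect"] = report["marker_at_start"] and lo <= len(code) <= hi
    return report


def build_hunk_file(hunks):
    """Constructed test input: a hunk executable made of the given code hunks
    (harmless filler, not real malware)."""
    padded = [h.ljust(((len(h) + 3) // 4) * 4, b"\0") for h in hunks]
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(padded), 0, len(padded) - 1)
    out += b"".join(struct.pack(">I", len(h) // 4) for h in padded)
    for h in padded:
        out += struct.pack(">II", HUNK_CODE, len(h) // 4) + h + struct.pack(">I", HUNK_END)
    return out


# Constructed samples: one plain file, one whose first hunk looks "already infected"
SAMPLE_BENIGN = build_hunk_file([b"\x4e\x75" + bytes(0x1FFE)])                  # rts + filler
SAMPLE_SUSPECT = build_hunk_file([struct.pack(">I", MARKER) + b"\x4e\x71" * 1998,  # marker + nops
                                  b"\x4e\x75" + bytes(0x1FFE)])

if __name__ == "__main__":
    for name, blob in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(name, triage(blob))
```

The report keeps every check separate so a scanner can decide how much weight to give each one; a file that fails header validity or has no HUNK_CODE cannot be infected by the normal link method at all and needs no further attention from this check.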

Infection Trigger...: Accessing the volume
Storage media affected: all DOS devices

Interrupts hooked...: The virus infects the processor exception 3 vector
                      (Illegal Opcode)

Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - None
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are aware of processor
                      caches and clear them if necessary. These routines
                      are polymorphic and use several tricks, such as
                      symmetric decoding with memory usage, to make analysis
                      a little more difficult. Some of the routines are
                      identical to routines in the B.E.O.L. virus. The way a
                      new process ("keyboard.device") is created using the
                      stack is in my eyes comparable. The linking method
                      searches for special file types (e.g. libraries and
                      devices) and infects them in a different way. These
                      files get an additional entry in their HUNK_RELOC32
                      table containing the original pointer to the library
                      Init(). This library structure makes it impossible to
                      use a kind of intelligent search code for the virus;
                      "brute force" code is needed to search for the resident

Similarities........: Link method in library-structured files is like the
                      one of the Infiltrator virus (but optimized).
                      Link method in normal executable files is the IRQ
                      type (just another hunk)

Stealth.............: The virus uses normal DOS commands (no tunneling
                      via packets), and normal DOS call watchers like SnoopDos
                      can show the infection behaviour. The virus restores
                      both the file protection flags (including the user id!)
                      and the file date, so that apart from the file length
                      no difference can be seen. The exception handler uses a
                      special stealth technique to distinguish between a
                      normal exception and a self-invoked one: it checks for
                      "4AFC" and, if found, changes it to "4EF9", so nobody
                      will be able to find the real problem behind it.

                      During daily work, the virus does not change the Exec
                      reset vectors in any way. If a reset is performed, it
                      briefly initialises CoolCapture and ColdCapture to
                      stay resident. At the start of the new system (test for
                      "dos.library") all newly initialised CoolCapture and
                      ColdCapture vectors are removed again (-> post mortem

Armouring...........: The virus uses several armouring techniques to
                      confuse people while debugging it:
                      1. The virus uses double encryption with a
                         polymorphic engine
                      2. The virus is self-modifying in several bytes
                         (e.g. $4e71->$4e75)
                      3. The virus excessively uses the stack for
                         unusual operations like:
                         - creating processes
                         - decrypting
                         - jumps
                         - pointer replacement
                         - saving structures
                      4. The virus refuses to run in test suites and
                         checks that it is running under normal
                         conditions (system files present)
                      5. Data reuse: the virus uses several bytes
                         from within code with a completely different
                         meaning, which makes labeling impossible
                         (using data from a code area)
                      6. Access to non-equal code blocks as base offset
                         for further work

--------------------- Agents -------------------------------------------

Countermeasures.....: VW 5.7, VZII 1.24
                      VT 2.77 and VC 7.18 (not libraries)
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany, 30.8.1995
Classification by...: Markus Schmall, Georg Hoermann, Heiner Schneegold
                      and Soenke Freitag (VTC)
Documentation by....: Markus Schmall
Date................: August 30, 1995
Information Source..: Reverse engineering of original virus

============ End of Illegal Access Virus ========================