------------------------
Amiga Virus Encyclopedia
Illegal Access Virus
------------------------
---------------------------------------------------------------------------
Entry...............: Illegal Access
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 7/1995
              where.: USA
Classification......: Link virus, memory-resident, reset-resident
Length of Virus.....:
1. Length on storage medium: ca. 4000 Bytes
2. Length in RAM: 4514 Bytes
--------------------- Preconditions ---------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
(for infection: V39+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ------------------------------------------
Easy Identification.: None
Type of infection...: Self-identification method in files:
- Searches for $2c780004 at the first position of the
first hunk (normal file infection)
Self-identification method in memory:
- Checks for exception vector 3 (Illegal Opcode)
and for $4afc in the OpenLibrary() function
System infection:
- RAM resident, infects the processor exception
vector, modifies 19 different functions,
CoolCapture, ColdCapture and post mortem resident
handler
Infection preconditions:
- File to be infected is larger than $1800 bytes
- First hunk is not about 4000 bytes long and does
not contain $2c780004 as its first longword
(for normal file infections)
- The file is not already infected
- HUNK_HEADER and HUNK_CODE are found
- HUNK_HEADER structure is valid
- Longwords 2 to 4 of the filename in the info
structure, multiplied as m3*m2, m1*m3
(longword-oriented 68020+ instructions), must be
less than $320000. Otherwise the virus checks
whether the file length is smaller than $32000
(= 200 KB)
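The file-level self-identification and the infection preconditions above describe what an infected executable looks like on disk: the first hunk is a HUNK_CODE block of about 4000 bytes whose first longword is $2c780004 (move.l $4.w,a6), sitting in front of the original program's hunks. The following Python script is an added example written for this entry, not VTC code and not derived from the virus: it parses the AmigaDOS hunk header, inspects the first hunk and reports that indicator. The 512-byte tolerance around "ca. 4000" and the build_hunk_file() helper (used only to construct test input) are assumptions. Many clean programs also begin with move.l $4.w,a6, so the length test is what keeps false positives down; VT, VZ and VW remain the authoritative detectors.

```python
"""Heuristic scanner for the on-disk Illegal Access indicator (added example, not VTC code).
Assumes the standard AmigaDOS hunk layout: HUNK_HEADER, then loadable hunks, each
followed by HUNK_END, with sizes given in longwords."""
import struct

# Standard hunk block identifiers
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EB, 0x3F2

MARKER = 0x2C780004   # move.l $4.w,a6: first longword of the virus hunk (from the entry)
MIN_VICTIM = 0x1800   # the virus only infects files larger than this (from the entry)
VIRUS_HUNK = 4000     # "ca. 4000 bytes" on the storage medium (from the entry)
TOLERANCE = 512       # assumption: slack accepted around "ca. 4000"


def _u32(data, off):
    """Big-endian longword at offset off; raise on truncation."""
    if off + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack(">I", data[off:off + 4])[0]


def parse_header(data):
    """Parse HUNK_HEADER; return (hunk sizes in bytes, offset of the first hunk block)."""
    if _u32(data, 0) != HUNK_HEADER:
        raise ValueError("not a hunk file")
    off = 4
    while True:  # resident library names: (longword count, name) pairs, 0 terminates
        n = _u32(data, off)
        off += 4
        if n == 0:
            break
        off += 4 * n
    table_size, first, last = _u32(data, off), _u32(data, off + 4), _u32(data, off + 8)
    off += 12
    if last < first or last - first + 1 != table_size:
        raise ValueError("inconsistent hunk table")
    sizes = []
    for _ in range(table_size):
        sizes.append((_u32(data, off) & 0x3FFFFFFF) * 4)  # top two bits are memory flags
        off += 4
    return sizes, off


def first_hunk(data, off):
    """Return (block id, payload bytes) of the first loadable hunk after the header."""
    hid = _u32(data, off) & 0x3FFFFFFF
    if hid not in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
        raise ValueError("first block is not a loadable hunk: %#x" % hid)
    n = _u32(data, off + 4)
    payload = b"" if hid == HUNK_BSS else data[off + 8:off + 8 + 4 * n]
    if hid != HUNK_BSS and len(payload) != 4 * n:
        raise ValueError("truncated hunk payload")
    return hid, payload


def scan(data):
    """Apply the entry's file indicator: first hunk is HUNK_CODE, about 4000 bytes long
    and begins with $2c780004. Returns a dict with the verdict and the evidence."""
    result = {"hunk_file": False, "suspicious": False, "reason": ""}
    try:
        _sizes, off = parse_header(data)
        hid, payload = first_hunk(data, off)
    except ValueError as e:
        result["reason"] = str(e)
        return result
    result["hunk_file"] = True
    result["first_hunk_len"] = len(payload)
    if hid != HUNK_CODE:
        result["reason"] = "first hunk is not HUNK_CODE"
        return result
    has_marker = len(payload) >= 4 and _u32(payload, 0) == MARKER
    virus_sized = abs(len(payload) - VIRUS_HUNK) <= TOLERANCE
    if len(data) <= MIN_VICTIM:
        result["reason"] = "file too small to have been a victim"
    elif has_marker and virus_sized:
        result["suspicious"] = True
        result["reason"] = "first hunk starts with $2c780004 and is ca. 4000 bytes long"
    elif has_marker:
        result["reason"] = "marker present but hunk size does not match; likely a normal program"
    else:
        result["reason"] = "no indicator"
    return result


def build_hunk_file(hunks):
    """Constructed test input (assumption, not virus code): HUNK_HEADER followed by one
    HUNK_CODE/HUNK_END pair per payload. Each payload must be a multiple of 4 bytes."""
    out = struct.pack(">III", HUNK_HEADER, 0, len(hunks))   # magic, empty name list, table size
    out += struct.pack(">II", 0, len(hunks) - 1)             # first and last hunk numbers
    out += b"".join(struct.pack(">I", len(p) // 4) for p in hunks)
    for p in hunks:
        out += struct.pack(">II", HUNK_CODE, len(p) // 4) + p + struct.pack(">I", HUNK_END)
    return out
```

Running scan() over a directory of executables gives a quick triage list; a hit only means "looks like the linked layout this entry describes", and the file should then be checked with one of the countermeasure tools listed below.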
Infection Trigger...: Accessing the volume
Storage media affected: all DOS-devices
Interrupts hooked...: The virus infects the processor exception 3 vector
(Illegal Opcode)
Damage..............: Permanent damage:
- None
Transient damage:
- None
Damage Trigger......: Permanent damage:
- None
Transient damage:
- None
Particularities.....: The crypt/decrypt routines are aware of processor
caches and clear them if necessary. These routines
are polymorphic and use several tricks, such as
symmetric decoding with memory usage, to make
analysis a little more difficult. Some of the routines
are identical to routines in the B.E.O.L. virus. The
way a new process ("keyboard.device") is created
using the stack is in my eyes comparable. The linking
method searches for special file types (e.g. libraries
and devices) and infects them in a different way. These
files get an additional entry in their HUNK_RELOC32
table containing the original pointer to Library Init().
This library structure makes it impossible to use
any kind of intelligent search code for the virus;
"brute force" code is needed to search for the
resident structure.
Similarities........: Link method in library-structured files is like the one
of the Infiltrator virus (but optimized).
Link method in normal executable files is the IRQ
type (just another hunk)
Stealth.............: The virus uses normal DOS commands (no tunneling
via packets), so normal DOS call watchers like SnoopDos
can show the infection behaviour. The virus restores
both the file protection flags (including the user ID!)
and the file date, so that apart from the file length
no difference can be seen. The exception handler uses a
special stealth technique to distinguish a normal
exception from one the virus raised itself: it checks
for $4afc and, if found, changes it to $4ef9, so nobody
will be able to find the real problem behind it.
During daily work the virus does not change the Exec
reset vectors in any way. If a reset is performed, it
briefly initialises CoolCapture and ColdCapture to
stay resident. At the start of the new system (test for
"dos.library") all newly initialised CoolCapture and
ColdCapture vectors are removed again (-> post mortem
handling)
Armouring...........: The virus uses several armouring techniques to
confuse people while debugging it:
1. The virus uses double encryption with a
polymorphic engine
2. The virus is self-modifying in several bytes
(e.g. $4e71->$4e75)
3. The virus excessively uses the stack for
unusual operations like:
- creating processes
- decrypting
- jumps
- pointer replacement
- saving structures
4. The virus refuses to run in test suites and
checks if it is running under normal
conditions (system files present)
5. Data reuse - the virus uses several bytes
from within its code with a completely different
meaning, which makes labeling impossible
(using data from a code area)
6. Access to unrelated code blocks as base offset
for further work
--------------------- Agents -------------------------------------------
Countermeasures.....: VW 5.7, VZII 1.24,
VT 2.77 and VC 7.18 (not libraries)
Countermeasures successful: All of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 30.8.1995.
Classification by...: Markus Schmall, Georg Hoermann, Heiner Schneegold
and Soenke Freitag (VTC)
Documentation by....: Markus Schmall
Date................: August 30, 1995
Information Source..: Reverse engineering of original virus
============ End of Illegal Access Virus ========================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher