------------------------
Amiga Virus Encyclopedia
Infiltrator Virus
------------------------
========= Computer Virus Catalog 2.0: Infiltrator (14.12.1993) =========
Entry...............: Infiltrator
Alias(es)...........: Klein Virus
Virus Strain........:
detected when.:
where.:
Classification......: Linkvirus, Extending, not reset-resident
Length of Virus.....: 1.Length (1052) on storage medium
                      2.Length (1752) in RAM
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS > 1.3
Computer model(s)...: All Amigas without CPU-Cache
--------------------- Attributes ----------------------------------------
Easy identification.: -
Type of Infection...: Self-Identification method on disk:
                      Checking branch command at first codehunk of
                      infected File
                      Self-Identification method in memory:
                      Checking for a matchword ('1992') at
                      hooked-vector location -10
                      Executable File infection:
                      Extending first codehunk by 1052 bytes
                      Memory-resident, hooking DOS-LOADSEG-Vector
                      Not reset-resident
                      Infection preconditions:
                      Disk valid
                      8 spare blocks free
                      Codehunk - Size <= 32752
                      Memory for infection available
                      HUNK_HEADER found
                      HUNK_CODE found
                      HUNK_RELOC32 found
                      JMP or JSR is not the first command
                      in the Codehunk
                      Original-Code is overwritten - but will be
                      restored and executed (virus restores the
                      original file, so that integrity-checks of the
                      executable itself probably will fail)
Infection Trigger...: Executing file
Storage Media affec.: All media
Systemcalls hooked..: DOS-VEC LOADSEG
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Transient Damage:
                      None
                      Permanent Damage:
                      Virus sets sysop-state for a user in the
                      USER.DATA file (containing the Userlist of
                      a BBS system) after a special CRC check on the
                      user name. (Maybe it is possible to find the
                      virus author with this information.)
                      Transient/Permanent damage:
                      Multiple Infections possible.
                      Some files won't run after infection.
Damage Trigger......: Executing (infected) file, using LOADSEG
                      (not NEWLOADSEG !)
Particularities.....: Virus is encrypted with a random value from
                      the raster beam.
                      Virus contains an encrypted string:
                      'Howdy hacker! This is The Infiltrator! Smart'
                      ' people with knowledge about this code can d'
                      'o ALOT of damage, belive me! ',0,0
                      (not displayed)
                      Virus performs a zeropage-check which will cause
                      an Enforcer hit (if you run Enforcer).
                      Virus is able to reset the protection-flags of
                      executables to writeable.
Similarities........: -
--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag, Karim Senoucci
Date................: 14.12.1993
Information Source..: Reverse-analysis of Virus-Code, Heiner-Schneegold
========================== End of Infiltrator ===========================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher