========= Computer Virus Catalog 2.0: Infiltrator  (14.12.1993) =========
Entry...............: Infiltrator
Alias(es)...........: Klein Virus
Virus Strain........:
      detected when.:
              where.:
Classification......: Linkvirus, Extending, not reset-resident
Length of Virus.....: 1.Length (1052) on storage medium
                      2.Length (1752) in RAM

--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS > 1.3
Computer model(s)...: All Amigas without CPU-Cache
--------------------- Attributes ----------------------------------------
Easy identification.: -
Type of Infection...: Self-Identification method on disk:
                      Checking branch command at first codehunk of
                      infected File
                      Self-Identification method in memory:
                      Checking for a matchword ('1992') at hooked-
                      vector location -10
                      Executable File infection:
                      Extending first codehunk  by 1052 bytes
                      Memory-resident, hooking DOS-LOADSEG-Vector
                      Not reset-resident
                      Infection preconditions:
                      Disk valid
                      8 spare blocks free
                      Codehunk - Size <= 32752
                      Memory for infection available
                      HUNK_HEADER found
                      HUNK_CODE found
                      HUNK_RELOC32 found
                      JMP or JSR is not the first command
                      in the Codehunk
                      Original-Code is overwritten - but will be
                      restored and executed (virus restores the
                      original file, so that integrity-checks of the
                      executable itself probably will fail)

Infection Trigger...: Executing file

Storage Media affec.: All media

Systemcalls hooked..: DOS-VEC LOADSEG

Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Transient Damage:
                      None
                      Permanent Damage:
                      Virus sets sysop-state for a user in the
                      USER.DATA file (containing the user list of
                      a BBS system) after a special CRC check on the
                      user name. (It may be possible to find the
                      virus author with this information.)
                      Transient/Permanent damage:
                      Multiple Infections possible.
                      Some files won't run after infection.

Damage Trigger......: Executing (infected) file, using LOADSEG
                      (not NEWLOADSEG !)

Particularities.....: Virus is encrypted with a random value from
                      the raster beam.
                      Virus contains an encrypted string:
                      'Howdy hacker! This is The Infiltrator! Smart'
                      ' people with knowledge about this code can d'
                      'o ALOT of damage, belive me! ',0,0
                      (not displayed)
                      Virus performs a zeropage-check which will cause
                      an Enforcer hit (if you run Enforcer).
                      Virus is able to reset the protection-flags of
                      executables to writeable.

Similarities........: -

--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58

--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag, Karim Senoucci
Date................: 14.12.1993
Information Source..: Reverse-analysis of Virus-Code, Heiner-Schneegold
========================== End of Infiltrator ===========================
