------------------------
Amiga Virus Encyclopedia
Invader Virus
------------------------
-------------------------------------------------------------------------
Entry...............: Invader
Alias(es)...........: Silesian Virus
Virus Strain........: -
Virus detected when.: 1/1996
where.: Poland
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1200+(0..72) Bytes
2. Length in RAM: $19000 or $d6b0 Bytes
(depends on the returncode of availmem() )
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
The virus has problems with caches of all kinds.
--------------------- Attributes ----------------------------------------
Easy Identification.: None
Type of infection...: Self-identification method in files:
- None
Self-identification method in memory:
- Checks for a word in the Dos Open() function
System infection:
- RAM resident, infects the following DOS
functions
- Open()
- Rename()
- Lock()
- LoadSeg()
- NewLoadSeg()
- SetComment()
- SetProtection()
Infection preconditions:
- File is executable
Please note that there is no check for a CODE
hunk or anything similar. The virus loads the
file to be infected, but does not perform a real
length check. It seems the virus simply cuts the
file wherever it wants to.
Example:
(Memory allocation is $19000)
Infection attempt on xyz (=$2a000 bytes)
The infected file will be $19000+$4b0+0..72
bytes long and is not repairable anymore.
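The missing length check described above means a victim larger than the virus's buffer is written back cut short, and the hunk structure no longer matches what the file's own header declares. As an added example (not part of the original entry and not the virus's code), the Python below walks the standard AmigaDOS hunk layout of an executable and reports whether the file ends before a block's declared size, whether the first hunk is a CODE hunk, and whether bytes follow the last HUNK_END. The block identifiers are the documented hunk-format constants; build_hunk_file and the NOP/RTS sample words are constructed here for the demonstration.

```python
import struct

# AmigaDOS hunk-file block identifiers (documented format constants).
HUNK_HEADER  = 0x3F3
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2


class _Reader:
    """Big-endian longword reader that raises EOFError on any short read."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def word(self):
        if self.pos + 4 > len(self.data):
            raise EOFError("longword expected at offset %d, file ends at %d"
                           % (self.pos, len(self.data)))
        (w,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return w

    def skip(self, nbytes):
        if self.pos + nbytes > len(self.data):
            raise EOFError("block at offset %d claims %d bytes, only %d left"
                           % (self.pos, nbytes, len(self.data) - self.pos))
        self.pos += nbytes


def check_hunk_file(data):
    """Walk the hunk structure and report whether it is complete and consistent."""
    r = _Reader(data)
    result = {"ok": False, "reason": "", "declared_hunks": 0,
              "complete_hunks": 0, "first_hunk_is_code": False, "trailing_bytes": 0}
    try:
        if r.word() != HUNK_HEADER:
            result["reason"] = "no HUNK_HEADER: not an AmigaDOS executable"
            return result
        # Resident library names: (longword count, name) pairs, a 0 count terminates.
        while True:
            n = r.word()
            if n == 0:
                break
            r.skip(n * 4)
        table_size, first, last = r.word(), r.word(), r.word()
        result["declared_hunks"] = table_size
        for _ in range(first, last + 1):
            size = r.word()                       # hunk size in longwords plus memory flags
            if size & 0xC0000000 == 0xC0000000:   # extended memory attribute longword follows
                r.word()
        for idx in range(last - first + 1):
            block = r.word() & 0x3FFFFFFF         # mask memory-type flag bits
            if block not in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
                result["reason"] = "hunk %d starts with block type $%x" % (idx, block)
                return result
            if idx == 0:
                result["first_hunk_is_code"] = (block == HUNK_CODE)
            length = r.word()                     # payload length in longwords
            if block != HUNK_BSS:
                r.skip(length * 4)                # BSS carries no bytes in the file
            while True:                           # optional blocks up to HUNK_END
                b = r.word() & 0x3FFFFFFF
                if b == HUNK_END:
                    break
                if b == HUNK_RELOC32:
                    while True:                   # (count, hunk number, offsets...) lists, 0 ends
                        count = r.word()
                        if count == 0:
                            break
                        r.word()                  # referenced hunk number
                        r.skip(count * 4)         # relocation offsets
                else:
                    result["reason"] = "unsupported block type $%x in hunk %d" % (b, idx)
                    return result
            result["complete_hunks"] += 1
    except EOFError as e:
        result["reason"] = "truncated: %s" % e
        return result
    result["trailing_bytes"] = len(data) - r.pos
    if result["trailing_bytes"]:
        result["reason"] = "%d bytes after the last HUNK_END" % result["trailing_bytes"]
        return result
    result["ok"] = True
    result["reason"] = "structure complete"
    return result


def build_hunk_file(code_words):
    """Constructed sample executable: one CODE hunk holding the given longwords."""
    n = len(code_words)
    words = [HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n] + list(code_words) + [HUNK_END]
    return b"".join(struct.pack(">I", w & 0xFFFFFFFF) for w in words)


if __name__ == "__main__":
    good = build_hunk_file([0x4E714E75, 0x00000000])   # NOP; RTS; padding (constructed)
    print(check_hunk_file(good))
    print(check_hunk_file(good[:-8]))                  # cut short, as the entry describes
```

Run against a directory of executables, any file reporting "truncated" or trailing bytes deserves a closer look; a genuine linker output always ends exactly at its last HUNK_END.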
Infection Trigger...: Accessing the volume
Storage media affected: all DOS-devices
Interrupts hooked...: No interrupts used
Damage..............: Permanent damage:
- Damages files, adds bytes, copies blocks.
Transient damage:
- The Virus writes a file with the name
"===README===" on the ramdisk. It contains
some text like "Get me you lamer..." etc.
Damage Trigger......: Permanent damage:
- Overwriting file contents in several places,
especially, when the files have more hunks.
Transient damage:
- Infection-Counter
Particularities.....: The memory allocation operations are not cache-
proof and should cause a lot of problems. The code
isn't that professionally written; the patch
routines are very simply made. One important
counter is placed behind the first hunk, which isn't
that clever. The data behind the first hunk can
be damaged in a serious way.
Similarities........: Link method is like the one of the Infiltrator virus.
Some ideas behind it (search for DH0 and then try to
infect dh0:c/loadwb first) look like they were stolen
from the Commander link virus.
The change of the last command in the hunk to be
infected is a little bit buggy. Under some
circumstances the last word in the hunk will
be changed, even if it contains other important
information. The "RTS" locator doesn't
look only for the last "RTS"; it really looks for
all "RTS" in the STEP range.
Stealth.............: No stealth abilities at all. All can be seen on
the SnoopDos screen.
Armouring...........: No special armouring found in this virus. It just
uses some kind of encryption (depending on $dff006)
for its code, which is static.
--------------------- Agents -------------------------------------------
Countermeasures.....: VW 5.9, VT 2.80 (?)
Countermeasures successful: All of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: (C) Hannover, Germany
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: January, 16.01.1996.
Information Source..: Reverse engineering of original virus
Copyright...........: This document isn't allowed to be used in any
form without my permission. It's hereby allowed
for VTC Hamburg and Virus Help Team DK to use it.
===================== End of Invader Virus ============================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher