-------------------------
Amiga Virus Encyclopedia
Metamorphosis (IRQ Clone)
-------------------------
======== Computer Virus Catalog 2.0: Metamorphosis (14.12.1993) ========
Entry...............: Metamorphosis
Alias(es)...........: Next Generation from Lamer-Exterminator
Virus Strain........: IRQ, Lamer
detected when.:
where.:
Classification......: System Virus (BootBlock) and Linkvirus (Extending)
Length of Virus.....: 1.Length (1024(Boot),1060(Link)) on storage medium
2.Length (1060) in RAM
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS 1.2, 1.3, 2.04, 3.0
Computer model(s)...: All Amiga's
--------------------- Attributes ----------------------------------------
Easy identification.: Text in files (readable with HexDump-facilities):
'METAMORPHOSIS V1.0- the next Generation from'
' LAMER-EXTERMINATOR ! ',10
Type of Infection...: Self-Identification methods on Disk/Link:
Checks for the MET.. string in files
Self-Identification methods on Disk/Boot:
None (overwrites any bootblock)
Self-Identification methods in Memory:
Checks for hooked OldOpenLib to point at
$7xxxx (absolute memory)
Executable File infection:
Appending codehunk to executeables in c: dir
Overwriting Bootblock
Ram-Resident
Reset-Resident (COOLCAPTURE/COLDCAPTURE)
Infection-preconditions/Link:
OldOpenLibrary-call
More than 2 Files in C: Directory
File smaller than 40000 Bytes
Disk not write-protected
Infection-preconditions/Boot:
Read-access on block 0 (DoIo)
Disk not write-protected
Infection Trigger...: Link: Opening "dos.library"
Boot: Reading Bootblock
Storage Media affec.: All Media
Systemcalls hooked..: COLDCAP, COOLCAP, DOIO, OLDOPENLIB
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Permanent Damage:
Overwriting bootblock
Formatting floppys (headstep)
Transient Damage:
Flashing all disk lights after 13 infections
(some kind of warning for the author ???)
Transient/Permanent damage:
May overwrite block 0 (RDB) of the harddisk
due to no check for the device wich calles
the DoIo-function.
Due to not allocated memory areas the virus
may be overwritten by other programs or will
itself other programs, wich will probably
crash the System.
The virus will overwrite its own body
on link-infection if the File is larger
then 39840 and smaller then 40000 bytes due to
a calculation bug.
Damage Trigger......: counter, 13, 14 infections
Particularities.....: Virus copys itself to the absolute address of
$7fa80 link / $7fa72 boot
Infected files will be loaded at $75e40 absolute
Similarities........: Link-Infection-Routine is similar to the
IRQ-Virus, Damage similar to Lamer-Viruses
--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 14.12.1993
Information Source..: Reverse-analysis of virus-code, Heiner Schneegold
========================= End of Metamorphosis ==========================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher
Ascii of Metamorphosis virus