LZ Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
 



------------------------
Amiga Virus Encyclopedia
LZ Link Virus
------------------------

     
=========== Computer Virus Catalog 2.0: LZ_Link  (14.12.1993) ===========
Entry...............: LZ_Link
Alias(es)...........: -
Virus Strain........:
      detected when.:
              where.:
Classification......: Not reset-resident Link-Virus (ext. Hunk-length)
Length of Virus.....: 1.Length (400) on storage medium
                      2.Length (400) in RAM

--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: DOS-V33/34, KICK 1.2 / 1.3
Computer model(s)...: A500,A1000,A2000,A2500
--------------------- Attributes ----------------------------------------
Easy identification.: none-
Type of Infection...: Self-Identification methods on Disk:
                      None (multiple links possible)
                      Self-Identification methods in Memory:
                      Checks Globalvec Write for ROM-call
                      Executable File infection:
                      Extending Hunk-Length, only able to infect
                      files with two Hunks correctly.
                      Searches for RTS (Return from Sobroutine)
                      command and substitutes this with a branch
                      to the Virus-entry point. (hiding Virus-entry
                      point.)
                      not Reset-resident, RAM-Resident,
                      hooks Globalvec 06=Write of DOS-Base
                      Infects on File-Modification like copy
                      (slow-Infector)

                      Infection-Preconditions:
                      - No residents/overlays to load
                      - File executeable ($3e9 found)
                      - CODE-HUNK length > 1000 Bytes
                      - First Codehunk does not contain JMP-cmds
                      in the last 51 Words (beeing a Library for Ex.)

Infection Trigger...: - Writing Executeable file (Copy, Compile)

Storage Media affec.: All media

Systemcalls hooked..: DOS-GLOBALVEC 06 WRITE (Internal vec.)

Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Permanent Damage: none
                      Transient Damage: none
                      Transient/Permanent damage: Some infected files
                      will not run due to a bug in the infection routine.
                      Multiple-Links are possible

Damage Trigger......: -
Particularities.....: Very compact code including a complete Link-Virus
                      within only 400 Bytes.
                      Name of this virus is generated due to rumors
                      that it is dropped by a lz-archiver.
Similarities........: -
--------------------- Agents --------------------------------------------
Countermeasures.....: all of the above
Standard means......: VT2.58
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 14.12.1993
Infÿrýction Source..: Reverce
Analycic of Virus-Code, Heiner Schneegold
============================ End of LZ_Link =============================

Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher
Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk