------------------------
Amiga Virus Encyclopedia
Motaba-3 Link Virus
------------------------
------------------------------------------------------------------------
Entry...............: Motaba-3
Alias(es)...........: none
Virus Strain........: none
Virus detected when.: 6.2000
where.: Poland
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 880 Bytes
(uses a very primitive length polymorphism)
2. Length in RAM: 4096 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- none (double infections are impossible)
Self-identification method in memory:
- none (double patching is impossible)
System infection:
- infects the following function:
Dos LoadSeg()
Infection preconditions:
- File is between 2048 and 100*1024 bytes
- Hunk Code is found
- File is not infected already
- device is validated
- device contains free blocks
Infection Trigger...: Accessing files via LoadSeg()
Files containing a ".l" or a "-" or "V" or "v"
will not be infected.
Storage media affected:
all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- none
Particularities.....: [See Stealth]
Similarities........: The link method is first-hunk enlargement. The virus
replaces all jsr -552(a6) instructions and one
other jsr -xx(a6), which is hidden inside the virus.
Stealth.............: LoadSeg must be pointing to $fxxxxx or virus
will not patch it.
Open vector must be pointing to $fxxxxx to
perform infection.
The LoadSeg patch contains a special string to
make VirusZ believe that the patch belongs to crm.library.
This could mean that this virus is quite old...
Armouring...........: very simple EOR crypter; the length of the added
code changes within a small range, and the end of
the virus is more or less garbage.
Comments............: The virus contains the string:
'[Ask for more: motaba@xxxxxx.pl]'
This e-mail address is a fake/joke and belongs to
an innocent person, so I've put xxxxxxx.
--------------------- Agents -------------------------------------------
Countermeasures.....: -
above Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 22.6.2000
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 22.6.2000
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain
===================== End of Motaba3====================================
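
Added example (not part of the original entry): a triage filter that applies the offline-checkable infection preconditions listed above to decide which files from an exposed volume need inspection. It assumes the ".l", "-", "V", "v" rule applies to the file name, that the size bounds are inclusive, and that "Hunk Code is found" refers to the first hunk; the function names are hypothetical.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2  # AmigaDOS hunk ids
MIN_SIZE, MAX_SIZE = 2048, 100 * 1024   # bounds from the entry, assumed inclusive
SKIPPED = (".l", "-", "V", "v")         # substrings the entry says are never infected


def first_hunk_type(data):
    """Return the type id of the first hunk of an AmigaDOS load file, or None."""
    try:
        if struct.unpack_from(">I", data, 0)[0] != HUNK_HEADER:
            return None
        pos = 4
        # Resident library list: length-prefixed names, ended by a zero longword.
        while True:
            n = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            if n == 0:
                break
            pos += 4 * n
        _table_size, first, last = struct.unpack_from(">III", data, pos)
        if last < first:
            return None
        pos += 12 + 4 * (last - first + 1)          # skip the hunk size table
        # Upper bits of the type word carry memory flags; mask them off.
        return struct.unpack_from(">I", data, pos)[0] & 0x3FFFFFFF
    except struct.error:                            # truncated or malformed file
        return None


def in_scope(name, data):
    """True if the file meets the preconditions that can be checked offline.

    Device state (validated, free blocks) and prior infection cannot be
    judged from the file alone and are not evaluated here.
    """
    if any(part in name for part in SKIPPED):
        return False
    if not MIN_SIZE <= len(data) <= MAX_SIZE:
        return False
    return first_hunk_type(data) == HUNK_CODE


def make_sample(longs=600, hunk=HUNK_CODE):
    """Constructed single-hunk load file for the demo (not a real program)."""
    head = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, longs)
    body = struct.pack(">II", hunk, longs) + bytes(4 * longs)
    return head + body + struct.pack(">I", HUNK_END)
```

A file reported as in scope is only a candidate for closer inspection; the entry gives no file signature, so this filter does not detect the virus itself.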