------------------------
Amiga Virus Encyclopedia
Mutation Nation Virus
------------------------
---------------------------------------------------------------------------
Entry...............: Mutation Nation
Alias(es)...........: none
Virus Strain........: Ebola series (Ebola, BBS traveller, Strange At.)
Virus detected when.: 21.05.1996
              where.: Germany
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1316 Bytes
                         (uses a primitive polymorphic technique)
                      2. Length in RAM: $ba8 Bytes
--------------------- Preconditions ---------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ------------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - searching for DEADC0DE at the end of the
                        first hunk
                      Self-identification method in memory:
                      - 213f at the LoadSeg entry (like Ebola?)
                      System infection:
                      - infects the following functions:
                        Dos LoadSeg(), Exec FindTask()
                      Infection preconditions:
                      - file is between $7d0 and $43e90 bytes long
                      - HUNK_CODE is found (the virus skips over $3e8
                        (HUNK_NAME) and similar hunks to reach it)
                      - file is not already infected
                      - device is validated
                      - device contains free blocks
Infection Trigger...: Accessing files via LoadSeg()
                      Files whose name contains a "." or a "-" and
                      then, at offset 2, one of the characters "a",
                      "e" or "n" are not infected.
Storage media affected:
                      all DOS devices
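The two file-side conditions above (the DEADC0DE self-identification longword at the end of the first hunk, which the preconditions say must be a HUNK_CODE, and the $7d0-$43e90 size window) as a scanner-side check in Python. This is an added example, not part of the original encyclopedia entry and not VirusWorkshop or VT code; it assumes the standard AmigaDOS hunk layout (HUNK_HEADER $3f3, HUNK_NAME $3e8, HUNK_CODE $3e9, HUNK_END $3f2) and builds its own minimal test executables inline, so it runs without any real sample.

```python
import struct

# Amiga hunk block types (standard AmigaDOS values)
HUNK_HEADER = 0x3F3
HUNK_NAME = 0x3E8    # the entry says the virus skips such hunks on its way to HUNK_CODE
HUNK_CODE = 0x3E9
HUNK_DATA = 0x3EA
HUNK_BSS = 0x3EB
HUNK_END = 0x3F2

MARKER = 0xDEADC0DE                 # self-identification longword from the entry
MIN_LEN, MAX_LEN = 0x7D0, 0x43E90   # infection size window from the entry


def _u32(data, off):
    """Big-endian unsigned longword at offset (raises struct.error if short)."""
    return struct.unpack_from(">I", data, off)[0]


def first_hunk(data):
    """Locate the first real hunk of a hunk executable.

    Returns (hunk_type, payload_offset, payload_length_bytes), or None if the
    input is not a well-formed HUNK_HEADER file. HUNK_NAME blocks in front of
    the first hunk are skipped, as the entry describes the virus doing."""
    try:
        if _u32(data, 0) != HUNK_HEADER:
            return None
        off = 4
        # resident library names: (length_in_longwords, name)* then a 0 longword
        while True:
            n = _u32(data, off)
            off += 4
            if n == 0:
                break
            off += n * 4
        first, last = _u32(data, off + 4), _u32(data, off + 8)
        off += 12 + (last - first + 1) * 4   # skip table_size and the size table
        while True:
            htype = _u32(data, off) & 0x3FFFFFFF   # drop memory-type flag bits
            size_lw = _u32(data, off + 4)
            if htype == HUNK_NAME:
                off += 8 + size_lw * 4
                continue
            if htype in (HUNK_CODE, HUNK_DATA):
                if off + 8 + size_lw * 4 > len(data):
                    return None
                return htype, off + 8, size_lw * 4
            if htype == HUNK_BSS:
                return htype, off + 8, 0
            return None
    except struct.error:
        return None


def carries_marker(data):
    """True if the first hunk is HUNK_CODE and its last longword is DEADC0DE,
    the condition the virus itself uses to decide a file is already infected."""
    h = first_hunk(data)
    if h is None:
        return False
    htype, start, length = h
    return htype == HUNK_CODE and length >= 4 and _u32(data, start + length - 4) == MARKER


def in_infection_window(size):
    """File-size precondition from the entry: $7d0 <= size <= $43e90."""
    return MIN_LEN <= size <= MAX_LEN


def build_executable(code, marked=False):
    """Construct a minimal single-hunk executable for testing (constructed
    input, not a real program). With marked=True the code hunk is terminated
    with the DEADC0DE longword, mimicking the marker an infected file carries."""
    if marked:
        code += struct.pack(">I", MARKER)
    code += b"\0" * (-len(code) % 4)        # pad to a longword boundary
    lw = len(code) // 4
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)   # header, no libs, 1 hunk, 0..0
            + struct.pack(">I", lw)                           # hunk size table
            + struct.pack(">II", HUNK_CODE, lw) + code
            + struct.pack(">I", HUNK_END))


if __name__ == "__main__":
    rts = b"\x4e\x75" * 600        # 1200 bytes of MC68000 RTS, constructed filler
    for label, image in (("clean", build_executable(rts)),
                         ("marked", build_executable(rts, marked=True))):
        print(f"{label}: {len(image)} bytes, in window={in_infection_window(len(image))}, "
              f"marker={carries_marker(image)}")
```

The marker test is what the virus uses to avoid double infection, so it is a useful triage hint, but a clean program can legitimately end its first code hunk with $DEADC0DE; treat a hit as a reason to look at the file, not as a verdict on its own.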
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - Reset
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - Counter reaches $14
Particularities.....: The crypt/decrypt routines are partly aware of
                      processor caches. The crypt routine itself is
                      not polymorphic; the only variation is in which
                      registers it uses.
Similarities........: The link method is comparable to the one
                      introduced by the Infiltrator virus. As in many
                      trojans, the virus searches for a special task
                      ("Dupe"); if it is found, the virus does not
                      activate. This is probably some kind of security
                      backdoor for the programmer.
Stealth.............: no stealth functions found
                      The virus does not work while SnoopDos (1, 2, 3)
                      is running.
                      File flags are restored, but the change in file
                      length remains visible.
Armouring...........: The virus uses only a single armouring technique
                      to confuse analysts: it encrypts its code and
                      uses a very simple register polymorphism. The
                      heuristic scanner of VirusWorkshop 6.1 is not
                      able to detect this virus; the heuristic in
                      VW6.2 is able to break the crypt code.
Comments............: We received this file from a sysop in the south
                      of Germany. As it has a lot of similarities to
                      the Ebola etc. viruses, we suppose the programmer
                      of these viruses comes from the south or east of
                      Germany and has normal programming knowledge.
                      The virus contains the string:
                      '-=* Mutation Nation V1.0 by AIZ *=-'
                      Same length and comparable stuff as in
                      BBS-traveller etc.
--------------------- Agents -------------------------------------------
Countermeasures.....: VW6.2ß, VT2.84ß and above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 25.05.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: May 25, 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
===================== End of Mutation Nation =========================