NeuroticDeath 1 Link Virus - Amiga Virus Encyclopedia
VIRUS HELP TEAM
--------------------------
Amiga Virus Encyclopedia
NeuroticDeath 1 Link Virus
--------------------------
-----------------------------------------------------------------------
Entry...............: NeuroticDeath-1
Alias(es)...........: -
Virus Strain........: Elbereth
Virus detected when.: 1997
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 3400+[40-800] Bytes
                         Uses highly polymorphic engine!
                      2. Length in RAM: 8192 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS   Version/Release..: 2.04+ to 3.0
Computer model(s)...: 68000+ machines
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - tests ds_Tick in the file date stamp;
                        the value changes every 16 days!
                      Self-identification method in memory:
                      - checks for $2f01 in LoadSeg code at offset 0.
                      System infection:
                      - infects the following functions:
                          dos/LoadSeg
                          dos/NewLoadSeg
                          exec/DoIO
                      - adds a VBlank interrupt server when an antivirus
                        is detected in memory, to hide itself.
                      Infection preconditions:
                      - file is between 16 kB and 286 kB on HDD
                      - file is between 16 kB and 32 kB on floppy
                      - Hunk Code is found
                      - file is not infected already
                      - device is validated
                      - device has 16+ free sectors
                      - filename contains neither 'v' nor 'V'
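The infection preconditions above double as a triage filter for a defender: an executable that does not meet them cannot have been linked by this virus, and one that does deserves closer inspection. The following C program is an added example written for this entry; it is not code from the Amiga Virus Encyclopedia or the Virus Help Team. It parses a HUNK_HEADER block far enough to read the type of the first hunk (the entry says the link method extends the first hunk, so only that hunk is checked, which is a simplifying assumption), and applies the size window and the 'v'/'V' filename rule. The function names (first_hunk_is_code, at_risk_flags, build_sample, sample_at_risk) are my own, the sample file is constructed inline, and the volume-dependent preconditions (validated device, 16+ free sectors, existing infection marker) are not modelled because the entry gives no values for them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Block identifiers from the AmigaDOS hunk executable format. */
#define HUNK_HEADER 0x3F3u
#define HUNK_CODE   0x3E9u

/* Bit flags returned by at_risk_flags(). */
enum { AT_RISK_SIZE = 1, AT_RISK_CODE = 2, AT_RISK_NAME = 4, AT_RISK_ALL = 7 };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Walks the HUNK_HEADER block and reports whether the first hunk is HUNK_CODE:
   1 = yes, 0 = another hunk type, -1 = not a parsable hunk header. */
int first_hunk_is_code(const unsigned char *buf, size_t len)
{
    size_t off = 4;
    uint32_t first, last, nhunks;

    if (len < 4 || be32(buf) != HUNK_HEADER)
        return -1;
    /* Resident library names: longword count + text; a zero count ends the list. */
    for (;;) {
        uint32_t n;
        if (len - off < 4) return -1;
        n = be32(buf + off);
        off += 4;
        if (n == 0) break;
        if (n > (len - off) / 4) return -1;
        off += (size_t)n * 4;
    }
    /* Table size, first hunk, last hunk, then one size longword per hunk. */
    if (len - off < 12) return -1;
    first = be32(buf + off + 4);
    last  = be32(buf + off + 8);
    off += 12;
    if (last < first) return -1;
    nhunks = last - first + 1;
    if (nhunks > (len - off) / 4) return -1;
    off += (size_t)nhunks * 4;
    /* Next longword is the first hunk's type; top two bits are memory flags. */
    if (len - off < 4) return -1;
    return (be32(buf + off) & 0x3FFFFFFFu) == HUNK_CODE ? 1 : 0;
}

/* Applies the entry's file-level preconditions: size window (HDD vs floppy),
   code in the first hunk, and no 'v'/'V' anywhere in the filename. */
int at_risk_flags(const char *filename, size_t file_size, int on_floppy,
                  const unsigned char *buf, size_t len)
{
    int flags = 0;
    size_t upper = on_floppy ? 32u * 1024u : 286u * 1024u;

    if (file_size >= 16u * 1024u && file_size <= upper) flags |= AT_RISK_SIZE;
    if (first_hunk_is_code(buf, len) == 1)              flags |= AT_RISK_CODE;
    if (!strchr(filename, 'v') && !strchr(filename, 'V')) flags |= AT_RISK_NAME;
    return flags;
}

/* Constructed sample (not a real file): header declaring one hunk of 16
   longwords, then a HUNK_CODE block filled with NOP (0x4E71). Returns bytes
   written, or 0 if cap is too small. */
size_t build_sample(unsigned char *out, size_t cap)
{
    static const uint32_t words[] = {
        HUNK_HEADER, 0,   /* magic, empty resident-library list */
        1, 0, 0, 16,      /* table size, first, last, size of hunk 0 */
        HUNK_CODE, 16     /* first hunk block: code, 16 longwords */
    };
    size_t n = sizeof words / sizeof words[0], i, total = n * 4 + 16 * 4;

    if (cap < total) return 0;
    for (i = 0; i < n; i++)  put_be32(out + 4 * i, words[i]);
    for (i = 0; i < 16; i++) put_be32(out + n * 4 + 4 * i, 0x4E714E71u);
    return total;
}

/* Evaluates the constructed sample under a given name, size and medium; the
   size is passed separately because the sample itself is only 96 bytes. */
int sample_at_risk(const char *filename, size_t file_size, int on_floppy)
{
    unsigned char buf[128];
    size_t n = build_sample(buf, sizeof buf);
    return at_risk_flags(filename, file_size, on_floppy, buf, n);
}

int main(void)
{
    printf("Game   20000 HDD    -> flags %d\n", sample_at_risk("Game", 20000, 0));
    printf("Viewer 20000 HDD    -> flags %d\n", sample_at_risk("Viewer", 20000, 0));
    printf("Game   40000 floppy -> flags %d\n", sample_at_risk("Game", 40000, 1));
    return 0;
}
```

A file scoring AT_RISK_ALL is a candidate for the algorithmic analysis the entry says detection requires; anything missing a flag can be deprioritised. Real scans should run at_risk_flags over the on-disk file contents rather than the constructed sample.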
Infection Trigger...: Executing programs
Storage media affected:
                      all DOS devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - uses the DoIO patch to destroy random blocks
                        of any device. No salvage possible!
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - DoIO counter reaches 32
                      Transient damage:
                      - none
Particularities.....: Virus uses a highly polymorphic engine called
                      Mtg_2b. The algorithm is static, so semi-heuristic
                      detection should be possible. Decoder size
                      varies greatly from infection to infection.
                      The virus refuses to work before 24 Jan 97.
                      The virus calculates the original LoadSeg address,
                      so any other patch is kicked out. This routine
                      doesn't work on OS 3.1+ and causes a system crash.
                      Infector skips DEBUG hunks.
Similarities........: Link method is first hunk increasing.
                      Most of the virus engine is identical across all
                      Elbereth viruses. The virus replaces
                      JSR and Bcc instructions with a jump
                      to the decoder.
Stealth.............: Checks all task names for 'Vir'.
Armouring...........: Uses highly polymorphic decoders, which
                      use some anti-disassembling tricks.
                      File detection requires algorithmic analysis.
Comments............: Decoded virus contains VISIBLE text:
                      ---=[ NEurOTiC DEatH ]=--- (c) 1997 Poland
                      Grt's to *Markus*, m/\|) r0GEr
                      !! FIRST IN POLYMORPHIC SERIES !!
                      It is sometimes shown with DisplayAlert.
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 8.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 8.2001
Information Source..: virus
Copyright...........: This documentation is public domain
============= End of Neurotic Death 1 =================================