Entry...............: NeuroticDeath-2
Alias(es)...........: -
Virus Strain........: Elbereth->NeuroticDeath
Virus detected when.: 1997
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 3652+[40-800] Bytes
                      Uses a highly polymorphic engine!
                      2. Length in RAM:                     8192 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 up to 3.0
Computer model(s)...: 68000+ machines

--------------------- Attributes ---------------------------------------

Easy Identification.:  none

Type of infection...: Self-identification method in files:

                      - checks the ds_Tick field of the file's DateStamp.
                        The expected value changes every 16 days!

                      Self-identification method in memory:
                      - checks for the word $2f01 (MOVE.L D1,-(SP)) at
                        offset 0 of the LoadSeg code.

                      System infection:
                      -  patches the following functions:
                         dos/LoadSeg
                         dos/NewLoadSeg
                         exec/DoIO
                      -  adds a VBlank interrupt server to hide itself
                         when an antivirus is detected in memory.

                      Infection preconditions:

                      - File is between 16kB and 286 kB on HDD
                      - File is between 16kB and 32 kB on Floppy
                      - Hunk Code is found
                      - File is not infected already
                      - device is validated
                      - device has 16+ free sectors
                      - filename contains neither 'v' nor 'V'
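The memory self-identification test above, as an added example (not the virus's code and not the VTC's): it resolves the dos.library LoadSeg vector, looks at the first word of the code it jumps to and compares it with $2f01. It runs against a constructed, big-endian image of a library jump table instead of a live Amiga; LIBBASE, ROM_LOADSEG and VIRUS_LOADSEG are made-up addresses, while the LVO offsets and opcodes are the real 68000/dos.library values. The "vector outside the library's own code" check at the end is a general scanner heuristic added here, not something the entry states.

```c
/* Added example: the $2f01-at-offset-0 LoadSeg test from the entry, run on a
 * constructed image of a dos.library jump table (offset == address). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LVO_LOADSEG    (-150)    /* dos.library _LVOLoadSeg    */
#define LVO_NEWLOADSEG (-768)    /* dos.library _LVONewLoadSeg */
#define JMP_ABS_L      0x4EF9u   /* 68000 "JMP xxx.L": the form of every jump-table entry */
#define MARKER         0x2F01u   /* 68000 "MOVE.L D1,-(SP)": first word of the virus's LoadSeg */

/* Made-up layout for the example: library base, clean LoadSeg, virus LoadSeg. */
enum { MEM_SIZE = 0x4000, LIBBASE = 0x1000, ROM_LOADSEG = 0x2000, VIRUS_LOADSEG = 0x3000 };

static uint8_t mem[MEM_SIZE];    /* flat model of the address space */

static void wr16(uint32_t a, uint16_t v) { mem[a] = (uint8_t)(v >> 8); mem[a + 1] = (uint8_t)v; }
static void wr32(uint32_t a, uint32_t v) { wr16(a, (uint16_t)(v >> 16)); wr16(a + 2, (uint16_t)v); }
static uint16_t rd16(uint32_t a) { return (uint16_t)((mem[a] << 8) | mem[a + 1]); }
static uint32_t rd32(uint32_t a) { return ((uint32_t)rd16(a) << 16) | rd16(a + 2); }

/* Follow a library vector: the 6-byte entry at base+LVO is "JMP target.L".
 * Returns target, or 0 if the entry is not a JMP (corrupt table). */
uint32_t vector_target(uint32_t libbase, int32_t lvo) {
    uint32_t entry = libbase + (uint32_t)lvo;   /* lvo is negative; unsigned wrap is intended */
    if (rd16(entry) != JMP_ABS_L) return 0;
    return rd32(entry + 2);
}

/* The virus's own "already resident?" test: first word of LoadSeg == $2f01. */
int loadseg_has_marker(uint32_t libbase) {
    uint32_t t = vector_target(libbase, LVO_LOADSEG);
    return t != 0 && rd16(t) == MARKER;
}

/* Scanner-side generalisation (added assumption, not from the entry): a patched
 * vector normally leaves the library's own code range [lo, hi). */
int vector_outside(uint32_t libbase, int32_t lvo, uint32_t lo, uint32_t hi) {
    uint32_t t = vector_target(libbase, lvo);
    return t < lo || t >= hi;
}

/* Build the constructed image: a clean library whose LoadSeg/NewLoadSeg sit at
 * ROM_LOADSEG, then optionally redirect LoadSeg the way a SetFunction()-style
 * patch would. */
void build_image(int infected) {
    memset(mem, 0, sizeof mem);
    wr16(LIBBASE + LVO_LOADSEG, JMP_ABS_L);
    wr32(LIBBASE + LVO_LOADSEG + 2, ROM_LOADSEG);
    wr16(LIBBASE + LVO_NEWLOADSEG, JMP_ABS_L);
    wr32(LIBBASE + LVO_NEWLOADSEG + 2, ROM_LOADSEG + 0x100);
    wr16(ROM_LOADSEG, 0x48E7);      /* MOVEM.L regs,-(SP): a typical clean prologue */
    wr16(VIRUS_LOADSEG, MARKER);    /* MOVE.L D1,-(SP): the patch's prologue */
    if (infected) wr32(LIBBASE + LVO_LOADSEG + 2, VIRUS_LOADSEG);
}

int sample_marker(int infected)  { build_image(infected); return loadseg_has_marker(LIBBASE); }
int sample_outside(int infected) {
    build_image(infected);
    return vector_outside(LIBBASE, LVO_LOADSEG, ROM_LOADSEG, ROM_LOADSEG + 0x1000);
}

int main(void) {
    printf("clean:    marker=%d outside=%d\n", sample_marker(0), sample_outside(0));
    printf("infected: marker=%d outside=%d\n", sample_marker(1), sample_outside(1));
    return 0;
}
```

On a real machine the same walk starts from DOSBase (the dos.library base returned by OpenLibrary) and the word read at the target must be done from supervisor-safe memory; the marker test alone only proves this particular patch is present, which is why the range check is worth keeping beside it.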

Infection Trigger...: Executing programs

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None; see the VBlank interrupt server under
                      System infection.

Damage..............: Permanent damage:
                      - the DoIO patch overwrites random blocks of
                        any device. No recovery is possible!
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - the call counter in the DoIO patch reaches 32
                      Transient damage:
                      - none

Particularities.....: The virus uses a highly polymorphic engine called
                      Mtg_2c. The generating algorithm is static, so
                      semi-heuristic detection should be possible.
                      Decoder size varies greatly from infection to
                      infection.

                      The virus refuses to work before 24 Jan 1997.

                      The virus calculates the original LoadSeg address
                      and hooks that directly, so any other LoadSeg
                      patch is cut out of the chain. This routine does
                      not work on OS 3.1+.

                      The infector skips DEBUG hunks.
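Both the file self-identification test (ds_Tick, changing every 16 days) and the activation date above hinge on AmigaDOS DateStamp arithmetic, where ds_Days counts days since 1 Jan 1978. The following is an added example (not the virus's or the VTC's code): it computes ds_Days for a civil date, applies the 24 Jan 1997 gate, and exposes a 16-day window index. The entry does not give the function the virus derives its ds_Tick marker from; marker_window() is therefore an assumption that only illustrates a value which changes every 16 days, not the virus's actual formula.

```c
/* Added example: DateStamp day arithmetic behind the entry's date checks. */
#include <stdint.h>
#include <stdio.h>

static int is_leap(int y) { return (y % 4 == 0 && y % 100 != 0) || y % 400 == 0; }

/* ds_Days: days since 1 Jan 1978, the AmigaDOS DateStamp epoch (day 0). */
uint32_t ds_days(int y, int m, int d) {
    static const int cum[12] = {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334};
    uint32_t days = 0;
    for (int yy = 1978; yy < y; yy++) days += is_leap(yy) ? 366 : 365;
    days += (uint32_t)(cum[m - 1] + (m > 2 && is_leap(y)) + (d - 1));
    return days;
}

/* Activation gate from the entry: nothing happens before 24 Jan 1997. */
int activation_reached(uint32_t today_ds_days) {
    return today_ds_days >= ds_days(1997, 1, 24);
}

/* ASSUMPTION for illustration only: a quantity that changes every 16 days,
 * as the entry says the expected ds_Tick value does. The real derivation is
 * not documented on the page. */
uint32_t marker_window(uint32_t file_ds_days) { return file_ds_days / 16; }

int main(void) {
    uint32_t gate = ds_days(1997, 1, 24);
    printf("24 Jan 1997 = ds_Days %u, window %u\n", gate, marker_window(gate));
    printf("day before gate active: %d\n", activation_reached(gate - 1));
    return 0;
}
```

A scanner that wants to reproduce the file test has to recompute the expected value from the file's own ds_Days rather than compare against a constant captured on one day, which is the practical meaning of "changes every 16 days".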

Similarities........: Link method: the first hunk is enlarged.
                      Most of the virus engine is shared with all
                      Elbereth viruses. The virus replaces JSR and
                      Bcc instructions with a jump to the decoder.
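The infection preconditions ("Hunk Code is found", the size and filename rules), the skipping of DEBUG hunks, and the "first hunk increasing" link method all presuppose walking the AmigaDOS hunk structure of a load file. The following is an added example (not the virus's or the VTC's code) of that walk: it parses a load file block by block, steps over HUNK_DEBUG, HUNK_RELOC32 and HUNK_SYMBOL blocks, and reports the first HUNK_CODE together with its hunk index, then applies the file-side preconditions from the entry. The sample executable is constructed inline; "kB" is taken as 1024 bytes, which is an assumption. The device-side conditions (validated volume, 16+ free sectors) and the "not infected already" date test need a live volume and are not modelled.

```c
/* Added example: hunk-file walk behind the infection preconditions. */
#include <stdint.h>
#include <string.h>

#define HUNK_CODE    0x3E9u
#define HUNK_DATA    0x3EAu
#define HUNK_BSS     0x3EBu
#define HUNK_RELOC32 0x3ECu
#define HUNK_SYMBOL  0x3F0u
#define HUNK_DEBUG   0x3F1u
#define HUNK_END     0x3F2u
#define HUNK_HEADER  0x3F3u

typedef struct { long type_offset; uint32_t code_bytes; int hunk_index; } CodeHunk;

/* Big-endian longword read with bounds check. */
static int rd32(const uint8_t *f, size_t len, size_t o, uint32_t *v) {
    if (o + 4 > len) return 0;
    *v = ((uint32_t)f[o] << 24) | ((uint32_t)f[o + 1] << 16) | ((uint32_t)f[o + 2] << 8) | f[o + 3];
    return 1;
}

/* Skip a 0-terminated run of (n, extra bytes, n longwords) records: resident
 * library names (extra 0), HUNK_RELOC32 (extra = target hunk) and
 * HUNK_SYMBOL (extra = value, placed after the name) all total the same. */
static int skip_list(const uint8_t *f, size_t len, size_t *o, size_t extra) {
    uint32_t n;
    for (;;) {
        if (!rd32(f, len, *o, &n)) return 0;
        *o += 4;
        if (n == 0) return 1;
        *o += extra + (size_t)n * 4;
    }
}

/* Report the first HUNK_CODE (the hunk the entry says the virus enlarges),
 * stepping over HUNK_DEBUG as the infector does. 0 = malformed or no code. */
int find_first_code_hunk(const uint8_t *f, size_t len, CodeHunk *out) {
    size_t o = 4;
    uint32_t v, n, first, last;
    if (!rd32(f, len, 0, &v) || v != HUNK_HEADER) return 0;
    if (!skip_list(f, len, &o, 0)) return 0;                     /* resident library names */
    if (!rd32(f, len, o + 4, &first) || !rd32(f, len, o + 8, &last)) return 0;
    o += 12 + (size_t)(last - first + 1) * 4;  /* table_size, first, last, sizes (bits 30-31 = MEMF flags) */
    int hunk = (int)first;
    while (rd32(f, len, o, &v)) {
        o += 4;
        switch (v) {
        case HUNK_CODE:
        case HUNK_DATA:
            if (!rd32(f, len, o, &n)) return 0;
            if (v == HUNK_CODE) {
                out->type_offset = (long)o - 4; out->code_bytes = n * 4; out->hunk_index = hunk;
                return 1;
            }
            o += 4 + (size_t)n * 4;
            break;
        case HUNK_DEBUG:                                         /* skipped by the infector */
            if (!rd32(f, len, o, &n)) return 0;
            o += 4 + (size_t)n * 4;
            break;
        case HUNK_BSS:     o += 4; break;                        /* size only, no payload */
        case HUNK_RELOC32: if (!skip_list(f, len, &o, 4)) return 0; break;
        case HUNK_SYMBOL:  if (!skip_list(f, len, &o, 4)) return 0; break;
        case HUNK_END:     hunk++; break;
        default:           return 0;                             /* overlay/unit/unknown block */
        }
    }
    return 0;
}

int name_is_infectable(const char *name) { return !strchr(name, 'v') && !strchr(name, 'V'); }

/* 16 kB..286 kB on hard disk, 16 kB..32 kB on floppy (kB = 1024: assumption). */
int size_in_window(uint32_t bytes, int on_floppy) {
    uint32_t hi = on_floppy ? 32u * 1024 : 286u * 1024;
    return bytes >= 16u * 1024 && bytes <= hi;
}

int meets_file_preconditions(const char *name, uint32_t filesize, int on_floppy,
                             const uint8_t *img, size_t len) {
    CodeHunk h;
    return name_is_infectable(name) && size_in_window(filesize, on_floppy) &&
           find_first_code_hunk(img, len, &h);
}

/* Constructed two-hunk executable (not a real program): hunk 0 holds a debug
 * block, 3 longwords of code and one reloc; hunk 1 is data. 108 bytes. */
size_t sample_file(uint8_t *b) {
    static const uint32_t w[] = {
        HUNK_HEADER, 0, 2, 0, 1, 3u | 0x40000000u, 2,            /* hunk 0 flagged MEMF_CHIP */
        HUNK_DEBUG, 2, 0x44454255u, 0x47212121u,
        HUNK_CODE, 3, 0x4E714E71u, 0x4E714E71u, 0x4E754E71u,     /* NOPs and an RTS */
        HUNK_RELOC32, 1, 1, 4, 0, HUNK_END,
        HUNK_DATA, 2, 0x11111111u, 0x22222222u, HUNK_END };
    size_t o = 0;
    for (size_t i = 0; i < sizeof w / sizeof w[0]; i++, o += 4) {
        b[o] = (uint8_t)(w[i] >> 24); b[o + 1] = (uint8_t)(w[i] >> 16);
        b[o + 2] = (uint8_t)(w[i] >> 8); b[o + 3] = (uint8_t)w[i];
    }
    return o;
}

long sample_code_offset(void)    { uint8_t b[128]; CodeHunk h; size_t n = sample_file(b);
                                   return find_first_code_hunk(b, n, &h) ? h.type_offset : -1; }
int  sample_code_hunk_index(void){ uint8_t b[128]; CodeHunk h; size_t n = sample_file(b);
                                   return find_first_code_hunk(b, n, &h) ? h.hunk_index : -1; }
int  sample_preconditions(const char *name, uint32_t filesize, int on_floppy) {
    uint8_t b[128]; size_t n = sample_file(b);
    return meets_file_preconditions(name, filesize, on_floppy, b, n);
}
```

For a scanner the same walker is the starting point for the "algorithmic analysis" the Armouring field calls for: once the first code hunk is located, its entry region is where the replaced JSR/Bcc and the polymorphic decoder would be looked for.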

Stealth.............: Checks all task names for the substring 'Vir'.

Armouring...........: Uses highly polymorphic decoders, which
                      employ some anti-disassembly tricks.
                      File detection requires algorithmic analysis.

Comments............: Decoded virus contains VISIBLE text:

---=[ NEurOTiC DEatH 2 ]=---   (c) 1997 Poland
Grt's to *Markus*, m/\|) r0GEr
!! SECOND IN POLYMORPHIC SERIES !!

It is sometimes shown via DisplayAlert().

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  8.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 8.2001
Information Source..: virus
Copyright...........: This documentation is public domain

============= End of Neurotic Death 2  =================================
