NeuroticDeath 3 Link Virus - Amiga Virus Encyclopedia
VIRUS HELP TEAM
--------------------------
Amiga Virus Encyclopedia
NeuroticDeath 3 Link Virus
--------------------------
-----------------------------------------------------------------------
Entry...............: NeuroticDeath-3 (delta)
Alias(es)...........: -
Virus Strain........: Elbereth->NeuroticDeath
Virus detected when.: 1997
Virus detected where: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 4308+[40-800] Bytes
Uses highly polymorphic engine!
2. Length in RAM: 8192 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS Version/Release..: 2.04 up to 3.0
Computer model(s)...: 020+ machines
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- tests ds_Tick in the file date
(the marker value changes every 16 days)
Self-identification method in memory:
- checks for $2f01 in LoadSeg code at offset 0
- checks for '**' in AlertData, which is set
when the virus has detected an AV task
and has hidden itself quickly
System infection:
- infects following functions:
dos/LoadSeg
exec/DoIO
- adds a VBlank interrupt server to hide itself
when an antivirus is detected in memory
Infection preconditions:
- File is between 16kB and 286 kB on HDD
- File is NOT on Floppy
- Hunk Code is found
- File is not infected already
- device is validated
- device has 32+ free sectors
- filename contains neither 'v' nor 'V'
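The file-side preconditions above can be checked mechanically from the hunk structure of a candidate file. What follows is an added Python example, not code from the Virus Help Team entry or from the virus itself: a minimal parser for the AmigaOS hunk executable format, a function that applies the size, device, hunk and filename rules listed above, and a constructed sample executable to run it on. The floppy device names (DF0: to DF3:) and all function names are assumptions; the "not infected already" rule depends on the virus's own ds_Tick formula, which the entry does not give, so it is left out.

```python
import struct

# Hunk block identifiers from the AmigaOS executable format.
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3EC, 0x3F0, 0x3F1, 0x3F2

FLOPPY_PREFIXES = ("DF0:", "DF1:", "DF2:", "DF3:")  # assumed floppy device names
MIN_SIZE, MAX_SIZE = 16 * 1024, 286 * 1024            # size window from the entry


def _u32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated hunk file")
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunks(buf):
    """Walk a hunk-format executable and return [(hunk_type, payload), ...]."""
    if _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:                                # resident library names, 0-terminated
        n = _u32(buf, off); off += 4
        if n == 0:
            break
        off += n * 4
    first, last = _u32(buf, off + 4), _u32(buf, off + 8)
    off += 12 + (last - first + 1) * 4         # skip table_size/first/last + size table
    hunks = []
    while off < len(buf):
        htype = _u32(buf, off) & 0x3FFFFFFF    # top bits carry memory flags
        off += 4
        if htype in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            n = _u32(buf, off); off += 4
            hunks.append((htype, buf[off:off + n * 4])); off += n * 4
        elif htype == HUNK_BSS:
            off += 4                           # size only, no payload
            hunks.append((htype, b""))
        elif htype in (HUNK_RELOC32, HUNK_SYMBOL):
            start = off
            while True:                        # entries terminated by a 0 count
                n = _u32(buf, off); off += 4
                if n == 0:
                    break
                off += n * 4 + 4               # offsets + hunk number / name + value
            hunks.append((htype, buf[start:off]))
        elif htype == HUNK_END:
            hunks.append((htype, b""))
        else:
            raise ValueError("unsupported hunk type 0x%x" % htype)
    return hunks


def infection_preconditions(path, buf, free_sectors, validated=True):
    """Return (would_infect, reasons) for the file-side rules listed in the entry.
    The 'not already infected' rule (ds_Tick marker) needs the virus's own date
    formula, which the entry does not give, so it is not modelled here."""
    reasons = []
    name = path.rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    if not MIN_SIZE <= len(buf) <= MAX_SIZE:
        reasons.append("size outside 16-286 kB")
    if path.upper().startswith(FLOPPY_PREFIXES):
        reasons.append("file is on a floppy")
    try:
        hunks = parse_hunks(buf)
    except ValueError:
        hunks = []
        reasons.append("not a hunk executable")
    if not any(t == HUNK_CODE for t, _ in hunks):
        reasons.append("no HUNK_CODE")
    if not validated:
        reasons.append("device not validated")
    if free_sectors < 32:
        reasons.append("fewer than 32 free sectors")
    if "v" in name.lower():
        reasons.append("'v'/'V' in filename")
    return not reasons, reasons


def build_sample(code, with_debug=False):
    """Constructed single-hunk executable (test input, not a real Amiga program)."""
    longs = (len(code) + 3) // 4
    code = code.ljust(longs * 4, b"\0")
    out = struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)   # no libs; 1 hunk; first=last=0
    out += struct.pack(">I", longs)                         # hunk size table
    out += struct.pack(">II", HUNK_CODE, longs) + code
    if with_debug:
        out += struct.pack(">II", HUNK_DEBUG, 1) + b"DBG!"
    return out + struct.pack(">I", HUNK_END)


# RTS (0x4E75) repeated gives a plausible 20 kB code hunk; a 2-byte one is too small.
SAMPLE_OK = build_sample(b"\x4e\x75" * 10000)
SAMPLE_SMALL = build_sample(b"\x4e\x75")

if __name__ == "__main__":
    for p in ("Work:c/Tool", "DF0:c/Tool", "Work:c/View"):
        print(p, infection_preconditions(p, SAMPLE_OK, free_sectors=100))
    print("small", infection_preconditions("Work:c/Tool", SAMPLE_SMALL, 100))
```

The parser deliberately raises on anything it does not understand rather than guessing, since a scanner that silently skips an unknown block is exactly what a link virus with an unusual first hunk benefits from; the `reasons` list makes it easy to see which single rule (floppy, size, the letter 'v') kept a given file out of the virus's reach.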
Infection Trigger...: Executing programs
Storage media affected:
all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
- uses the DoIO patch to destroy random blocks
of any device. No salvage possible!
Transient damage:
- none
Damage Trigger......: Permanent damage:
- DoIO counter reaches 32
Transient damage:
- none
Particularities.....: Virus uses a highly polymorphic engine called
Mtg_2c. The algorithm is static, so semi-heuristic
detection should be possible. Decoder size
varies very much from infection to infection.
The virus refuses to work before 24 Jan 97.
The virus calculates the original LoadSeg address,
so any other patch is kicked out. This routine
doesn't work on OS 3.1+.
Infector skips DEBUG hunks.
Most of the patch code is encrypted in memory!
Similarities........: Link method: the first hunk is enlarged.
Most of the virus engine is shared by all
Elbereth viruses. The virus replaces
JSR and Bcc instructions with a jump
to the decoder.
Stealth.............: Checks for 'Vir' in all task names.
Armouring...........: Uses highly polymorphic decoders, which
use some anti-disassembling tricks.
File detection requires algorithmic analysis.
Comments............: ND3 is just a light version of ND3 delta
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 8.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 8.2001
Information Source..: virus
Copyright...........: This documentation is public domain
============= End of Neurotic Death 3 =================================