Entry...............: Nibbler
Alias(es)...........: Nibbler 1.0
Virus Strain........: -
Virus detected when.: November 1996
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         924 Bytes
                      2. Length in RAM:                    924 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - none

                      System infection:

                      - LoadSeg() of Dos Library will be patched. If
                        the port of VirusZ is existing, the patched
                        Loadseg vector will be removed from memory.

                      Infection preconditions:


                      - DosTouch is not in memory
                      - the to be infected file does not start with
                        XT, VI,VW, VT,VC,VZ, MD or MI

                      - HUNK_HEADER is found
                      - device is validated
                      - 50 free blocks


Infection Trigger...: Starting an executable file.


Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - an entry jump will be placed

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....: The crypt/decrypt routines are aware of processor
                      caches. The virus is incompatible to the new versions of
                      EXEC, as it uses some commands only legal in V37-V41
                      versions of the task handling.

Similarities........: Infection of files is done with the normal "link
                      after first hunk" system with afterwards installing
                      an entry jump.

Stealth.............: none

Armouring...........: None

--------------------- Agents -------------------------------------------

Countermeasures.....: VW 6.4 and VT 2.93
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 29.12.1996.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Dec, 29. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of Nibbler Virus =========================

[Go back]