------------------------
Amiga Virus Encyclopedia
Phantom Link Virus
------------------------
------------------------------------------------------------------------
Entry...............: Phantom Linkvirus
Alias(es)...........: Super-Nova
Virus Strain........: -
Virus detected when.: 11/1995
where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium: ca.688 Bytes
2. Length in RAM: 688 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: None
Type of infection...: Self-identification method in files:
- Searches for $83ef19ac at the last position of
the first hunk (normal file infection)
Self-identification method in memory:
- Checks for a longword in the LoadSeg routine
($42a449fa)
System infection:
- RAM resident, infects the DOS call LoadSeg()
Infection preconditions:
- File to be infected is bigger than 4000 bytes and smaller
than $2e630 bytes
- First hunk is a code hunk
- File is executable
- First hunk has no reloc hunk linked behind it
- First hunk does not end with $83ef19ac
Infection Trigger...: Accessing the volume via LoadSeg (patched)
Storage media affected: all DOS-devices
Interrupts hooked...: none
Damage..............: Permanent damage:
- None
Transient damage:
- none
Damage Trigger......: Permanent damage:
- None
Transient damage:
- None
Particularities.....: The crypt/decrypt routines are aware of processor
caches.
Similarities........: The link method used for library-structured files is like
that of the Commander virus (without bsr changes!)
Stealth.............: The virus uses normal DOS commands (no tunneling
via packets), so normal DOS call watchers like SnoopDos
can show the infection behaviour. The virus uses no
stealth techniques. The only thing is its size: a 688-byte
difference in file length does not alert the user quickly.
Armouring...........: The virus uses only 2 weapons:
1. The virus uses a crypt routine to hide its code.
2. The virus name is hidden in a block which is
normally never accessed. Just decrease the values
by 1 and you will see the text "let`s go again...
PHANTOM"
Comments............: This file was sent to the Danish SHI leader by a German
guy. It was sent to him as a new virus killer. This happened
months (years?) ago and now (11/95) the virus appeared again.
In reality this is just a modified old version of VMK with
an installer linked in front. The installer is time-based.
(In the BX-News.Guide, in the chapter Super-Nova, you
can find some more information on how the virus reached SHI.)
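The file-side self-identification marker and the infection preconditions listed under "Type of infection" above, expressed as a scanner-style check. This is an added example, not part of the original entry or of any of the named tools; `parse_first_hunk`, `phantom_marker_present`, `is_candidate_victim` and `build_image` are names chosen here, the hunk parsing is a minimal reading of the standard AmigaDOS hunk layout (HUNK_HEADER, HUNK_CODE, HUNK_RELOC32, HUNK_END), and `build_image` only constructs a toy executable so the checks can be exercised offline.

```python
import struct

# Amiga hunk-format constants, plus the marker and size limits taken from the entry above.
HUNK_HEADER, HUNK_CODE, HUNK_RELOC32, HUNK_END = 0x3F3, 0x3E9, 0x3EC, 0x3F2
PHANTOM_MARKER = 0x83EF19AC          # longword Phantom leaves at the end of the first hunk
MIN_SIZE, MAX_SIZE = 4000, 0x2E630   # file-size window from the infection preconditions

def u32(buf, pos):
    return struct.unpack(">I", buf[pos:pos + 4])[0]

def parse_first_hunk(image):
    """Return (type, payload, next_type) for the first hunk of an AmigaDOS executable."""
    if len(image) < 4 or u32(image, 0) != HUNK_HEADER:
        raise ValueError("not a HUNK_HEADER executable")
    pos = 4
    while (n := u32(image, pos)) != 0:   # resident library names; a 0 length ends the list
        pos += 4 + n * 4
    pos += 4
    _table_size, first, last = struct.unpack(">III", image[pos:pos + 12])
    pos += 12 + (last - first + 1) * 4   # skip the hunk size table
    hunk_type = u32(image, pos) & 0x3FFFFFFF   # mask the memory-type flag bits
    size_lw = u32(image, pos + 4)
    payload = image[pos + 8:pos + 8 + size_lw * 4]
    pos += 8 + size_lw * 4
    next_type = u32(image, pos) & 0x3FFFFFFF if pos + 4 <= len(image) else None
    return hunk_type, payload, next_type

def phantom_marker_present(image):
    """True if the first hunk is code and ends with Phantom's self-identification longword."""
    hunk_type, payload, _ = parse_first_hunk(image)
    return hunk_type == HUNK_CODE and len(payload) >= 4 and u32(payload, len(payload) - 4) == PHANTOM_MARKER

def is_candidate_victim(image):
    """Clean file that meets every listed precondition, i.e. would be infected on LoadSeg()."""
    if not (MIN_SIZE < len(image) < MAX_SIZE):
        return False
    hunk_type, _, next_type = parse_first_hunk(image)
    return hunk_type == HUNK_CODE and next_type != HUNK_RELOC32 and not phantom_marker_present(image)

def build_image(code, trailing_reloc=False):
    """Constructed single-code-hunk executable, used only to exercise the checks above."""
    lw = len(code) // 4
    out = struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", lw)
    out += struct.pack(">II", HUNK_CODE, lw) + code
    if trailing_reloc:
        out += struct.pack(">II", HUNK_RELOC32, 0)   # empty reloc32 block (count 0 terminates it)
    return out + struct.pack(">I", HUNK_END)
```

A file that `is_candidate_victim` accepts is one the resident virus would infect on the next LoadSeg(); a file where `phantom_marker_present` is true already carries the marker the virus itself looks for.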
--------------------- Agents -------------------------------------------
Countermeasures.....: VW5.7, BootX 5.23B with Recog 2.25 (only the installer) ?
Countermeasures successful: All of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 05.11.1995.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: October 05, 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall. Virus Test Center Uni Hamburg has the
permission to use this analysis in their catalog. SHI
is not allowed to use this document in ANY way.
===================== End of Phantom Virus ============================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher