Polyzygotronifikator LinkVirus:
        -------------------------------


        This is a classical linkvirus, which was sent to me as a
        very clever virus with a polymorphic routine that was
        supposed to be excellently coded. To be clear: in my opinion
        this virus is quite well coded, but nothing special. It took
        4 hours of work to write the complete repair routines and
        to test them...

        It works on Kickstart 2.0 and higher and relies on the
        internal patch routines to hook the LoadSeg vector of DOS.
        No other vectors are changed.

        When the virus starts, it searches memory for the SnoopDos
        task. If that task exists, the virus does not start.

        The virus adds no hunk to the infected file but enlarges the
        first code hunk. A speciality is that the virus contains a
        little workaround for the problems other viruses (like
        Infiltrator) had with packed files (Imploder library) which
        are not 100 % AMIGA conform (no need to mention C= here).

        The virus itself is 1196 bytes long and the crypt routine,
        which is polymorphic, is 44 bytes long. The polymorphism
        only consists of inserting some garbage between the single
        commands and using some registers differently, nothing
        else. No complicated stuff like in the Crime`92 virus.

        The virus searches for the "move.l 4,a6" command and
        replaces it with an ordinary jump to its own code. The
        virus recognizes whether it has already infected a file or
        not. This self-test routine checks only one single word and
        is not that secure. VirusWorkshop now uses 4 longwords to
        detect the virus in files.

        The virus identifies itself with the word 1994 in memory and
        on disk. In memory it searches for "1994" and in files it
        looks for $1994 (a word). As a result, this virus links only
        once to a file and nothing more. The virus does not link to
        other files if the device contains less than $1f40 sectors.

        The virus contains no real destruction routine and expects
        the first hunk to be the code hunk.

        In the decrypted virus, you can read:

        "Don`t think about it! You`re simply infected with the
        Polyzygotronifikator... (Polymorph version)"

        This virus probably comes from Germany, because of the "k" in
        the name. An English-speaking coder would have written the
        name as "Polyzygotronificator" instead of
        "Polyzygotronifikator". This is just some kind of word
        combination, but I think it is quite an interesting idea by
        Ingo Schmidt.

        VirusWorkshop is able to remove the virus and the repaired
        file should work 100%. Better try it on a copy first, just
        for security reasons.


                                        Detection tested 05.08.1994.


        Comment 11.12.1994: Another viruschecker/killer appeared which
        recognizes this virus. Its repair routine does not correct the
        length of the first hunk; it only reinserts the "move.l 4.w,a6"
        and nothing more. VT 2.69 and VW 4.5 still detect the
        Polyzygotronifikator in the file, because it is still present
        there. This is the same viruskiller which is not able to
        detect and remove the Crime`92 virus correctly, or at all (in
        a time of 14 months!!!!). Please judge for yourself, but the
        German viruskiller programmers do not have the task of
        correcting the bugs made by other viruskillers! The same
        problem appears with the Commander linkvirus! Please judge
        for yourself!
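        To illustrate the file-side check described above (the $1994
        marker word in the first code hunk and the "move.l 4.w,a6"
        instruction the virus overwrites) and why the incomplete repair
        mentioned in the comment of 11.12.1994 is still detected, here is
        an added example in Python. It is not VirusWorkshop code and not
        part of the original text: it parses the AmigaOS hunk format,
        locates the first code hunk and reports the marker word and
        whether the original "move.l 4.w,a6" instruction is present. The
        three sample files are constructed inside the script (a tiny
        placeholder body of nops stands in for the virus; no real virus
        code is included). The single-word marker check is the weak one
        the text describes; the four-longword signature VirusWorkshop
        uses is not given on this page and is not reproduced here.

```python
import struct

# AmigaOS hunk-format block identifiers
HUNK_HEADER  = 0x3F3
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2

MOVE_L_4_A6 = b"\x2c\x78\x00\x04"   # 68000 encoding of "move.l 4.w,a6"
MARKER_WORD = b"\x19\x94"           # the $1994 word the virus leaves in a file


def _u32(data, off):
    # big-endian longword with the memory-type flag bits masked off
    return struct.unpack_from(">I", data, off)[0] & 0x3FFFFFFF


def first_code_hunk(data):
    """Return (offset, size) of the body of the first HUNK_CODE block, or None."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        return None
    off = 4
    while _u32(data, off) != 0:            # skip resident library name strings
        off += 4 + 4 * _u32(data, off)
    off += 4
    _table_size, first, last = struct.unpack_from(">III", data, off)
    off += 12 + 4 * (last - first + 1)     # skip the per-hunk size table
    while off + 4 <= len(data):
        kind = _u32(data, off)
        off += 4
        if kind in (HUNK_CODE, HUNK_DATA):
            size = 4 * _u32(data, off)
            off += 4
            if kind == HUNK_CODE:
                return off, size
            off += size
        elif kind == HUNK_BSS:
            off += 4                       # size only, no body in the file
        elif kind == HUNK_RELOC32:
            while True:                    # (count, hunk, offsets...) groups, 0-terminated
                n = _u32(data, off)
                off += 4
                if n == 0:
                    break
                off += 4 + 4 * n
        elif kind != HUNK_END:
            return None                    # block type not handled by this example
    return None


def scan(data):
    """Heuristic check of the first code hunk for the single-word infection marker."""
    hunk = first_code_hunk(data)
    if hunk is None:
        return {"parsed": False}
    off, size = hunk
    body = data[off:off + size]
    # 68000 code is word aligned, so only even offsets can hold the marker word
    marker_offsets = [i for i in range(0, len(body) - 1, 2) if body[i:i + 2] == MARKER_WORD]
    return {
        "parsed": True,
        "code_size": size,
        "has_move_l_4_a6": MOVE_L_4_A6 in body,
        "marker_offsets": marker_offsets,
        "suspicious": bool(marker_offsets),
    }


def build_hunk(code):
    """Constructed single-hunk executable: header table lists one hunk of len(code)/4 longwords."""
    assert len(code) % 4 == 0
    n = len(code) // 4
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", n)
            + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END))


# Constructed samples; STUB is a placeholder, not the real virus body.
CLEAN_CODE = MOVE_L_4_A6 + b"\x70\x00\x4e\x75"                  # move.l 4.w,a6 / moveq #0,d0 / rts
STUB = MARKER_WORD + b"\x4e\x71" * 5                              # marker word followed by nops
INFECTED_CODE = b"\x60\x00\x00\x06" + CLEAN_CODE[4:] + STUB       # bra.w +6 jumps to the appended stub
SLOPPY_REPAIR_CODE = MOVE_L_4_A6 + CLEAN_CODE[4:] + STUB          # jump reverted, hunk not shortened

CLEAN = build_hunk(CLEAN_CODE)
INFECTED = build_hunk(INFECTED_CODE)
SLOPPY_REPAIR = build_hunk(SLOPPY_REPAIR_CODE)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("infected", INFECTED), ("sloppy repair", SLOPPY_REPAIR)):
        print(name, scan(sample))
```

        The "sloppy repair" sample models the case from the comment:
        the original instruction is back, but the first code hunk still
        has its enlarged size and still carries the marker, so the
        check keeps flagging the file until the hunk is shortened to
        its original length.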

        Comment 27.02.1995: If you activated Decrunch and then checked
        a file which was first packed and then infected with this
        virus, Enforcer hits could occur. Fixed now.


        Test by Markus Schmall.
