Polyzygotronifikator Link Virus - Amiga Virus Encyclopedia
VIRUS HELP TEAM
-------------------------------
Amiga Virus Encyclopedia
Polyzygotronifikator Link Virus
-------------------------------
Polyzygotronifikator Link Virus:
This is a classical link virus, which was sent to me as a very
clever virus with a polymorphic routine that was supposedly
excellently coded. To be clear: in my opinion this virus is quite
well coded, but nothing special. It took 4 hours to write the
complete repair routines and test them...
Works with Kickstart 2.0 and higher, based on the internal patch
routines for the LoadSeg vector of DOS. No other vectors are
changed.
At the start of the virus, it searches memory for the SnoopDos
task. If it exists, the virus won't start.
The virus adds no hunk to the infected file, but enlarges the
first code hunk. A speciality is that the virus contains a
little workaround for problems that other viruses (like
Infiltrator) had with packed files which are not 100 %
Amiga (no need to mention C= here) conformant (Imploder library).
The virus itself is 1196 bytes big and the crypt routine, which
is polymorphic, is 44 bytes long. The crypt routine is polymorphic
only in the sense that it puts some garbage between the single
instructions and uses some registers differently, and nothing
else. No complicated stuff like in the Crime'92 virus.
The virus searches for the "move.l 4,a6" instruction and replaces
it with an ordinary jump to its own code. The virus recognizes
whether it has already infected a file or not. This self-test
routine checks only one single word and is not that secure. Virus-
Workshop now uses 4 longwords to detect the virus in files.
The virus identifies itself with the word 1994 in memory and
on disk. In memory it searches for "1994" and in files it
looks for $1994 (a word). As a result, this virus links only once
to a file and nothing more. The virus does not link to
other files if the device contains fewer than $1f40 sectors.
The virus contains no real destruction routine and expects the
first hunk to be the code hunk.
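The file-side checks described above, as an added example (not VirusWorkshop's or the author's code): a minimal Amiga hunk-file parser that pulls out the first code hunk, then flags whether its entry is still "move.l 4.w,a6", whether it was replaced by a jump, and whether the $1994 marker word appears anywhere in that hunk. The hunk ids and the 68k encodings are standard; treating "jump at entry plus marker word" as suspicious is this example's own heuristic, and the sample executables are constructed.

```python
import struct

# Amiga hunk-file block ids (standard AmigaDOS values)
HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
MOVE_L_4_A6 = b"\x2C\x78\x00\x04"   # 68k encoding of "move.l 4.w,a6"
MARKER_WORD = 0x1994                 # word the text says the virus looks for in files

def first_code_hunk(data: bytes) -> bytes:
    """Parse the hunk header and return the bytes of the first hunk, which must be HUNK_CODE."""
    pos = 0
    def u32() -> int:
        nonlocal pos
        v, = struct.unpack_from(">I", data, pos)
        pos += 4
        return v
    if u32() != HUNK_HEADER:
        raise ValueError("not an Amiga hunk file")
    while (n := u32()) != 0:              # resident library name table (normally empty)
        pos += n * 4
    _table_size, first, last = u32(), u32(), u32()
    pos += (last - first + 1) * 4         # skip the per-hunk size table
    if (u32() & 0x3FFFFFFF) != HUNK_CODE: # mask off MEMF_CHIP/MEMF_FAST flag bits
        raise ValueError("first hunk is not a code hunk")
    n = u32()
    return data[pos:pos + n * 4]

def classify(data: bytes) -> dict:
    """Heuristic flags; the jump-plus-marker combination is this example's assumption."""
    code = first_code_hunk(data)
    opcode, = struct.unpack_from(">H", code, 0)
    words = [struct.unpack_from(">H", code, i)[0] for i in range(0, len(code) - 1, 2)]
    return {
        "starts_with_move_l_4_a6": code.startswith(MOVE_L_4_A6),
        # jmp abs.l (4EF9), jmp (d16,pc) (4EFA), bra (60xx) or bsr (61xx) at the entry point
        "starts_with_jump": opcode in (0x4EF9, 0x4EFA) or (opcode >> 8) in (0x60, 0x61),
        "has_marker_word": MARKER_WORD in words,
    }

def build_hunk_file(code: bytes) -> bytes:
    """Constructed one-hunk executable for testing: header, HUNK_CODE, HUNK_END."""
    n = (len(code) + 3) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">II", HUNK_CODE, n) + code.ljust(n * 4, b"\0") + struct.pack(">I", HUNK_END)

# Constructed samples: a normal entry (move.l 4.w,a6 / rts), and one whose entry was
# replaced by "jmp $1000.l" followed by the $1994 marker word and rts.
CLEAN_CODE = b"\x2C\x78\x00\x04\x4E\x75"
SUSPECT_CODE = b"\x4E\xF9\x00\x00\x10\x00\x19\x94\x4E\x75"
```

Calling classify(build_hunk_file(SUSPECT_CODE)) sets all three flags the way an infected entry would look, while the clean sample only reports the normal "move.l 4.w,a6" start.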
In the decrypted virus, you can read:
"Don't think about it! You're simply infected with the
Polyzygotronifikator... (Polymorph version)"
This virus probably comes from Germany, because of the "k" in
the name. An English-speaking coder would have written the name
as "Polyzygotronificator" instead of "Polyzygotronifikator".
This is just some sort of combination, but I think this is quite
an interesting idea by Ingo Schmidt.
VirusWorkshop is able to remove the virus, and the repaired file
should work 100%. Better try it with a copy, just for security
reasons.
Detection tested 05.08.1994
Comment 11.12.1994:
Another virus checker/killer appeared which recognizes this virus.
Its repair routine does not correct the length of the first hunk;
it only reinserts the "move.l 4.w,a6" and nothing more. VT 2.69
and VW v4.5 still detect Polyzygotronifikator in the file, because
it is still present there. This is the same virus killer which is
not able to remove and detect the Crime'92 virus correctly, or at
all (in a time of 14 months!!!!)
Please judge for yourself, but the German virus killer programmers
do not have the task of correcting the bugs made by other virus
killers! The same problem appears with the Commander link virus!
Please judge for yourself!
Comment 27.02.1995:
If you activated Decrunch and then checked a file which was
first packed and then infected with this virus, it could give
Enforcer hits. Fixed now.
Test by Markus Schmall.