Port-2421 Virus (Vaginitis Clone) - Amiga Virus Encyclopedia

VIRUS HELP TEAM






---------------------------------------------------------------------------

Entry...............: PORT-2421
Alias(es)...........: VaginitisClone
Virus Strain........: none
Virus detected when.: 5.2000
              where.: England
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         700 Bytes
                      2. Length in RAM:                   2048 Bytes

--------------------- Preconditions ---------------------------------------

Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ------------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none (the virus infects only C:mount)

                      Self-identification method in memory:

                      - checks for $60f0 at LoadSeg patch offset -2

                      System infection:
                      -  infects the following function:
                         Dos LoadSeg()


                      Infection preconditions:

                      - Hunk Code is found
                      - File is not infected already (double
                        infections are impossible)
                      - device is validated
                      - device contains free blocks


Infection Trigger...: Direct access to C:mount

Storage media affected:
                      C:

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: The installer infects only one file, C:mount.
                      The code of the Vaginitis/Fungus virus is used
                      here only to add a TCP: new-shell opener to
                      the system.
                      The virus performs:
                      run >nil: newshell TCP:2421
                      
Similarities........: The link method is enlarging the first hunk.
                      The last RTS is overwritten with a NOP.
                      The whole code is 95% identical to the
                      Fungus/Vaginitis viruses.

Stealth.............: Only one file is infected.

Armouring...........: very simple EOR crypter with static key $DEAD


Comments............: The virus is installed by the fake utility Jizzer.
                      The virus code is stored there manually.

--------------------- Agents -------------------------------------------

Countermeasures.....: -
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland  23.6.2000
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 23.6.2000
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain

===================== End of Vaginitis 2421=============================
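
Added example (not part of the original entry and not Virus Help Team code): a file check built from the attributes above, which parses an AmigaDOS load file, takes the first code hunk, and looks for the TCP:2421 shell target under the static $DEAD EOR key. It assumes the key is applied as a repeating two-byte pattern over the virus body and that the command string sits inside the encrypted region; the entry states neither, and the function names and the sample builder are illustrative.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
KEY = bytes.fromhex("DEAD")   # static EOR key named in the entry
MARKER = b"TCP:2421"          # from the command line quoted in the entry

def first_code_hunk(data):
    """Return the body of the first HUNK_CODE in an AmigaDOS load file, else None."""
    def u32(off):
        if off < 0 or off + 4 > len(data):
            raise ValueError("truncated or malformed hunk file")
        return struct.unpack_from(">I", data, off)[0]
    try:
        if u32(0) != HUNK_HEADER:
            return None
        off = 4
        while (n := u32(off)) != 0:          # skip resident library names
            off += 4 + 4 * n
        first, last = u32(off + 8), u32(off + 12)
        off += 16 + 4 * (last - first + 1)   # past terminator, counts, size table
        if (u32(off) & 0x3FFFFFFF) != HUNK_CODE:
            return None
        size = 4 * (u32(off + 4) & 0x3FFFFFFF)
        body = data[off + 8:off + 8 + size]
        return body if len(body) == size else None
    except ValueError:
        return None

def xor_key(buf, phase):
    """EOR buf with the repeating 2-byte key, starting at key byte `phase` (assumed scheme)."""
    return bytes(b ^ KEY[(i + phase) & 1] for i, b in enumerate(buf))

def scan_mount(data):
    """Classify a C:mount image: does its first code hunk hide MARKER under the key?"""
    body = first_code_hunk(data)
    if body is None:
        return "not-a-load-file"
    hit = any(MARKER in xor_key(body, phase) for phase in (0, 1))
    return "suspicious" if hit else "clean"

def build_sample(code):
    """Constructed test input: a one-hunk load file with `code` as its code hunk."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    return struct.pack(">8I", HUNK_HEADER, 0, 1, 0, 0, n, HUNK_CODE, n) + code \
        + struct.pack(">I", HUNK_END)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, scan_mount(open(path, "rb").read()))
```

A "suspicious" result only means the marker string decodes under the key; confirm with a maintained Amiga virus checker before replacing C:mount.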





Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk