Strange Atmosphere Link Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




-----------------------------
Amiga Virus Encyclopedia
Strange Atmosphere Link Virus
-----------------------------


-----------------------------------------------------------------------
    
Entry...............: Strange Atmosphere
Alias(es)...........: SA Virus
Virus Strain........: -
Virus detected when.: 2/1996
              where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium:      1232 Bytes
                      2. Length in RAM:                $2710 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      Caches may cause problems during the decoding
                      process

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Linkvirus

                      Self-identification method in files:
                      -  Searches for $1080402 at the end of the first
                         code hunk

                      Self-identification method in memory:
                      -  Checks for $3d385e29 at position -6 of the
                         LoadSeg() address

                      System infection: 
                      -  RAM resident, infects the LoadSeg() DOS function
                      -  DoIO() exec function and Coolcapture will be
                         infected only under special conditions

                      Infection preconditions:
                       - File to be infected is bigger than $a28 bytes
                       - The file is not already infected
                       - HUNK_HEADER and HUNK_CODE are found
                       - HUNK_HEADER structure is valid
                       - There must be 4 free blocks on the disc
                       - File is shorter than 290000 bytes
                       - The length of the first hunk must be exactly the
                         same as written in the hunk header structure
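As an added illustration, not part of the original entry, the following Python walks an AmigaDOS hunk file the way a scanner would when looking for the self-identification mark described above: it parses the hunk header, finds the first code hunk, checks that its declared length matches the bytes present, and tests whether its final longword is $1080402. The hunk ids are the standard AmigaDOS values; it is my assumption that the first hunk in the file is the code hunk and that "at the end" means the last longword of that hunk. The samples are constructed and contain no viral code.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2  # standard AmigaDOS hunk ids
SA_MARKER = 0x01080402  # self-identification value from the entry above

def _u32(buf, off):
    """Read one big-endian longword (the hunk format is big-endian, 68k style)."""
    return struct.unpack_from(">I", buf, off)[0]

def first_code_hunk(data):
    """Return the payload of the first code hunk, or None if the file is not a hunk
    executable whose first hunk is HUNK_CODE (assumed) with a consistent length."""
    if len(data) < 8 or _u32(data, 0) != HUNK_HEADER:
        return None
    off = 4
    while _u32(data, off):                  # skip resident library name strings
        off += 4 + 4 * _u32(data, off)
    off += 4                                # terminating zero longword
    first, last = _u32(data, off + 4), _u32(data, off + 8)
    off += 12                               # table size, first hunk, last hunk
    for _ in range(last - first + 1):       # hunk size table, one longword each
        if _u32(data, off) >> 30 == 3:      # extended memory-type entry follows
            off += 4
        off += 4
    if off + 8 > len(data) or (_u32(data, off) & 0x3FFFFFFF) != HUNK_CODE:
        return None
    n = _u32(data, off + 4)                 # payload size in longwords
    payload = data[off + 8: off + 8 + 4 * n]
    return payload if len(payload) == 4 * n else None

def is_sa_marked(data):
    """True if the last longword of the first code hunk is the SA marker."""
    payload = first_code_hunk(data)
    if payload is None or len(payload) < 4:
        return False
    return _u32(payload, len(payload) - 4) == SA_MARKER

def build_hunk_file(code_longs):
    """Construct a minimal one-hunk executable: header, one HUNK_CODE, HUNK_END."""
    n = len(code_longs)
    out = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    out += struct.pack(">II", HUNK_CODE, n)
    out += b"".join(struct.pack(">I", w) for w in code_longs)
    return out + struct.pack(">I", HUNK_END)

# Constructed samples: a tiny clean program (NOP; RTS) and a file whose first
# code hunk ends with the marker longword only (no viral code present).
CLEAN_SAMPLE = build_hunk_file([0x4E714E75])
MARKED_SAMPLE = build_hunk_file([0x4E714E75, SA_MARKER])
```

Calling is_sa_marked() on a real file only tells you the marker is present; a scanner such as the ones listed under Countermeasures still needs the virus body itself to confirm an infection.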

Infection Trigger...: Accessing the file
                       
Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage: 
                      - Files will be trashed (depends on the raster beam)
                      - Devices will be overwritten (depends on the raster beam)
                      Transient damage: 
                      - The system locks up on reset and a new copperlist
                        is shown, which displays the German flag.
            
Damage Trigger......: Permanent damage:
                      - Internal counter
                      Transient damage: 
                      - Internal counter

Particularities.....: The crypt/decrypt routines are not aware of processor
                      caches. The installer code in several files works
                      correctly on higher processors. The link code checks for
                      the correct length of the first hunk to avoid problems
                      with unusual packers.

Similarities........: Link-method in the executable files is the simple "link
                      behind the first hunk" method without any special tricks.

Stealth.............: The virus uses normal DOS commands (no tunneling
                      via packets), so normal DOS call watchers like SnoopDos
                      can prove the infection behaviour.
                      There are no stealth routines built in.

Armouring...........: The virus uses only one armouring technique to protect
                      its code: a normal crypt routine that hides
                      the viral structures. Heuristic checkers like the one
                      in VirusWorkshop can find the dangerous parts, and VW
                      gives you the rating "Virus!".

Name................: In the encrypted part there is the following string:
                             '-+* Strange Atmosphere [gOOd] *+-'

                      If the internal counter reaches 50, the word "gOOd" will
                      be replaced by "eVIL" and the destructive code will be
                      activated.


--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.81, VW6.0
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 04.03.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: March 1996
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall
Special note........: Virus Test Center Hamburg and Virus Help Team DK
                      are expressly allowed to use this analysis in their
                      own productions. All other groups/institutions
                      please contact me first.

===================== End of Strange Atmosphere Virus ============================

Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher

Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk