------------------------
Amiga Virus Encyclopedia
Smeg Link Virus
------------------------
------------------------------------------------------------------------
Entry...............: Smeg
Alias(es)...........: Hostile Takeover 1
Virus Strain........: -
Virus detected when.: 19 September 1996
              where.: Belgium and France
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1900 Bytes
                         (uses a very simple engine)
                      2. Length in RAM: 2800 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: -
Type of infection...: Self-identification method in files:
                      - uses a bug in the BSTR routine of filecomment()
                        for the stealth routine
                      Self-identification method in memory:
                      - checks a special area of the TaskWait list
                      System infection:
                      - A new task is set up, named after the last
                        library found in the library list. Only 4 bytes
                        are reserved for the task name, but due to a
                        programming bug longer names can still be
                        created (e.g. "keymap").
                      - All devices with inserted volumes are infected
                        and new task code is inserted. The first part
                        of this code looks like BEOL code, the rest is
                        different.
                      Infection preconditions:
                      - HUNK_HEADER is found
                      - HUNK_CODE is found
                      - device is validated
                      - 10 free sectors
                      - filename does not start with "Vir"
                      - file is bigger than 8000 bytes
                      - file is smaller than 131072 bytes
Infection Trigger...: The infection is hooked into the packet handling
                      system of AmigaOS. Every started file is
                      infected; all synchronous DOS commands are
                      affected.
Storage media affected:
                      all DOS devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file
Particularities.....: The crypt/decrypt routines are aware of processor
                      caches, so the self-modified code also runs on
                      processors with an instruction cache (68020 and
                      later). The crypt routine is a simple polymorphic
                      decryptor built from a fixed sequence of logical
                      operations; only the key values change.
                      The packet handling works even on the new
                      developer OS versions.
                      The virus tunnels under DOS-call watchers such as
                      SnoopDos by using only low-level packet routines,
                      so patches on dos.library functions never see its
                      file access.
                      If the name of the accessed file starts with the
                      string "VIR" (case-insensitive), the file is not
                      infected.
Similarities........: The link method is the usual "hunk 1 add" method
                      invented by IRQ Team V41. The way the system is
                      infected is comparable to the first two BEOL
                      link viruses. The entry-jump calculation is an
                      advanced "JSR" search (with some simple bugs).
Stealth.............: No stealth engine
Armouring...........: The virus uses a static decryption block for its
                      code; only the crypt values differ.
                      The Resource disassembler has problems resolving
                      some of the entry points; IRA and D68k handle
                      them without trouble.
Comments............: At the end of the crypted block you can read:
                      'Smeg! It''s a Hostile TakeOver!'
                      '(Better call Markus!)'
                      It differs from other known packet link viruses
                      in that control is taken via AllocDosObj.
                      VirusWorkshop deactivates the virus's memory code
                      and stops the infection by patching some values
                      directly in the code. After all infected files
                      have been removed, please reset the machine so
                      that the patched code is gone completely.
--------------------- Agents -------------------------------------------
Countermeasures.....: VW 6.3 above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 22.09.1996.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 22. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication
===================== End of Smeg Virus =========================