Smeg Link Virus - Amiga Virus Encyclopedia


Amiga Virus Encyclopedia    
Smeg Link Virus

Entry...............: Smeg
Alias(es)...........: Hostile Takeover 1
Virus Strain........: -
Virus detected when.: 19 September 1996
              where.: Belgium and France
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:         1900 Bytes
                      (uses a very simple engine)
                      2. Length in RAM:                    2800 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - uses a bug in BSTR routine from filecomment() for
                        the stealth routine

                      Self-identification method in memory:

                      - checks a special area from the TaskWait list

                      System infection:

                      -  A new task will be set up with the name of the
                         last found library in the list. For the taskname
                         there are 4 bytes reserved, but due to a programming
                         bug, even longer names can be created (e.g. keymap)

                      -  All devices with inserted volumes will be infected
                         and a new taskcode will be inserted. The first parts
                         of the code look like a BEOL code, but the rest is

                      Infection preconditions:

                       - HUNK_HEADER is found
                       - HUNK_CODE is found
                       - device is validated
                       - 10 free sectors
                       - filename does not start with "Vir"
                       - file is bigger than 8000 bytes
                       - file is smaller than 131072 bytes

Infection Trigger...: The infection is based on the packet handling
                      system of AMIGA OS. Every started file will be
                      infected. All synchron dos commands are affected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - infecting a file

Particularities.....: The crypt/decrypt routines are aware of processor
                      caches. The cryptroutine is a simple polymorphic
                      decryptor and consists of some static logical stuff.
                      The packet handling works in even on the new developer
                      OS versions.

                      The virus tunnels doscall watcher like SnoopDos etc. by
                      using only lowlevel packet routines.

                      If the accessed file starts with the string "VIR"
                      (doesn`t depend on big or small letters), the file will
                      be not infected.
Similarities........: The link method is the normal "hunk 1 add" method
                      invented by IRQ Team V41. The way of infecting the
                      system is comparable to the first both BEOL linkviruses.
                      The entry jump calculation is an advanced "JSR" search
                      system (with easy bugs).

Stealth.............: No stealth engine

Armouring...........: The virus uses a static decryption block for its code
                      and only the cryptvalues differ.

                      The known Resource has some problems to resolve some
                      entry points. IRA and D68k have no problems with that.

Comments............: At the end of the crypted block you can read:
                      'Smeg! It''s a Hostile TakeOver!'
                      '(Better call Markus!)'

                      It differs to other known packet linkviruses in the
                      point that the control will be made via AllocDosObj.

                      VirusWorkshop deactivates the memorycode from the
                      virus and stops the infection by patching some values
                      directly in the code. After removed all viruses, please
                      reset, as the patch has to be removed 100%.

--------------------- Agents -------------------------------------------

Countermeasures.....: VW 6.3
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 22.09.1996.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep, 22. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of Smeg Virus =========================

Virum Help Team
Denmark & Canada
Copyright © All rights reserved