Entry...............: Smeg2
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: July 2001
              where.: internet
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:
                                                     type A 1556 Bytes
                                                     type B 1604 Bytes
                      2. Length in RAM:              about 2100 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:

                      - via otherwise unused bits in the file's DOS
                        (protection) flags

                      Self-identification method in memory:

                      - checks for a process named 'SMG'

                      System infection:

                      -  A new process named 'SMG' is created; this is
                         the only visible change in the system. The
                         process infects files using the known Smeg
                         code, but the way it obtains its targets is new.
                      -  The virus patches the return address of the
                         Wait() call on the stacks of the DOS device
                         (filesystem handler) tasks. This is a very
                         clever idea: it lets the virus hook handlers
                         whose code is located in ROM, where it cannot
                         be patched in place. The LOCATE_OBJECT and
                         EXAMINE_NEXT DOS packets are then intercepted.

                      Infection preconditions:

                       - HUNK_HEADER is found
                       - HUNK_CODE is found
                       - the device is validated
                       - at least 6 free blocks on the device
                       - the filename does not start with "vir" or "saf"
                         (case-insensitive check)
                       - the file is bigger than 40 bytes
                       - the file is smaller than 100377 bytes

Infection Trigger...: Infection is driven by the DOS packet handling of
                      AmigaOS: every file that is started or listed
                      (e.g. shown in a directory listing) can be infected.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none

Particularities.....: The stack patches are done very cleverly and the
                      code is flexible enough to handle the differences
                      between OS versions (including ones newer than 3.1).
                      Most of the code is identical to the first Smeg
                      virus. If the name of the accessed file starts with
                      "VIR" or "SAF" (case-insensitive), the file is not
                      infected.

                      Type A lacks some of the things mentioned in this
                      analysis. It:
                      - is not encrypted
                      - does not test for "SAF"
                      - does not test the lower bound of the file size

Similarities........: The link method is comparable to that of other
                      viruses which extend the first hunk.
                      The instruction move.l 4.w,a6 (the load of
                      ExecBase) is replaced with a call to the virus.
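
                      The infection preconditions listed above and the
                      link method described here can be turned into a
                      scanner-side check. The following is an added
                      example, not code from the virus, from this analysis
                      or from the VTC: it parses an Amiga hunk executable
                      far enough to test for HUNK_HEADER and HUNK_CODE,
                      applies the size and filename rules (with the
                      type A / type B differences), and locates the
                      move.l 4.w,a6 load of ExecBase that this family
                      replaces with a call. The hunk block identifiers
                      (0x3F3, 0x3E9, ...) and the opcode bytes 2C78 0004
                      are the standard AmigaOS and MC68000 values; the
                      sample executable is constructed inline; the
                      device-level conditions (validated device, six free
                      blocks) are not modelled; all function and constant
                      names are the example's own.

```python
import struct

# Block identifiers of the AmigaOS hunk executable format (standard values).
HUNK_HEADER, HUNK_CODE, HUNK_DATA = 0x3F3, 0x3E9, 0x3EA
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2

# Size bounds from the description; the lower bound is only checked by type B.
MAX_TARGET_SIZE = 100377
MIN_TARGET_SIZE = 40
# Skipped filename prefixes (case-insensitive); type A only knows "vir".
SKIPPED_PREFIXES = {"A": ("vir",), "B": ("vir", "saf")}

# move.l 4.w,a6: opcode 0x2C78 followed by the absolute short address 0x0004.
EXECBASE_LOAD = bytes.fromhex("2C780004")

def _u32(data, off):
    """Big-endian longword at `off`; a short read means a truncated file."""
    if off + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack_from(">I", data, off)[0]

def parse_hunk_file(data):
    """Return (block_ids, code_hunks), or (None, []) if there is no HUNK_HEADER."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        return None, []
    off = 4
    while True:  # resident library names: (longword count, chars)*, then 0
        n = _u32(data, off)
        off += 4
        if n == 0:
            break
        off += n * 4
    first, last = _u32(data, off + 4), _u32(data, off + 8)
    off += 12  # table size, first hunk, last hunk
    for _ in range(last - first + 1):  # per-hunk sizes carry memory-flag bits
        size = _u32(data, off)
        off += 4
        if (size & 0xC0000000) == 0xC0000000:  # explicit memory type follows
            off += 4
    ids, code_hunks = [], []
    while off + 4 <= len(data):
        hid = _u32(data, off) & 0x3FFFFFFF  # strip CHIP/FAST flag bits
        off += 4
        ids.append(hid)
        if hid in (HUNK_CODE, HUNK_DATA):
            n = _u32(data, off) & 0x3FFFFFFF
            off += 4
            payload = data[off:off + n * 4]
            if len(payload) != n * 4:
                raise ValueError("truncated hunk file")
            off += n * 4
            if hid == HUNK_CODE:
                code_hunks.append(payload)
        elif hid == HUNK_RELOC32:
            while True:  # (count, target hunk, offsets...)*, ended by count 0
                count = _u32(data, off)
                off += 4
                if count == 0:
                    break
                off += 4 + count * 4
        elif hid != HUNK_END:
            break  # bss/symbol/debug blocks: the first code hunk is in hand
    return ids, code_hunks

def is_smeg2_target(filename, data, variant="B"):
    """File-level preconditions -> (is_target, reason).  The device-level ones
    (validated device, six free blocks) depend on filesystem state: not modelled."""
    name = filename.rsplit("/", 1)[-1].rsplit(":", 1)[-1].lower()
    if name.startswith(SKIPPED_PREFIXES[variant]):
        return False, "filename prefix"
    if variant == "B" and len(data) <= MIN_TARGET_SIZE:
        return False, "file too small"
    if len(data) >= MAX_TARGET_SIZE:
        return False, "file too large"
    try:
        ids, code_hunks = parse_hunk_file(data)
    except ValueError as exc:
        return False, str(exc)
    if ids is None:
        return False, "no HUNK_HEADER"
    if not code_hunks:
        return False, "no HUNK_CODE"
    return True, "target"

def find_execbase_load(code):
    """Offset of the first move.l 4.w,a6 in a code hunk, or -1 if absent."""
    return code.find(EXECBASE_LOAD)

def build_hunk_file(code):
    """Constructed sample: a single-hunk executable wrapping `code`."""
    code += b"\0" * (-len(code) % 4)  # hunk sizes are counted in longwords
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, len(code) // 4)
            + struct.pack(">II", HUNK_CODE, len(code) // 4) + code
            + struct.pack(">I", HUNK_END))

# Constructed 68k stub: move.l 4.w,a6 ; moveq #0,d0 ; rts
SAMPLE_CODE = EXECBASE_LOAD + bytes.fromhex("70004E75")
SAMPLE_FILE = build_hunk_file(SAMPLE_CODE)
```

                      Calling is_smeg2_target("SafeSys", SAMPLE_FILE, "B")
                      returns (False, "filename prefix") while the same
                      call with variant "A" returns (True, "target"), and
                      a 36-byte executable with an empty code hunk is a
                      target for type A but "file too small" for type B.
                      find_execbase_load() on the first code hunk gives
                      the offset a scanner would compare against the
                      original bytes 2C78 0004 to spot a replaced
                      ExecBase load.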

Stealth.............: -

Armouring...........: Nothing special.

Comments............: The virus contains the following text block:

Smeg! it's a Hostile TakeOver! (Again!)
And just when you thought it was safe..
Flake and Georg have left the building!
-= On Tour 1995-2001 =-

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: July 2001
Information Source..: virus disassembly, SMEG1 source code
Copyright...........: This document is public domain.

===================== End of Smeg2 Virus =========================