Traveling Jack 1 Virus - Amiga Virus Encyclopedia



== Computer Virus Catalog 1.2: Traveling Jack 1 Virus (18-Jan-93) ======
Entry...............: Traveling Jack 1 Virus
Alias(es)...........: Jack 1 Virus
Virus Strain........: Traveling Jack Virus Strain
Virus detected when.: 1991
Classification......: Linkvirus(Extending), Not Resident,
                         variably self-encrypting.
Length of Virus.....: 1.Length on medium: variable, at least 2368
                      2.Length in RAM:    $940=2368 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/1.3/2.04
Computer model(s)...: A500,A500+,A1000,A2000,A2500,A3000
--------------------- Attributes ---------------------------------------
Easy Identification.: Text in RAM, in file "VIRUS.XX" (where XX
                         are random numbers created through the event
                         counter in CIA-A) and in root directories:
                         "The Traveling Jack....",$A,$A,$D
                         "I'm traveling from town to town looking for r"
                         "and all the girls I could lay down make me go "
                         "                               -Jack, 21st of "
                         "September 1990",0
                      Length of File in root-directory: 198 bytes
Type of infection...: Self-Identification methods:
                         Checks for $4cfa6400 (=movem.l (PC)+,a2/a5/a6)
                         at DOS-Library ROM-Call-pointer
                         -$20(DOS-Library node) (=pointer to
                         dos.library ROM-calls = dosbase+$2e)
                      File Infection:
                         Extends files by at least 2368 bytes
                         (+random value from rasterbeam-register)
                      Cannot handle following file (hunk)-types (skips):
                         HUNK_OVERLAY, HUNK_BREAK,  HUNK_RELOC8
                      Infection starts if the following conditions hold:
                         - random (rasterbeam) matches comparevalue
                           (see below)
                         - DOS,0 Disk (old filesystem)
                         - Disk validated
                         - Path to the file is smaller than 38 chars
                         - Virus is able to allocate 8000+280 bytes
                           in memory
                         - file is executable
                         - file is larger than 2000 Bytes
                         - last 4 chars of filename are in (a-z,A-Z)
                         - last 4 chars of fn. are not "INFO"
                         - filename is longer than 4 chars
                         - file does not consist of one of the above
                         - file is writeable.
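The self-identification and infection preconditions listed above translate directly into a triage script for a disk image that has been extracted to a host directory. The following Python program is an added example, not code from the catalog entry or from the Virus Test Center: it walks the AmigaDOS hunk structure far enough to spot the three hunk types the virus skips, applies the path, size, filename and writability conditions from the list, and flags the 198-byte "VIRUS.XX" marker file by its text. The hunk block IDs are the standard AmigaDOS values; the two-character VIRUS.XX suffix pattern, the constructed sample executables, and the use of the host-relative path and host write bit in place of the Amiga path and protection bits are assumptions.

```python
import os
import re
import struct

# Standard AmigaDOS hunk block IDs (well-known values, not taken from the catalog entry).
HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_RELOC16, HUNK_RELOC8 = 0x3EC, 0x3ED, 0x3EE
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END, HUNK_HEADER = 0x3F0, 0x3F1, 0x3F2, 0x3F3
HUNK_OVERLAY, HUNK_BREAK = 0x3F5, 0x3F6
SKIPPED = {HUNK_RELOC8, HUNK_OVERLAY, HUNK_BREAK}   # hunk types the virus cannot handle

MARKER_RE = re.compile(r"^VIRUS\.\w\w$", re.IGNORECASE)  # "VIRUS.XX" (two-character suffix assumed)
MARKER_TEXT = b"The Traveling Jack"
MARKER_LEN = 198


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]


def hunk_ids(data):
    """Return the hunk IDs of an AmigaDOS load file, in order.

    Walks the header plus the hunk types the virus handles; stops after the
    first ID it skips (RELOC8/OVERLAY/BREAK) or does not recognise."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos = 4
    while _u32(data, pos):                      # resident library name strings (normally none)
        pos += 4 + 4 * _u32(data, pos)
    pos += 4
    _table_size, first, last = struct.unpack_from(">III", data, pos)
    pos += 12
    for _ in range(last - first + 1):           # hunk size table; flag value 3 adds an attribute word
        pos += 8 if (_u32(data, pos) >> 30) == 3 else 4
    ids = []
    while pos + 4 <= len(data):
        hid = _u32(data, pos) & 0x3FFFFFFF      # drop MEMF_CHIP/MEMF_FAST bits
        pos += 4
        ids.append(hid)
        if hid in SKIPPED:
            break
        if hid in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            pos += 4 + 4 * _u32(data, pos)      # length in longwords, then payload
        elif hid == HUNK_BSS:
            pos += 4
        elif hid in (HUNK_RELOC32, HUNK_RELOC16, HUNK_SYMBOL):
            while _u32(data, pos):              # (count, hunk-or-value, count longwords) until count 0
                pos += 8 + 4 * _u32(data, pos)
            pos += 4
        elif hid != HUNK_END:
            break
    return ids


def infection_preconditions(path, data, writable=True):
    """Apply the entry's file-level conditions; returns (eligible, list of failed conditions)."""
    name = re.split(r"[:/]", path)[-1]
    tail = name[-4:]
    checks = [
        (len(path) < 38, "path is not shorter than 38 chars"),
        (len(data) > 2000, "file is not larger than 2000 bytes"),
        (len(name) > 4, "filename is not longer than 4 chars"),
        (tail.isascii() and tail.isalpha(), "last 4 chars of filename are not in a-z/A-Z"),
        (tail.upper() != "INFO", "filename ends in INFO"),
        (writable, "file is not writeable"),
    ]
    failed = [why for ok, why in checks if not ok]
    try:
        hit = SKIPPED.intersection(hunk_ids(data))
    except (ValueError, struct.error):
        failed.append("not an executable hunk file")
    else:
        if hit:
            failed.append("contains hunk type(s) the virus skips: "
                          + ", ".join(hex(h) for h in sorted(hit)))
    return not failed, failed


def is_marker_file(name, data):
    """Match the 198-byte VIRUS.XX text file the virus writes into root directories."""
    return bool(MARKER_RE.match(name)) and len(data) == MARKER_LEN and MARKER_TEXT in data


def build_hunk(code=b"\x4e\x75" * 4, extra=b""):
    """Constructed sample: header, one CODE hunk (RTS instructions), optional extra block, END."""
    words = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, words)
            + struct.pack(">II", HUNK_CODE, words) + code
            + extra + struct.pack(">I", HUNK_END))


def triage(root):
    """Walk an extracted disk image; return (marker files, executables meeting the preconditions)."""
    markers, candidates = [], []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            if is_marker_file(fn, data):
                markers.append(full)
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")   # host path stands in for the Amiga path
            if infection_preconditions(rel, data, os.access(full, os.W_OK))[0]:
                candidates.append(full)
    return markers, candidates


if __name__ == "__main__":
    big = build_hunk(code=b"\x4e\x75" * 1200)                      # 2400-byte CODE hunk
    print(infection_preconditions("c/Format", big))                # (True, [])
    print(infection_preconditions("c/Format.info", big))           # fails: ends in INFO
    print(infection_preconditions("c/Format", build_hunk(code=b"\x4e\x75" * 1200,
                                  extra=struct.pack(">II", HUNK_RELOC8, 0))))  # fails: RELOC8
```

`triage(root)` returns two lists: files matching the marker text (evidence of the virus having run on that disk) and executables that satisfy every listed precondition, which are the ones worth checking against a scanner first; files that fail a condition are not proof of cleanliness, only of being outside the virus's own selection rule. The hunk walker deliberately stops at the first RELOC8, OVERLAY or BREAK block, matching the "skips" behaviour in the entry, so later hunks in such a file are not examined.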
Infection Trigger...: Random (VPOS,VHPOS=$dff004)
Storage media affected: Media formatted with Old-Filesystem
Interrupts hooked...: ---
Damage..............: Permanent Damage: Writes files "VIRUS.XX" into the
                         current root directory of ANY disk
                      Transient/Permanent damage: Potentially, some files
                         won't run after infection (due to hunk-check-
Damage Trigger......: Random ($dff004.l and #$1ff) < $80 -> infection
                                             > $b0 < $e0 -> damage
Particularities.....: Virus checks at address $ffffffe8 for
                         #$fdfe6c48 and does not install itself if this
                         value is found. On normal systems this address is
                         a ROM address at $ffffe8; on turbo 32-bit Amigas
                         this could be a RAM-address.
                      Virus is encrypted and modifies its encryption
                         routine code every new generation.
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .1 SnoopDos
                                  .2 AVM0.237
                                  .3 ---
                      Category 2: vt2.48,lvd
                      Category 3: vt2.48,virusz,vc6.03,lvd
                      Category 4: ---
                      Category 5: possible (see partic.)
                      Category 6: possible (not tested)
Countermeasures successful: vt2.48,virusz,vc6.03,avm0.237
Standard means......: vt2.48
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 18-January-1993
Information Source..: Reverse-Engineering of Virus Code
===================== End of "Traveling Jack"-Virus=====================

Virum Help Team
Denmark & Canada
Copyright © All rights reserved