------------------------
Amiga Virus Encyclopedia
Traveling Jack 1 Virus
------------------------
== Computer Virus Catalog 1.2: Traveling Jack 1 Virus (18-Jan-93) ======
Entry...............: Traveling Jack 1 Virus
Alias(es)...........: Jack 1 Virus
Virus Strain........: Traveling Jack Virus Strain
Virus detected when.: 1991
               where.:
Classification......: Linkvirus(Extending), Not Resident,
                      variably self-encrypting.
Length of Virus.....: 1.Length on medium: variable, at least 2368
                      2.Length in RAM: $940=2368 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/1.3/2.04
Computer model(s)...: A500,A500+,A1000,A2000,A2500,A3000
--------------------- Attributes ---------------------------------------
Easy Identification.: Text in RAM, in file "VIRUS.XX" (where XX
                      are random numbers created through event
                      counter in CIA-A) and in root directories:
                      "The Traveling Jack....",$A,$A,$D
                      "I'm traveling from town to town looking for r"
                      "espect,",$A,$D
                      "and all the girls I could lay down make me go "
                      "erect.",$A,$A,$D
                      " -Jack, 21st of "
                      "September 1990",0
                      Length of File in root-directory: 198 bytes
Type of infection...: Self-Identification methods:
                        Checks for $4cfa6400 (=movem.l (PC)+,a2/a5/a6)
                        at DOS-Library ROM-Call-pointer
                      Infection:
                        -$20(DOS-Library node) (=pointer to
                        dos.library ROM-calls = dosbase+$2e)
                      File Infection:
                        Extends files by at least 2368 bytes
                        (+random value from rasterbeam-register)
                      Cannot handle following file (hunk)-types (skips):
                        HUNK_OVERLAY, HUNK_BREAK, HUNK_RELOC8
                      Infection starts if the following conditions hold:
                        - random (rasterbeam) matches comparevalue
                          (see below)
                        - DOS,0 Disk (old filesystem)
                        - Disk validated
                        - Path to the file is smaller than 38 chars
                        - Virus is able to allocate 8000+280 bytes
                          in memory
                        - file is executable
                        - file is larger than 2000 Bytes
                        - last 4 chars of filename are in (a-z,A-Z)
                        - last 4 chars of fn. are not "INFO"
                          (UPPER/LOWERCASE)
                        - filename is longer than 4 chars
                        - file does not consist of one of the above
                          hunk-types
                        - file is writeable.
Infection Trigger...: Random (VPOS,VHPOS=$dff004)
Storage media affected: Media formatted with Old-Filesystem
Interrupts hooked...: ---
Damage..............: Permanent Damage: Writes files "VIRUS.XX" into the
                        current root directory of ANY disk
                      Transient/Permanent damage: Potentially, some files
                        won't run after infection (due to
                        hunk-check-routines)
Damage Trigger......: Random ($dff004.l and #$1ff) < $80 -> infection
                                                   > $b0 < $e0 -> damage
Particularities.....: Virus checks at address $ffffffe8 for
                      #$fdfe6c48 and does not install itself if this
                      value is found. On normal systems this address is
                      a ROM address at $ffffe8; on turbo-32-bit Amigas
                      this could be a RAM address.
                      Virus is encrypted and modifies its encryption
                      routine code every new generation.
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .1 SnoopDos
                                  .2 AVM0.237
                                  .3 ---
                      Category 2: vt2.48,lvd
                      Category 3: vt2.48,virusz,vc6.03,lvd
                      Category 4: ---
                      Category 5: possible (see partic.)
                      Category 6: possible (not tested)
Countermeasures successful: vt2.48,virusz,vc6.03,avm0.237
Standard means......: vt2.48
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 18-January-1993
Information Source..: Reverse-Engineering of Virus Code
===================== End of "Traveling Jack"-Virus=====================