------------------------
Amiga Virus Encyclopedia
Traveling Jack 2 Virus
------------------------
== Computer Virus Catalog 1.2: Traveling Jack 2 Virus (20-FEB-1993) ====
Entry...............: Traveling Jack 2 Virus
Alias(es)...........: Jack 2 Virus
Virus Strain........: Traveling Jack Virus Strain
Virus detected when.: 1991
              where.:
Classification......: Linkvirus (Extending), Not Resident,
                      variable self-encryption.
Length of Virus.....: 1.Length on medium: variable, at least 2428 Bytes
                      2.Length in RAM: $97c=2428 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/1.3/2.04
Computer model(s)...: A500,A500+,A1000,A2000,A2500,A3000
--------------------- Attributes ---------------------------------------
Easy Identification.: Text in file "VIRUS.XX" (where XX are random
                      numbers created through event counter in CIA-A)
                      in root directories:
                      "The Traveling Jack....",$A,$A,$D
                      "I'm traveling from town to town looking for r"
                      "espect,",$A,$D
                      "and all the girls I could lay down make me go "
                      "erect.",$A,$A,$D
                      "                            -Jack, 21st of "
                      "September 1990",0
                      Length of file in root directory: 198 bytes.
                      Sometimes generates Write-Protect requester.
Type of infection...: Self-Identification methods:
                         Checks for $4cfa6400 (=movem.l (PC)+,a2/a5/a6)
                         at DOS-Library ROM-Call-pointer
                      Infection: -$20(DOS-Library node)
                         (=pointer to dos.library ROM-calls=dosbase+$2e)
                      File Infection: Extends files by at least
                         2368 bytes (+ random value from rasterbeam-
                         register)
                      Can't handle the following file (hunk) types (skips):
                         HUNK_OVERLAY, HUNK_BREAK, HUNK_RELOC8
                      Infection starts if the following conditions hold:
                         - Random (rasterbeam) matches compare value
                           (see below)
                         - DOS,0 Disk (old filesystem)
                         - Disk validated
                         - Path to the file is shorter than 38 chars
                         - Virus is able to allocate 8000+280 bytes
                           in memory
                         - File is executable
                         - File is larger than 2000 Bytes
                         - Last 4 chars of filename are in (a-z,A-Z)
                         - Last 4 chars of filename are not "INFO"
                           (UPPER/LOWERCASE)
                         - Filename is longer than 4 chars
                         - File does not consist of one of the
                           above hunk-types
                         - File is writeable.
Infection Trigger...: Random (VPOS,VHPOS=$dff004)
Storage media affected: Media formatted with Old-Filesystem.
Interrupts hooked...: ---
Damage..............: Permanent Damage: Writes files "VIRUS.XX" into the
                         current root directory of ANY disk
                      Transient/Permanent damage: Potentially some files
                         won't run after infection (due to hunk-check-
                         routines)
Damage Trigger......: random ($dff004.l and #$1ff) < $80 -> infection
                                                   > $b0 < $e0 -> damage
Particularities.....: Jack 2=Jack 1 + code routine for the infection/
                      damage routine + texts
                      Virus checks at address $ffffffe8 for #$fdfe6c48
                      and does not install itself if this value is
                      found. On normal systems this address is a ROM-
                      address at $ffffe8, on turbo-32-bit Amigas this
                      could be a RAM-address.
                      Virus is encrypted and modifies its encryption
                      routine code every new generation.
                      Some virus code is encrypted in RAM and will only
                      be decrypted when executed.
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .1 SnoopDos
                                  .2 AVM0.237
                                  .3 ---
                      Category 2: vt2.48,lvd
                      Category 3: vt2.48,virusz,vc6.03,lvd
                      Category 4: ---
                      Category 5: possible (see partic.)
                      Category 6: possible (not tested)
Countermeasures successful: vt2.48,virusz,vc6.03,avm0.237
Standard means......: vt2.48
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 18-January-1993
Information Source..: Reverse-Engineering of Virus Code
===================== End of "Traveling Jack 2"-Virus ==================