VTek22 Link Virus & Dropper - Amiga Virus Encyclopedia

VIRUS HELP TEAM




    ---------------------------
    Amiga Virus Encyclopedia
    VTek22 Link Virus & Dropper
    ---------------------------

 
    VTek22 link virus and its installer:

    Around March 1995 a new version of VTek22 was found, which has some
    internal changes and increases the file length by a different amount.

    Warning! The file "viewtek22.lha" contains a new link virus!
    The virus was uploaded to a box in Hannover around 24.08.1994. We
    got the first phone calls concerning this virus around 29.08.1994
    and spread short warning texts in Hannover, and some days later a
    warning appeared in the German Z-Netz. The description of this
    archive says that it contains a new update of the well-known viewtek
    program by tek. If you unpack the whole archive, you will find a
    guide file and the viewtek main file. The main file is 93844 bytes
    long and contains the installer for the new link virus.

    The virus itself is located in the second hunk. The first hunk is
    848 bytes long and contains some strange text strings:

    'dos.library'
    'S:HauptPfad'
    'User/SysOp/UserDaten'
    'BoxDaten/BoxParameter'
    'User/xxxxxxxx/.INDEX'
    'User/xxxxxxxx/.TXT'
    'Absender  : KFUserCheck'
    'Betreff   : Bitte lesen >NEUERUSER.TXT<'
    'Datum     : 10.08.1994'
    'Uhrzeit   : 20:50:58'
    'Bytes     : 1024'
    'Empfänger : xxxxxxxx'
    '09.08.1994 23.45.16    1 Asc SYSop'
    'Neueintraege'

    The archive contains only one mailbox advertisement from a box
    in Hannover. I met the sysop of this box and got the
    name of the uploader of the file. The username is xxxxxxxx
    (the same as in the ASCII text of the installer).
    The installer is a modified viewtek 2.1.378 version dated
    17.02.1994. In my opinion the first hunk is something like
    a FASTCALL hacking system, which is maybe able to modify user data
    and some other box parameters. It's possible that this file was
    not uploaded by xxxxxx but by somebody else, and that the sysop of
    this board activated this virus and the user data etc. were
    completely changed.

    But now to the exact description of this virus:
    -----------------------------------------------

    Link method: adds a new hunk to the file ($3ed longwords = Type A)
                                              ($462 longwords = Type B)

    Increases file length by:   4036 bytes (Type A)
                                4504 bytes (Type B)
    Kickstart version required: KS V37.xx or higher
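    As an added defensive example (not from the original page or the Virus
    Help Team), the following Python parses the hunk header of an Amiga
    executable, lists its hunk sizes and flags a trailing hunk of $3ed or
    $462 longwords. It also shows that one extra hunk of n longwords grows
    the file by 4*(n+4) bytes (table entry, hunk type, length word and
    HUNK_END), which reproduces the 4036 and 4504 byte figures above. The
    sample files are constructed in build_sample(); the hunk-type constants
    are the standard AmigaDOS values.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
# Sizes (in longwords) of the hunk VTek22 appends, as reported on the page.
VTEK22_HUNK_SIZES = {0x3ED: "Type A", 0x462: "Type B"}

def u32(data, pos):  # one big-endian longword; raises on a truncated file
    if pos + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack(">I", data[pos:pos + 4])[0]

def parse_hunk_table(data):  # hunk sizes (longwords) from HUNK_HEADER, or None
    if len(data) < 4 or u32(data, 0) != HUNK_HEADER:
        return None
    pos = 4
    while True:                      # resident library names, zero-terminated
        n = u32(data, pos); pos += 4
        if n == 0:
            break
        pos += n * 4
    first, last = u32(data, pos + 4), u32(data, pos + 8)
    pos += 12                        # skip table size, first hunk, last hunk
    sizes = []
    for _ in range(last - first + 1):
        raw = u32(data, pos); pos += 4
        if raw >> 30 == 3:           # both memory bits set: extra flag longword
            pos += 4
        sizes.append(raw & 0x3FFFFFFF)
    return sizes

def growth_for_hunk(longwords):
    # bytes added by one extra hunk: table entry + type id + length + data + HUNK_END
    return 4 * (longwords + 4)

def scan(data):  # flag executables whose trailing hunk has a known VTek22 size
    sizes = parse_hunk_table(data)
    if not sizes:
        return "not a hunk executable"
    tail = sizes[-1]
    if len(sizes) >= 2 and tail in VTEK22_HUNK_SIZES:
        return "suspicious: trailing hunk of $%x longwords (%s, +%d bytes)" % (
            tail, VTEK22_HUNK_SIZES[tail], growth_for_hunk(tail))
    return "clean"

def build_sample(hunk_sizes):  # constructed minimal hunk file, zero-filled code hunks
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(hunk_sizes), 0, len(hunk_sizes) - 1)
    out += b"".join(struct.pack(">I", s) for s in hunk_sizes)
    for s in hunk_sizes:
        out += struct.pack(">II", HUNK_CODE, s) + bytes(4 * s) + struct.pack(">I", HUNK_END)
    return out
```

    A single-hunk program that happens to be $3ed longwords long is not
    flagged, since the virus always appears as an additional trailing hunk.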

    The virus itself is not resident and only creates a new process.
    The node entry is changed so that the nl_type flag says it is a
    task. The process always has the same name, "trackdisk.device", and
    the same priority as a normal trackdisk.device task. Many parts of
    this virus are encrypted. The crypt routines are static; no
    polymorphic or otherwise "intelligent" encrypted parts could be
    found. The DOS routines are quite clever. There are no direct DOS
    jsrs (e.g. jsr -36(a6) to close a file). These routines are hidden,
    or in other words another technique is used for them (global). Due
    to this, all DOS function scanning programs like SpyDos, HackDos or
    SnoopDos will be fooled and produce no output.

    The virus only links itself to other files if the following
    conditions are true:

    - more than 9 sectors free
    - device must be validated
    - no file longer than 143360 bytes will be infected
    - file must be executable
    - filename is one of the following:

    c:zoo, c:shrink, c:iprefs, c:mount, c:dms, c:setpatch,
    c:version, c:lharc, c:arc, c:fastgif, c:vt, c:show, c:ppshow,
    c:ed, c:iconx


    This virus contains many crypt routines, which are not used as far
    as I can see up to now. A display routine or something like a text
    writer does not seem to be in the virus. The virus contains an
    encrypted block; maybe this block contains a name for this little
    bastard. We are working on it...
    The virus contains a routine which manipulates control register B
    of CIA-B and the control register for the synchronisation of the
    blitter with the screen. I don't know exactly what this will affect.
    The hunk routine recognizes the following hunks: $3ec and $3eb.
    I expect some problems with programs that have other special
    hunks. VIRUSWORKSHOP 4.1 will be able to remove this virus, and
    the infected programs will work again, even if they did not
    work while they were infected.

    The way of manipulating the hunks is quite similar to the method
    which the Burn viruses use.

                                        Detection tested 05.09.1994.

    Test by Markus Schmall      Detection of Typ B tested 20.3.1995.


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk