VTek22 Link Virus & Dropper - Amiga Virus Encyclopedia
VIRUS HELP TEAM
---------------------------
Amiga Virus Encyclopedia
VTek22 Link Virus & Dropper
---------------------------
VTek22 link virus and its installer:
Around March 1995 a new version of VTek22 was found, which has some
internal changes and increases the file by a different length.
Warning! The file "viewtek22.lha" contains a new link virus!
The virus was uploaded to a mailbox (BBS) in Hannover around 24.08.1994.
Around 29.08.1994 we received the first phone calls concerning this virus
and distributed short warning texts in Hannover; some days later a
warning appeared in the German Z-Netz. The description of this archive
says that it contains a new update of the well-known ViewTek program
by tek. If you unpack the whole archive, you will find a guide file
and the ViewTek main file. The main file is 93844 bytes long and
contains the installer for the new link virus.
The virus itself is located in the second hunk. The first hunk is
848 bytes long and contains some strange texts:
'dos.library'
'S:HauptPfad'
'User/SysOp/UserDaten'
'BoxDaten/BoxParameter'
'User/xxxxxxxx/.INDEX'
'User/xxxxxxxx/.TXT'
'Absender : KFUserCheck'
'Betreff : Bitte lesen >NEUERUSER.TXT<'
'Datum : 10.08.1994'
'Uhrzeit : 20:50:58'
'Bytes : 1024'
'Empfänger : xxxxxxxx'
'09.08.1994 23.45.16 1 Asc SYSop'
'Neueintraege'
The archive contains only one mailbox advertisement from a box
in Hannover. I met the sysop of this box and got the
name of the uploader of the file. The username is xxxxxxxx
(the same as in the ASCII text of the installer).
The installer is a modified ViewTek 2.1.378 version dated
17.02.1994. In my opinion the first hunk is something like
a FASTCALL hacking system, which may be able to modify user data
and some other box parameters. It is possible that this file was
not uploaded by xxxxxx but by somebody else, and that the sysop of this
board activated this virus and the user data etc. were completely
changed.
But now to the exact description of this virus:
-----------------------------------------------
Link method: adds a new hunk to the file ($3ed longwords = Type A,
$462 longwords = Type B)
Increases file length by: 4036 bytes (Type A), 4504 bytes (Type B)
Kickstart version required: KS V37.xx or higher
The virus itself is not resident and only creates a new process.
The node entry is changed so that the nl_type flag says that it
is a task. The process always has the same name, "trackdisk.device",
and has the same priority as a normal trackdisk.device task. Many
parts of this virus are encrypted. The encryption routines are
static; no polymorphic or otherwise "intelligent" encrypted parts
could be found. The DOS routines are quite clever. There are no
direct DOS jsrs (e.g. jsr -36(a6) to close a file). These routines
are hidden, or in other words another technique is used for them
(global). Because of this, DOS function monitoring programs such as
SpyDos, HackDos or SnoopDos are fooled and produce no output for
this virus.
The virus only links itself to other files if all of the following
conditions are true:
- more than 9 sectors free
- device must be validated
- no file longer than 143360 bytes will be infected
- file must be executable
- filename is one of the following:
  c:zoo, c:shrink, c:iprefs, c:mount, c:dms, c:setpatch,
  c:version, c:lharc, c:arc, c:fastgif, c:vt, c:show, c:ppshow,
  c:ed, c:iconx
This virus contains many encryption routines which, as far
as I can see up to now, are not used. A display routine or something
like a text writer does not seem to be in the virus. The virus contains
an encrypted block; maybe this block contains a name for this little
bastard. We are working on it...
The virus contains a routine which manipulates control register B
of CIA-B and the control register for the synchronisation of the
blitter with the screen. I don't know exactly what effect this
will have.
The hunk routine recognizes the following hunks: $3ec and $3eb.
I expect some problems with programs that contain other special
hunks. VIRUSWORKSHOP 4.1 will be able to remove this virus, and
the infected programs will work again, even if they did not
work while they were infected.
The way the hunks are manipulated is quite similar to the method
the Burn viruses use.
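As an added example (not code from the Virus Help Team or from this entry), the following Python script walks the standard Amiga hunk executable layout and applies the size figures given above as a triage heuristic: a load file whose last hunk is a code hunk of exactly $3ed or $462 longwords is reported as Type A or Type B. The HUNK_* values are the documented hunk-format constants; the heuristic itself, the function names and the constructed sample files are my assumptions. The script does not recognise the virus body, so a hit only means the file deserves a scan with a real tool such as the VIRUSWORKSHOP version named above.

```python
import struct

# Block identifiers of the AmigaOS hunk executable format (documented values).
HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_SYMBOL, HUNK_DEBUG = 0x3EC, 0x3F0, 0x3F1
HUNK_END, HUNK_HEADER = 0x3F2, 0x3F3

# Figures taken from the encyclopedia entry: the appended hunk is $3ed longwords
# (Type A) or $462 longwords (Type B); only files up to 143360 bytes are infected.
VTEK22_HUNK_LONGWORDS = {0x3ED: "Type A", 0x462: "Type B"}
MAX_INFECTABLE_SIZE = 143360


def _u32(buf, off):
    """Read one big-endian longword (68k byte order)."""
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunks(buf):
    """Walk a hunk load file and return one (type, longwords) pair per hunk."""
    if _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    off = 4
    while True:  # resident library names: (length, name)..., 0 terminates
        n = _u32(buf, off)
        off += 4
        if n == 0:
            break
        off += 4 * n
    first, last = _u32(buf, off + 4), _u32(buf, off + 8)
    off += 12  # table size, first hunk, last hunk
    count = last - first + 1
    off += 4 * count  # size table; each hunk body repeats its own size
    hunks = []
    for _ in range(count):
        htype = _u32(buf, off) & 0x3FFFFFFF  # top bits are memory-type flags
        off += 4
        if htype not in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            raise ValueError(f"unexpected hunk type ${htype:x} at {off - 4}")
        longwords = _u32(buf, off)
        off += 4
        if htype != HUNK_BSS:
            off += 4 * longwords  # BSS hunks carry no payload
        while True:  # optional blocks (reloc, symbols, debug) until HUNK_END
            blk = _u32(buf, off)
            off += 4
            if blk == HUNK_END:
                break
            if blk == HUNK_RELOC32:
                while True:  # (count, target hunk, offsets...) until count 0
                    n = _u32(buf, off)
                    off += 4
                    if n == 0:
                        break
                    off += 4 + 4 * n
            elif blk == HUNK_SYMBOL:
                while True:  # (name length, name, value) until length 0
                    n = _u32(buf, off)
                    off += 4
                    if n == 0:
                        break
                    off += 4 * n + 4
            elif blk == HUNK_DEBUG:
                n = _u32(buf, off)
                off += 4 + 4 * n
            else:
                raise ValueError(f"unsupported block ${blk:x} at {off - 4}")
        hunks.append((htype, longwords))
    return hunks


def vtek22_indicator(buf):
    """Return 'Type A'/'Type B' if the file ends in a code hunk of the size the
    entry gives for that variant, else None. Heuristic only (my assumption)."""
    hunks = parse_hunks(buf)
    if len(hunks) < 2:
        return None  # the virus adds a hunk, so a one-hunk file cannot carry it
    htype, longwords = hunks[-1]
    variant = VTEK22_HUNK_LONGWORDS.get(longwords)
    if htype != HUNK_CODE or variant is None:
        return None
    added = 4 * longwords + 16  # type, size, HUNK_END and the size-table entry
    if len(buf) - added > MAX_INFECTABLE_SIZE:
        return None  # the original file would have been too large to infect
    return variant


def build_executable(hunk_payloads):
    """Construct a minimal load file from (type, payload) pairs; sample input only."""
    n = len(hunk_payloads)
    out = struct.pack(">IIIII", HUNK_HEADER, 0, n, 0, n - 1)
    out += b"".join(struct.pack(">I", len(p) // 4) for _, p in hunk_payloads)
    for htype, p in hunk_payloads:
        out += struct.pack(">II", htype, len(p) // 4) + p + struct.pack(">I", HUNK_END)
    return out


# Constructed samples: a tiny clean program (eight RTS instructions) and the same
# file with a zero-filled code hunk of $3ed longwords appended to mimic the Type A
# size change. Nothing here is virus code.
CLEAN = build_executable([(HUNK_CODE, b"\x4e\x75" * 8)])
APPENDED_A = build_executable([(HUNK_CODE, b"\x4e\x75" * 8), (HUNK_CODE, bytes(4 * 0x3ED))])

if __name__ == "__main__":
    print(len(APPENDED_A) - len(CLEAN), "bytes added")  # 4036, as the entry states
    print(vtek22_indicator(CLEAN), vtek22_indicator(APPENDED_A))
```

The 16-byte overhead in the size check is why $3ed longwords (4020 bytes) shows up as 4036 bytes of growth, and $462 longwords (4488 bytes) as 4504: the new hunk costs its type and size longwords plus a HUNK_END, and the header's size table gains one entry. Feed real files in with `vtek22_indicator(open(path, "rb").read())`; programs with hunk kinds the parser does not handle raise ValueError rather than being silently passed.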
Detection tested 05.09.1994.
Test by Markus Schmall. Detection of Type B tested 20.3.1995.