------------------------
Amiga Virus Encyclopedia
ZIB Link Virus
------------------------
Entry...............: ZIB
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: December 97
              where.: Germany
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 1260/1264 Bytes
                         (uses a polymorphic technique)
                      2. Length in RAM: xxxx Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - none
                      Self-identification method in memory:
                      - searches for "TRSi" at LastAlert(Exec)
                      System infection:
                      - infects the following functions:
                        Dos LoadSeg(), bsdsocket.library baseptrs
                      Infection preconditions:
                      - HUNK_HEADER and HUNK_CODE are found
                      - device is validated
                      - file must be smaller than $1e848 bytes
Infection Trigger...: Accessing files via LoadSeg().
                      It is a typical infector. It cannot be rated as a
                      fast infector, as it only infects on the operations
                      mentioned above. Neither slow polymorphism nor
                      stealth techniques were found in this one.
                      Storage media affected:
                      all DOS devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - none
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - none
Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The crypt routine is non-polymorphic and
                      consists of some logical operations. The cryptword is
                      $BABE.
Similarities........: The link method is comparable to that of all the HNY
                      viruses: the virus tries to step $3e words back from
                      the hunk end and checks for an "rts" or a "nop" there.
                      The use of the bsdsocket library etc. shows some
                      similarities to the latest HitchHiker viruses.
                      NOTE: The installer itself links a part that is 4 bytes
                      longer to the original "c:\loadwb" and uses 2 patch
                      codes. Most virus killers do not recognize this
                      correctly. VT 3.03 does it 100% right and VW should,
                      too.
Stealth.............: No stealth function found.
Armouring...........: Readable text is encrypted with a normal EOR loop.
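The two mechanics above (the link method that looks for an "rts" or "nop" in the last $3e words of the code hunk, and the EOR-loop armouring with cryptword $BABE) can be turned into a small triage tool. The following Python is an added example for this entry, not code from the encyclopedia or its author: it parses a standard AmigaDOS hunk executable, checks the infection preconditions the entry lists (HUNK_HEADER and HUNK_CODE present, file smaller than $1e848 bytes), reports whether an attach point exists in the hunk tail, and undoes the word-wise EOR loop so an analyst can read the hidden strings. The hunk block constants are the standard AmigaDOS ones; how exactly the virus walks the hunk tail and frames its EOR loop is assumed here, as is the constructed sample file.

```python
"""Triage helpers for ZIB-style link infections of Amiga hunk executables.

Added example for this entry, not code from the encyclopedia or its author.
It checks the infection preconditions the entry lists, scans the last $3e
words of the code hunk for an rts/nop (assumed reading of the entry's link
method) and undoes a word-wise EOR loop with the cryptword $BABE.
"""
import struct

# Amiga hunk block identifiers (standard AmigaDOS values)
HUNK_HEADER, HUNK_CODE, HUNK_DATA = 0x3F3, 0x3E9, 0x3EA
HUNK_BSS, HUNK_RELOC32, HUNK_END = 0x3EB, 0x3EC, 0x3F2

MAX_INFECTABLE_SIZE = 0x1E848    # entry: file must be smaller than this
TAIL_WORDS = 0x3E                # entry: virus steps $3e words back from hunk end
RTS, NOP = 0x4E75, 0x4E71        # MC680x0 opcodes
CRYPTWORD = 0xBABE               # entry: cryptword of the EOR loop


def _u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]


def parse_hunks(data):
    """Return [(hunk_type, payload)] for a hunk executable, or None if the
    file is not one. Only the block types needed here are walked; any other
    block ends the walk. Raises struct.error on a truncated file."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        return None
    pos = 4
    while True:                                  # resident library names
        n = _u32(data, pos); pos += 4
        if n == 0:
            break
        pos += n * 4
    pos += 4                                     # table size
    first, last = _u32(data, pos), _u32(data, pos + 4); pos += 8
    for _ in range(last - first + 1):            # hunk size table
        size = _u32(data, pos); pos += 4
        if size & 0xC0000000 == 0xC0000000:      # extended memory flags follow
            pos += 4
    hunks = []
    while pos + 4 <= len(data):
        htype = _u32(data, pos) & 0x3FFFFFFF; pos += 4
        if htype in (HUNK_CODE, HUNK_DATA):
            n = _u32(data, pos) & 0x3FFFFFFF; pos += 4
            hunks.append((htype, data[pos:pos + n * 4])); pos += n * 4
        elif htype == HUNK_BSS:
            hunks.append((htype, b"")); pos += 4
        elif htype == HUNK_RELOC32:
            while True:
                count = _u32(data, pos); pos += 4
                if count == 0:
                    break
                pos += 4 + count * 4             # target hunk + offsets
        elif htype != HUNK_END:
            break
    return hunks


def find_attach_point(code):
    """Distance in words from the hunk end to the nearest rts/nop within the
    last $3e words, or None (assumed reading of the entry's link method)."""
    words = [struct.unpack_from(">H", code, i)[0] for i in range(0, len(code) - 1, 2)]
    for back, w in enumerate(reversed(words[-TAIL_WORDS:]), start=1):
        if w in (RTS, NOP):
            return back
    return None


def assess(data):
    """Report whether a file meets ZIB's infection preconditions."""
    try:
        hunks = parse_hunks(data)
    except struct.error:
        hunks = None
    if hunks is None:
        return {"hunk_file": False, "candidate": False}
    code = [p for t, p in hunks if t == HUNK_CODE]
    attach = find_attach_point(code[0]) if code else None
    size_ok = len(data) < MAX_INFECTABLE_SIZE
    return {"hunk_file": True, "has_code": bool(code), "size_ok": size_ok,
            "attach_words_from_end": attach,
            "candidate": size_ok and bool(code) and attach is not None}


def eor_decode(blob, key=CRYPTWORD):
    """Undo a word-wise EOR loop; EOR is its own inverse, so this also
    encodes. An odd trailing byte is passed through untouched."""
    out = bytearray()
    for i in range(0, len(blob) - 1, 2):
        out += struct.pack(">H", struct.unpack_from(">H", blob, i)[0] ^ key)
    if len(blob) % 2:
        out.append(blob[-1])
    return bytes(out)


def build_sample(code):
    """Constructed minimal hunk executable with a single code hunk."""
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END))


if __name__ == "__main__":
    # constructed program: moveq #0,d0 ; rts ; two longwords of zero padding
    print(assess(build_sample(bytes.fromhex("70004E7500000000"))))
    hidden = eor_decode(b"Another 1 bites the dust")   # constructed: encode
    print(eor_decode(hidden))
```

`assess` is only a precondition check, not a detection of the virus itself: a clean file that is small enough and ends its code hunk with an `rts` is a candidate for infection, which is exactly what a virus killer would want to verify before and after cleaning a linked file.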
Specialities........: The virus sends mails to the virusworkshop mailing list.
                      The list can be accessed using the virusworkshop@trsi.de
                      account and was accessible even to external persons
                      at that time. Vampire has since fixed this problem.
                      The subject was: "Another 1 bites the dust".
                      In the body the text "Greetz to BEOL und BOKOR" can
                      be found. The mail is sent remotely via the mail server
                      of the teuto.de domain using a special account.
Comments............: The name ZIB appeared in the latest HitchHiker viruses, too.
                      I suppose that this is some kind of virus clique pushing
                      their actions.
--------------------- Agents -------------------------------------------
Countermeasures.....: VT, VZ, FVK, VW
                      above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hildesheim, Germany 17.01.1998.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Jan, 01. 1998
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication.
===================== End of ZIB virus =========================