Entry...............: ZIB
Alias(es)...........: none
Virus Strain........: -
Virus detected when.: December 97
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     ca. 1260/1264 Bytes
                      (uses a polymorphic technic)
                      2. Length in RAM:                    xxxx Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      - none

                      Self-identification method in memory:

                      - searches for "TRSi" at LastAlert(Exec)

                      System infection:
                      -  infects the following functions:
                         Dos LoadSeg(), bsdsocket.library baseptrs

 
                      Infection preconditions:
                       - HUNK_HEADER and HUNK_CODE are found
                       - device is validated
                       - File must be smaller than $1e848
                         bytes
                        
Infection Trigger...: Accessing files via LoadSeg()
                      It`s a typical infector. It cannot be rated as
                      fast infector as it only infects at the above
                      mentioned operations. Slow polymorphism
                      technology or stealth techniques wasn`t found
                      in this one.

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - none

                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - none
                      Transient damage:
                      - None

Particularities.....: The crypt/decrypt routines are partly aware of processor
                      caches. The cryptroutine are non-polymorphic and
                      consists of some logical stuff. The cryptword is
                      $BABE.


Similarities........: The linkmethod is camparable to all the HNY viruses. It
                      will be tried to step $3e words back and check for an
                      "rts" or a "nop" at the hunkend.

                      The use of the bsdsocket library etc. shows some equalities
                      to the latest hitchhiker viruses.

                      NOTE: The installer itself links a 4 byte longer part to
                      the original "c:\loadwb" and uses 2 patchcodes. Most
                      viruskillers does not recognize this correct. VT 3.03
                      is doing it 100% right and VW should so, too.


Stealth.............: no stealth function found.

Armouring...........: readable text is crypted with a normal eor loop.

Specialities........: The virus sends mails to the virusworkshop mailinglist.
                      The list can be accessed using the virusworkshop@trsi.de
                      account and was accessible even from external persons
                      at that time. Now Vampire fixed this problem.

                      The subject was: "Another 1 bites the dust"
                      In the body the text: "Greetz to BEOL und BOKOR" can
                      be found. The mail be remote send via the mailserver
                      from the teuto.de domain via a special account.


Comments............: The name ZIB appeared in the latest HitchHiker viruses, too.
                      I suppose that this is somekind of virusclique pushing
                      their actions.


--------------------- Agents -------------------------------------------

Countermeasures.....: VT, VZ, FVK, VW
above Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hildesheim, Germany 17.01.1998.
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Jan, 01. 1998
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may be not used
                      in any SHI publication

===================== End of ZIB virus =========================

[Go back]