Virus Warning - Virus Help Team

VIRUS HELP TEAM
Denmark & Canada



BBS Traveller Linkvirus
  
Warning!

A new linkvirus is out. The first known infected file is lop_mi2.lha. The
FILE_ID.DIZ looks like this:

                .
    ____     .::     ______
   /    |.:::::'    |  __  \_
   \   _|::  ::.::::.   ¬___/
.-- \____::  ::::  ::     \  --.
|        `::::'::  ::_____/    |
|    LøøP      `::::'          |
|                              |
|  MASTER ISO 1.22 100% CRC    |
|    THIS IS THE IMPROVED      |
|   INTENSITY-VERSION ...      |
`------------------------------'


The virus is linked to the file in the normal way. It doesn't seem to be an
installer; probably the people behind the release didn't know about the infection.

Emacs/TRSi got a call from Lenny Dee/Hf and gave me this archive. It seems
to have spread globally. Since an Hf member had run this archive before
releasing three things for Hf, Emacs checked those three releases for me, and
all of them were virus-free.

! Special thanks at this time to Lenny Dee/HF for the fast warning !

OK, here is the analysis of the little bastard:



Entry...............: BBS Traveller Virus
Alias(es)...........: Ebola-II
Virus Strain........: -
Virus detected when.: 17.04.1996
              where.: Germany
Classification......: Linkvirus,memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium:     1536  Bytes
                      2. Length in RAM:                12000 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:

                      -  Searches for $ab1590ef at the end of the first Hunk.
                         (this longword comes from the EBOLA-I virus)

                      -  Searches for $24121996 at the end of the first hunk
                         (selfrecognition)

                      -  Searches for $1080402 at the end of the first hunk
                         (this is the recognition of the Strange Atmosphere
                          linkvirus)

                      Self-identification method in memory:

                      Searches for $3D385E29 at offset -6 from the Dos
                      LoadSeg() function. If $1020304 is found at this
                      position, the destruction counter is manipulated
                      (some kind of test switch for the programmer of this
                      virus?)

                      System infection:
                      -  memory-resident (not reset-resident); patches the
                         following functions:
                         Dos LoadSeg(), Dos ReadArgs(), Exec FindName(),
                         Exec FindTask(), Exec SetFunction() and Exec AddPort()


                      Infection preconditions:
                       - File to be infected is bigger than 2600 bytes and
                         smaller than 290000 bytes
                       - Device must have more than 6000 sectors
                       - First hunk contains a $4eaexxxx instruction (JSR
                         xxxx(A6), i.e. a library call) in the 16-bit range
                         up to the end of the file (test for the first entry)
                       - The file is not already infected (checked via the
                         longword at the end of the hunk)
                       - HUNK_HEADER and HUNK_CODE are found



Infection Trigger...: Accessing files via LoadSeg().
                      Files whose names start with "v", "V", "." or "-" are
                      NOT infected.
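
The target tests and marker checks described above can be turned into a file
triage rule. The following Python is an added example written for this page; it
is not the virus's code (which is 68k machine code) and not part of the original
analysis. It parses a minimal Amiga hunk executable, reads the longword at the end
of the first hunk, and applies the size, file-name and $4eae tests. Assumptions:
the marker written above as $1080402 is taken as the longword $01080402; the "16
bit range" test is read as scanning instruction-aligned words for the $4EAE opcode;
the "more than 6000 sectors" device test cannot be judged from file contents and is
omitted; the sample files are constructed inline and only simulate the recognition
longword, not a real virus body.

```python
import struct

# Amiga hunk executable block IDs (AmigaDOS binary format).
HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2

# Recognition longwords named in the analysis above. The third is quoted
# there as $1080402; it is taken here as the longword $01080402 (assumption).
MARKERS = {
    0xAB1590EF: "EBOLA-I marker",
    0x24121996: "BBS Traveller self-recognition",
    0x01080402: "Strange Atmosphere marker",
}
MIN_SIZE, MAX_SIZE = 2600, 290000      # file size window the virus targets
SKIP_PREFIXES = ("v", "V", ".", "-")   # file names the virus leaves alone


def first_code_hunk(data):
    """Return the bytes of the first hunk if it is a HUNK_CODE block, else None."""
    try:
        if struct.unpack(">I", data[:4])[0] != HUNK_HEADER:
            return None
        pos = 4
        while True:                          # resident library name table, 0-terminated
            n = struct.unpack(">I", data[pos:pos + 4])[0]
            pos += 4
            if n == 0:
                break
            pos += 4 * n
        _table_size, first, last = struct.unpack(">III", data[pos:pos + 12])
        pos += 12 + 4 * (last - first + 1)   # skip one size longword per hunk
        hid, nlong = struct.unpack(">II", data[pos:pos + 8])
        if hid & 0x3FFFFFFF != HUNK_CODE:    # mask memory-type flag bits
            return None
        code = data[pos + 8:pos + 8 + 4 * nlong]
        return code if len(code) == 4 * nlong else None
    except struct.error:
        return None


def triage(name, data):
    """Apply the virus's own target tests to one file.

    Returns {'marker': which recognition longword (if any) ends the first hunk,
             'target': whether this virus would try to link itself to the file}.
    """
    result = {"marker": None, "target": False}
    code = first_code_hunk(data)
    if code is None or len(code) < 4:
        return result
    result["marker"] = MARKERS.get(struct.unpack(">I", code[-4:])[0])
    # $4EAE = JSR d16(A6), the 68k library-call idiom; scanned here on
    # instruction-aligned (even) offsets, my reading of the "16 bit range" test.
    has_jsr_a6 = any(code[i:i + 2] == b"\x4e\xae" for i in range(0, len(code) - 1, 2))
    result["target"] = (MIN_SIZE < len(data) < MAX_SIZE
                        and not name.startswith(SKIP_PREFIXES)
                        and has_jsr_a6
                        and result["marker"] is None)
    return result


def build_hunk_exe(code):
    """Constructed sample: a minimal single-hunk executable wrapping `code`."""
    code += b"\0" * (-len(code) % 4)         # pad to a longword boundary
    nlong = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, nlong)
    return header + struct.pack(">II", HUNK_CODE, nlong) + code + struct.pack(">I", HUNK_END)


# Constructed code hunks: one library call, RTS, then NOP filler so the file
# lands inside the size window. INFECTED_CODE only simulates the recognition
# longword the virus leaves at the end of the hunk, not the virus body itself.
CLEAN_CODE = b"\x4e\xae\xfd\xd8" + b"\x4e\x75" + b"\x4e\x71" * 1401
INFECTED_CODE = CLEAN_CODE + struct.pack(">I", 0x24121996)

SAMPLES = {
    "lop_mi2":       build_hunk_exe(CLEAN_CODE),
    "lop_mi2.bad":   build_hunk_exe(INFECTED_CODE),
    "VirusChecker":  build_hunk_exe(CLEAN_CODE),   # skipped by the "V" prefix rule
    "readme.lha":    b"not a hunk executable",
}


def scan_samples():
    return {name: triage(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in scan_samples().items():
        print(f"{name:14} target={res['target']!s:5} marker={res['marker']}")
```

Note the limits of this rule: a marker hit only tells you the first hunk ends with
one of the recognition longwords, which a clean file can do by chance, so treat it
as a reason to look at the file, not as proof of infection; and a file the virus
would skip (wrong size, "V" name, no $4eae) can still carry the virus if it was
infected elsewhere under another name.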

Storage media affected:
                      all DOS-devices

Interrupts hooked...: None


Damage..............: Permanent damage:
                      - Formatting the drive
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - Formatting the drive, when an internal counter reaches
                        5000.
                      Transient damage:
                      - None

Particularities.....: The encryption/decryption routines are partly aware of
                      processor caches. The encryption routine is not
                      polymorphic and consists only of a few logical
                      operations. The virus uses some simple retro techniques
                      to stop virus killers from searching for it.

Similarities........: The link method is comparable to the one introduced by
                      the Infiltrator virus. The damage routine is taken from
                      the Strange Atmosphere linkvirus. The virus is a typical
                      mixture of the EBOLA and Strange Atmosphere linkviruses.
                      We think that all three come from the same programmer,
                      probably in the east or north of Germany.

Stealth.............: If the virus killer VT (up to version 2.82) is started,
                      the virus removes itself completely from memory. If one
                      of the following programs is found in memory, no link
                      attempt is made:

                      SetFunktionManager
                      VirusChecker
                      VirusZ_II
                      SnoopDos
                      SnoopDos 3
                      VW-Save!

Armouring...........: The virus uses only a single armouring technique to
                      confuse people: it encrypts its code with a key derived
                      from the position of the raster beam.

Comments............: EBOLA is the name of a virus that infects humans. The
                      CARO rules say that no names of persons etc. may be
                      used to name a virus, but I spoke to other people and
                      they already knew this virus under that name. The virus
                      contains the string "BBS Traveller", but it is just a
                      clone of the EBOLA linkvirus with some enhancements.


--------------------- Agents -------------------------------------------

Countermeasures.....: VW 6.1 beta and above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany 19.04.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall (C)
Date................: April,19. 1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document is copyrighted and may not be used
                      in any SHI publication

===================== End of BBS Traveller Virus =========================

Greets
          Markus Schmall




Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht-dk.dk