========= Computer Virus Catalog 1.2: CCCP VIRUS (31-July-1993) ========
Entry...............: CCCP Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Bootblock and Link Virus: Overwriting Bootblock,
                      Extending Files, Resident
Length of Virus.....: 1. Length: 1024 bytes Bootblock,
                                 1044 bytes File extension.
                      2. Length: 1192 bytes in Chip-RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: >= Version 1.3
Computer model(s)...: All Amigas with $68000 CPU / Vectortable at $0
--------------------- Attributes ---------------------------------------
Easy Identification.: Text "CCCP VIRUS" in infected bootblocks and files
Type of infection...: Self-Identification methods:
                        Disk/File: searches for special Hunklength ($FD)
                                   in first Codehunk
                        Disk/Boot: none
                        RAM:       searches for $611c (bsr.s) at VEC3
                                   location
                      Executable File infection: extending file by 1044
                      bytes; infection occurs if:
                        - file is readable/writable
                        - file header block contains all blocks of the
                          file (no extension block)
                        - won't infect files in directories whose name
                          begins with "l", "d" or "f" (e.g. l, devs, fonts)
                      System infection: RAM-Resident, Reset-Resident,
                      Bootblock infection
                      Libraries/Vectors patched and action:
                        Coolcap    (Exec) - be resetproof
                        DoIo       (Exec) - infect preconditions, boot
                                            infection
                        NewOpenLib (Exec) - patch OpenWindow
                        OpenWindow (Int.) - start infection
Infection Trigger...: File:      opening an Intuition Window
                      Bootblock: any disk access (DoIo on Block 0)
Storage media affected: Diskettes
Interrupts hooked...: IRQ_VEC3 ($6c) to stay in memory (against actions
                      of some antivirus programs)
Damage..............: Permanent Damage: overwriting bootblock
                      Transient Damage: none
                      Transient/Permanent damage: virus overwrites without
                      allocating memory at $6fbec-$71000, so programs
                      stored at this location may crash. Virus also may
                      have problems with some hunk types.
Damage Trigger......: Inserting Diskette / DoIo call
Particularities.....: Very compact code (1024 Byte) with complete
                      (recursive) file and bootblock infection routine
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: VT2.54, SnoopDos 1.7, AVM (internal)
Countermeasures successful: VT2.54, SnoopDos, AVM
Standard means......: VT2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 31-July-1993
Information Source..: Heiner Schneegold, SHI, reverse analysis
===================== End of CCCP Virus =================================