Entry...............: Cryptic Essence
Alias(es)...........: Evil Jesus #3
Virus Strain........: -
Virus detected when.: 9/1995
              where.: Denmark
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: none
                      2. Length in RAM: $97c bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Self-identification method in files:
                      - None. Double infections are possible but mostly
                        result in dead samples. Tested on CVMODE as
                        test-infect file.
                      Self-identification method in memory:
                      - None
                      System infection:
                      - RAM resident, infects the DOS Write() function
                      Infection preconditions:
                      - File to be infected is bigger than 9276 bytes
                      - First hunk is a normal code hunk without memory
                        extension (=$3e9)
                      - This hunk must be bigger than 9276 bytes
                      - First word in this hunk is not:
                        - $4afc (ILLEGAL)
                        - $4e75
                      - Second word in this hunk is not:
                        - $4afc (ILLEGAL)
                        - $4e75

Infection Trigger...: Accessing the volume (by writing). A normal COPY is
                      not suitable, because COPY splits longer files into
                      small chunks, and with these chunks the virus mostly
                      cannot work correctly.

Storage media affected: all DOS devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - Changes data in files randomly. Not repairable.
                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - Counter reaches 0
                      Transient damage:
                      - None

Particularities.....: The crypt routines are not aware of processor caches
                      and have serious problems at some places; this can
                      lead to wrong decoding and similar failures. The link
                      method is new for the AMIGA computer series and is
                      called "cavity link virus" on the PC. No modification
                      of the reloc hunks is needed to repair the file from
                      the virus.
                      In the virus there is a comment to a well-known PC
                      antivirus researcher and to an essay written by him,
                      which was obviously used by the virus programmer(s)
                      as a basis.

Similarities........: Cavity link viruses on the PC (such families have
                      e.g. been seen in the Netherlands). The pack routine
                      is stolen from the xpk distribution. The way of
                      linking is completely new for the AMIGA at this time
                      (9/95).

Stealth.............: The virus uses normal DOS commands (no tunneling via
                      packets), and normal DOS call watchers like SnoopDos
                      can show the infection behaviour. The virus does not
                      restore the file protection flags and the file date,
                      so this can be an indicator of a possible infection.
                      The file length does not change. No new hunk is
                      added. Using the RCH technique the virus searches
                      for a place to put its own code and crunches the
                      existing data first. The virus cannot be found by a
                      normal offset-based search.

Armouring...........: The virus uses several armouring techniques to
                      confuse people while debugging it:
                      1. Double encryption with a polymorphic engine (SPe)
                      2. Flexible programming with nearly no hardcoded
                         values
                      3. The Write() vector patch uses polymorphism to
                         cheat some inflexible AV software
                      4. Polymorphism at the entry jump to irritate AV
                         software

--------------------- Agents -------------------------------------------

Countermeasures.....: VT 2.77, VW 5.6
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany, 28.9.1995
Classification by...: Markus Schmall, Georg Hoermann and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: September 28, 1995
Information Source..: Reverse engineering of original virus
Special.............: Some parts of this analysis have been shortened/cut
                      so as not to show the public too much information
                      about things like RCH and SPe.
===================== End of Cryptic Essence Virus ======================

It is surprising that the virus seems to have been uploaded by the author,
including FULL source, to a Danish AV board. The author even included a
little text:

-----BEGIN PGP SIGNED MESSAGE-----

-=* Cryptic Essence, © 1995 Evil Jesus (maximum false positive) *=-

Extra thanks for xxxxxxxx xxxxxxxxx giving some valuable information how to
reach maximum damage in essay 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'. It really
inspired me to write C.E.!

- Generalized infection scheme, virus itself will not use any strings to
  avoid reinfecting same file. This should make it very hard to detect and
  also gives possibility to change visible decrypting code.
- Random damage, impossible to repair.
- Source code is easily modifiable to use different packers and crypters.

If you are interested about that particular essay you can write to
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Sins unforgiven,
Evil Jesus

-----BEGIN PGP SIGNATURE-----
Version: 2.6ui (Amiga)

iQBFAgUBMFP6ho3j8jX6L7S9AQFwuQF/TruUbFYQ5LwSBOk1SkqUp9R8tycB4m5y
bgNZh5X0wVHU9ggx285ZUOdOcM+OeRGS
=Mrqg
-----END PGP SIGNATURE-----

I don't know what the virus programmer wanted to do with it. The xxx's are
only there to stay CARO conform and not to mention a specific PC AV freak,
who is mentioned inside the virus, too.

VIRUSWORKSHOP WILL ONLY RECOGNIZE THIS VIRUS ON 68020 AND HIGHER SYSTEMS,
BASED ON THE CODE EMULATION, WHICH IS SENSELESS ON 68000!
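The infection preconditions in the analysis above (file and first hunk larger than 9276 bytes, first hunk a plain $3e9 code hunk without memory-extension bits, first and second word neither $4afc nor $4e75) can be turned into a triage check that tells a defender which executables on a volume are even eligible for infection and therefore deserve a closer look with VT/VW. The following Python is an added example, not code from the analysis authors or from VirusWorkshop; it assumes the standard AmigaDOS hunk layout (HUNK_HEADER $3f3, HUNK_CODE $3e9, HUNK_END $3f2, memory flags in bits 30/31 of the hunk type longword) and builds its own constructed sample images in memory rather than reading real binaries.

```python
import struct

# AmigaDOS hunk-format constants (standard executable format, not from the analysis)
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_END = 0x3F2
MEM_FLAG_MASK = 0xC0000000        # bits 30/31 of a hunk type longword carry memory flags
MIN_SIZE = 9276                   # size threshold stated in the analysis
FORBIDDEN_WORDS = {0x4AFC, 0x4E75}  # $4afc = ILLEGAL, $4e75 = RTS (68000 opcodes)


def read_first_hunk(data):
    """Walk the HUNK_HEADER block and return (type longword, body bytes) of the
    first hunk block. Raises ValueError if the image is not a hunk executable."""
    def u32(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack(">I", data[off:off + 4])[0]

    if u32(0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos = 4
    # resident library names: (longword count, name longwords)*; a 0 count ends the list
    while True:
        n = u32(pos)
        pos += 4
        if n == 0:
            break
        pos += n * 4
    first, last = u32(pos + 4), u32(pos + 8)
    pos += 12 + (last - first + 1) * 4   # skip table_size/first/last and the size table
    htype = u32(pos)
    pos += 4
    if htype & MEM_FLAG_MASK == MEM_FLAG_MASK:   # both bits set: extra flags longword follows
        pos += 4
    nlong = u32(pos)
    pos += 4
    body = data[pos:pos + nlong * 4]
    if len(body) != nlong * 4:
        raise ValueError("truncated hunk body")
    return htype, body


def check_preconditions(data):
    """Evaluate each documented infection precondition against a file image and
    report whether the file is a candidate the virus could link into."""
    result = {
        "file_big_enough": len(data) > MIN_SIZE,
        "first_hunk_plain_code": False,
        "hunk_big_enough": False,
        "first_word_ok": False,
        "second_word_ok": False,
    }
    try:
        htype, body = read_first_hunk(data)
    except ValueError:
        result["candidate"] = False
        return result
    result["first_hunk_plain_code"] = htype == HUNK_CODE   # exactly $3e9, no memory bits
    result["hunk_big_enough"] = len(body) > MIN_SIZE
    if len(body) >= 4:
        w1, w2 = struct.unpack(">HH", body[:4])
        result["first_word_ok"] = w1 not in FORBIDDEN_WORDS
        result["second_word_ok"] = w2 not in FORBIDDEN_WORDS
    result["candidate"] = all(result.values())
    return result


def build_hunk_file(code, htype=HUNK_CODE):
    """Constructed sample builder: a minimal executable with one code hunk around `code`."""
    nlong = (len(code) + 3) // 4
    code = code.ljust(nlong * 4, b"\0")
    header = struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", nlong)
    return header + struct.pack(">II", htype, nlong) + code + struct.pack(">I", HUNK_END)


# Constructed sample images (not real programs); $4e71 is NOP, $4e75 is RTS
SAMPLE_CANDIDATE = build_hunk_file(b"\x4e\x71" * 5000)                    # 10000-byte hunk
SAMPLE_STARTS_WITH_RTS = build_hunk_file(b"\x4e\x75" + b"\x4e\x71" * 5000)
SAMPLE_TOO_SMALL = build_hunk_file(b"\x4e\x71" * 100)
SAMPLE_CHIP_HUNK = build_hunk_file(b"\x4e\x71" * 5000, htype=HUNK_CODE | 0x40000000)

if __name__ == "__main__":
    for name, img in [("candidate", SAMPLE_CANDIDATE), ("starts_with_rts", SAMPLE_STARTS_WITH_RTS),
                      ("too_small", SAMPLE_TOO_SMALL), ("chip_hunk", SAMPLE_CHIP_HUNK)]:
        print(name, check_preconditions(img))
```

Only the first sample satisfies every condition; the others fail on the first word, the size threshold, or the memory-extension bits respectively. Because the virus leaves the file length unchanged and adds no hunk, this check selects files to inspect rather than detecting an infection; the analysis's note that protection flags and file date are not restored is the practical indicator to combine it with.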