======= Computer Virus Catalog 1.2: CRIME'92 Virus (31-July-1993) ======
Entry...............: Crime'92 Virus
Alias(es)...........: Crime'92 A,B,C,D Virus (different generations of
                      same polymorphic virus)
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Memory resident Link Virus (Extending), Polymorphic
Length of Virus.....: 1. Length: 1800 Byte on storage medium
                      2. Length: 4028 Byte in RAM
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/1.3/2.04/3.0
Computer model(s)...: ALL AMIGAs
--------------------- Attributes ---------------------------------------
Easy Identification.: String "Crime'92" is readable in RAM
Type of infection...: Self-Identification methods:
                      Memory: Checks for String "Crime'92" at $204
                              (CoolCapture). Reset resident.
                      Disk:   Not really a Self-Identification, but virus
                              won't infect files with instruction
                              movem d0-d7/a0-a6,-(SP) = $48e7 at specified
                              location.
                      Executable File infection: extending files by 1800
                      bytes at load time. Preconditions: infection occurs if:
                        1) Disk is validated ("R"),
                        2) 8 blocks free on Disk,
                        3) File length < 102400 ($19000) Bytes,
                        4) File can be read into memory,
                        5) First Hunk is HUNK_HEADER,
                        6) HUNK_CODE found,
                        7) MOVEM-opcode ($48e7) is not found,
                        8) RTS-opcode found in hunk.
                      System infection: RAM- and Reset-Resident. Virus can
                      infect system libraries and almost any file containing
                      executable code matching infection-preconditions, even
                      printer drivers.
                      Vectors hooked up to Kick1.3 (incl.):
                        ColdCapture (exec.library)
                        CoolCapture (exec.library)
                        Wait (exec.library)
                        $2e (dos.library) - Rom-Ptr, private
                      Vectors hooked from Kick2.0 above:
                        CoolCapture (exec.library)
                        Wait (exec.library)
                        LoadSeg (dos.library)
                        NewLoadSeg (dos.library)
Infection Trigger...: Running any program from CLI and random condition
Storage media affected: All disk-like devices
Interrupts hooked...: ---
Damage..............: Permanent Damage: Overwriting random sectors
                      Transient Damage: None
                      Transient/Permanent damage: Due to some bugs, virus may
                      produce divide by zero errors on startup of an infected
                      program. During reset, virus overwrites a random memory
                      longword with zero, which may cause dead-end resets.
Damage Trigger......: Random and counter combination.
Particularities.....: Due to self-modifying (polymorphic) code, virus won't
                      run with processor caches.
Polymorphism........: Virus is polymorphic in its encryption routine, which
                      makes its detection with simple search strings
                      impossible; presently, no antivirus detects Crime'92
                      reliably! Virus may only be detected reliably with
                      algorithmic methods. Several reported "variants" of
                      Crime'92 (A-D) are just different polymorphic
                      generations.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: VT2.55
Countermeasures successful: No Virus-Checker detects all generations of this
                      Virus (status: July 1993). Update: VT2.55 detects most
                      (all?) variants (we sent all generated variants to the
                      author).
Standard means......: Boot from clean diskette and overwrite all suspicious
                      executables with original clean ones.
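Preconditions 3 and 5 to 8 above are properties of the executable itself, so a disk's files can be pre-screened for exposure without running anything, which is the "algorithmic" approach the Polymorphism entry calls for. The script below is an added example written for this page, not code from the Virus Test Center or from VT: it walks the standard AmigaDOS hunk format (HUNK_HEADER $3F3, HUNK_CODE $3E9 and the other well-known block ids), scans every code hunk for the $48e7 MOVEM opcode word and the $4e75 RTS opcode word, and reports which catalogued preconditions a file meets. Preconditions 1, 2 and 4 describe disk and RAM state and are not evaluated. The two sample files are constructed inline with a tiny builder, and the word-aligned opcode scan is an assumption standing in for the catalog's unspecified "specified location", so a data word that happens to equal $48e7 also counts as a hit.

```python
import struct

# Standard AmigaDOS hunk block identifiers (well-known values).
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_DATA = 0x3EA
HUNK_BSS = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_SYMBOL = 0x3EF
HUNK_DEBUG = 0x3F1
HUNK_END = 0x3F2

MOVEM_PUSH_ALL = 0x48E7      # movem.l d0-d7/a0-a6,-(sp): catalog precondition 7
RTS = 0x4E75                 # rts: catalog precondition 8
MAX_INFECTABLE_LEN = 102400  # $19000: catalog precondition 3


def _u32(data: bytes, pos: int):
    """Read one big-endian longword (68k byte order) and advance."""
    if pos + 4 > len(data):
        raise ValueError(f"truncated hunk file at offset {pos}")
    return struct.unpack_from(">I", data, pos)[0], pos + 4


def parse_hunks(data: bytes):
    """Walk a hunk file; return [(hunk_type, payload)], payload empty for
    block types that carry no loadable bytes."""
    hunks, pos = [], 0
    while pos < len(data):
        hid, pos = _u32(data, pos)
        hid &= 0x3FFFFFFF                      # strip MEMF_CHIP/MEMF_FAST flag bits
        if hid == HUNK_HEADER:
            n, pos = _u32(data, pos)
            while n != 0:                      # resident library name table
                pos += 4 * n
                n, pos = _u32(data, pos)
            _, pos = _u32(data, pos)           # table size
            first, pos = _u32(data, pos)
            last, pos = _u32(data, pos)
            for _ in range(last - first + 1):  # per-hunk size table
                size, pos = _u32(data, pos)
                if (size >> 30) == 3:          # both flag bits set: extra attribute longword
                    _, pos = _u32(data, pos)
            hunks.append((hid, b""))
        elif hid in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            n, pos = _u32(data, pos)
            if pos + 4 * n > len(data):
                raise ValueError(f"truncated hunk payload at offset {pos}")
            hunks.append((hid, data[pos:pos + 4 * n]))
            pos += 4 * n
        elif hid == HUNK_BSS:
            _, pos = _u32(data, pos)           # size only, no bytes in the file
            hunks.append((hid, b""))
        elif hid == HUNK_RELOC32:
            while True:
                count, pos = _u32(data, pos)
                if count == 0:
                    break
                pos += 4 * (1 + count)         # target hunk number + offsets
            hunks.append((hid, b""))
        elif hid == HUNK_SYMBOL:
            while True:
                n, pos = _u32(data, pos)
                if n == 0:
                    break
                pos += 4 * (n + 1)             # name longwords + value
            hunks.append((hid, b""))
        elif hid == HUNK_END:
            hunks.append((hid, b""))
        else:
            raise ValueError(f"unsupported hunk type 0x{hid:X} at offset {pos - 4}")
    return hunks


def has_opcode_word(code: bytes, opcode: int) -> bool:
    """Word-aligned scan for a 68k opcode word. Assumption: this stands in for
    the catalog's unspecified 'specified location'; data words also count."""
    return any(struct.unpack_from(">H", code, i)[0] == opcode
               for i in range(0, len(code) - 1, 2))


def assess(data: bytes) -> dict:
    """Evaluate the file-level Crime'92 preconditions (3, 5, 6, 7, 8)."""
    try:
        hunks = parse_hunks(data)
    except ValueError as exc:
        return {"parse_error": str(exc), "matches_preconditions": False}
    code = b"".join(payload for kind, payload in hunks if kind == HUNK_CODE)
    r = {
        "length_ok": len(data) < MAX_INFECTABLE_LEN,                         # 3
        "first_hunk_is_header": bool(hunks) and hunks[0][0] == HUNK_HEADER,  # 5
        "has_code_hunk": any(kind == HUNK_CODE for kind, _ in hunks),        # 6
        "has_movem_48e7": has_opcode_word(code, MOVEM_PUSH_ALL),             # 7 (must be absent)
        "has_rts": has_opcode_word(code, RTS),                               # 8
    }
    r["matches_preconditions"] = (r["length_ok"] and r["first_hunk_is_header"]
                                  and r["has_code_hunk"] and not r["has_movem_48e7"]
                                  and r["has_rts"])
    return r


def build_hunk_file(code_words) -> bytes:
    """Constructed sample: minimal single-code-hunk executable, not a real program."""
    code = b"".join(struct.pack(">H", w) for w in code_words)
    assert len(code) % 4 == 0, "code hunk must be longword-aligned"
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)   # no resident libs; one hunk
            + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))


# Constructed samples: 'moveq #0,d0; rts' versus a routine that saves all
# registers with movem.l d0-d7/a0-a6,-(sp), the $48e7 word the virus avoids.
SAMPLE_EXPOSED = build_hunk_file([0x7000, 0x4E75])
SAMPLE_SKIPPED = build_hunk_file([0x48E7, 0xFFFE, 0x4CDF, 0x7FFF, 0x4E75, 0x4E71])

if __name__ == "__main__":
    for name, blob in (("exposed", SAMPLE_EXPOSED), ("skipped", SAMPLE_SKIPPED)):
        print(name, assess(blob))
```

Run it over a directory of executables (read each file as bytes and call assess) to list which ones a Crime'92 carrier could extend; a file that matches and is exactly 1800 bytes longer than its known-clean copy is the "extending" footprint the Length entry describes. Because the scan works on whole code hunks rather than the virus's exact probe location, treat a "has_movem_48e7" hit as "probably skipped", not as proof the file is immune.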
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 31-July-1993
Information Source..: H.Schneegold, SHI, Reverse-analysis of virus code
===================== End of Crime'92 Virus ============================