Entry...............: Elbereth1
Alias(es)...........: -
Virus Strain........: Elbereth
Virus detected when.: 1996
              where.: Poland
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 936 Bytes
                         (uses polymorphic engine)
                      2. Length in RAM: 2048 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.0+
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: none
Type of infection...: Self-identification method in files:
                      - $4eba or $6100 as the first word of first
                        code hunk

                      Self-identification method in memory:
                      - checks for $2f01 as first word of LoadSeg

                      System infection:
                      - patches LoadSeg and Open

                      File infection:
                      Length of the first code hunk will be increased.
                      First longword is replaced with jump to virus
                      code.

                      Infection preconditions:
                      - Hunk Code is found and is smaller than
                        $1ffff*4
                      - The first word isn't $4ef9 or $4eb9
                      - File is not infected already
                      - device is validated
                      - device contains free blocks
Infection Trigger...: Starting programs.
                      Files containing "V" or "v" will not be infected.
Storage media affected: all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - an alert will be shown and then reboot will
                        be performed
                      - data files will be mixed with 'swap d1' loop
                        (repairable at all)

                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - after 20.00 o'clock
                      - value in $dff007 is smaller than $32

                      Transient damage:
                      - none
Particularities.....: none
Similarities........: Link-method is first hunk increasing.
Stealth.............: none
Armouring...........: Classic crypter.
Comments............: The virus contains the string:
                      '»» Elbereth! «« © 1996 Poland'
                      This is also the alert text.

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland 28.2.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 28.2.2001
Information Source..: virus
Copyright...........: This documentation is public domain

===================== End of Elbereth1 =================================