Entry...............: H.N.Y.96. / H.N.Y.97
Alias(es)...........: Happy_New_Year_96, Happy_New_Year_97
Known clones........: Aram Doll
Virus detected when.: 11/1995
              where.: Austria, Germany, Holland, Poland and USA
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 540 Bytes
                      2. Length in RAM: 540 Bytes
                      H.N.Y.97 patches FilePart() instead of LoadSeg() for
                      infection and has a static length of 628 bytes. All
                      other code is identical.
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: Text at the end of the first hunk: "Happy_New_Year_96"
Type of infection...: Self-identification method in files:
                      - Searches the first hunk for the longword $65772059
                        (ASCII "ew Y", part of the "Happy New Year" text).
                      Self-identification method in memory:
                      - Checks for $2f08 (MOVE.L A0,-(SP)) in the LoadSeg()
                        code.
                      System infection:
                      - RAM resident, patches the LoadSeg() code of the DOS
                        library.
                      Infection preconditions:
                      - the device has more than 4 free sectors
                      - the file is longer than $960 bytes and shorter than
                        $1e460 bytes
                      - a HUNK_CODE is found in the area following the
                        HUNK_HEADER (NO CHECK FOR RUNAWAYS!!! the search is
                        not bounded)
                      - the filename contains neither "-" nor ".l"; this is
                        probably meant to avoid infecting libraries
                      - $4e75 (RTS) is found at the end of the first code
                        hunk, or within the last $3f words of that hunk
Infection Trigger...: Accessing the volume
Storage media affected: all DOS-devices
Interrupts hooked...: LoadSeg() of the DOS library is patched to carry the
                      infection code. The patch is somewhat buggy and trashes
                      register A1.
Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - None
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None
Particularities.....: This virus uses no encryption routines to hide its code.
                      The LoadSeg() patch is not entirely clean and trashes
                      address register A1.
Similarities........: The link method is comparable to the Crime series: the
                      virus body is placed at the end of the first hunk and
                      the last "RTS" is replaced.
Stealth.............: no stealth abilities found
Armouring...........: The virus uses only a few unusual addressing tricks to
                      confuse AV analysts.
Installers..........: DemoManiac 2.19 fake (dop-dm1.dms)
                      DeTag 0.63 (detag063.lha)
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.79, VW 5.8
Countermeasures successful: all of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: (C) Markus Schmall, Hannover, Germany
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: November 24, 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall; the VTC Uni Hamburg is allowed to use
                      this document in its libraries. SHI is forbidden to
                      use this document in any form.
===================== End of H.N.Y.96. Virus ============================

Notes about the known clones:
Aram Doll is an ordinary link virus of 560 bytes. It is not encrypted and uses
the LastAlert pointer of ExecBase for self-recognition in memory. Its LoadSeg()
patch differs slightly.
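Added example, not part of the original catalog entry: a small Python walker
over the Amiga hunk format that applies the file-side checks described above
to a binary, i.e. the infection preconditions (size window, filename filter,
a HUNK_CODE after the header, RTS within the last $3f words of that hunk) and
the in-file self-identification longword $65772059 that stops reinfection.
The hunk block values are the standard AmigaDOS ones; the parser, the function
names (parse_hunks, is_infection_candidate, carries_self_id, hny96_would_infect)
and the two sample executables are constructed for this example. The samples
are synthetic byte strings carrying only the text marker, not virus code, and
the free-sector check is a device property that is not modelled.

```python
import struct

# Amiga hunk-format block types (standard dos.library values)
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_RELOC32 = 0x3EC
HUNK_END = 0x3F2

# Constants taken from the H.N.Y.96 catalog entry
MIN_SIZE = 0x960               # file must be longer than $960 bytes ...
MAX_SIZE = 0x1E460             # ... and shorter than $1e460 bytes
SELF_ID = b"\x65\x77\x20\x59"  # $65772059 = ASCII "ew Y" (from "Happy New Year")
RTS = b"\x4e\x75"              # MC680x0 RTS opcode
TAIL_WORDS = 0x3F              # RTS must lie within the last $3f words of the hunk


def _u32(data, off):
    """Bounds-checked big-endian longword at `off` (the virus does no such check)."""
    if off + 4 > len(data):
        raise ValueError("truncated hunk file at offset %d" % off)
    return struct.unpack_from(">I", data, off)[0]


def parse_hunks(data):
    """Walk a simple Amiga executable and return [(hunk_type, payload), ...].

    Handles HUNK_HEADER, HUNK_CODE, HUNK_RELOC32 and HUNK_END (enough for the
    constructed samples below); other block types raise ValueError.
    """
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER: not an Amiga hunk executable")
    off = 4
    while True:                      # resident library names, ended by a 0 count
        n = _u32(data, off)
        off += 4
        if n == 0:
            break
        off += 4 * n
    table_size, first, last = _u32(data, off), _u32(data, off + 4), _u32(data, off + 8)
    off += 12
    if last - first + 1 != table_size:
        raise ValueError("inconsistent hunk table")
    for _ in range(table_size):      # per-hunk size longwords
        size = _u32(data, off)
        off += 4
        if size >> 30 == 3:          # both memory-type bits set: extra attribute longword
            off += 4
    hunks = []
    while off < len(data):
        htype = _u32(data, off) & 0x3FFFFFFF   # strip memory-type flag bits
        off += 4
        if htype == HUNK_CODE:
            n = _u32(data, off)
            off += 4
            hunks.append((htype, bytes(data[off:off + 4 * n])))
            off += 4 * n
        elif htype == HUNK_RELOC32:
            start = off
            while True:
                n = _u32(data, off)
                off += 4
                if n == 0:
                    break
                off += 4 + 4 * n     # target hunk number, then n offsets
            hunks.append((htype, bytes(data[start:off])))
        elif htype == HUNK_END:
            hunks.append((htype, b""))
        else:
            raise ValueError("unsupported hunk type 0x%x" % htype)
    return hunks


def first_code_hunk(data):
    """Payload of the first HUNK_CODE, or None if the file has none."""
    for htype, payload in parse_hunks(data):
        if htype == HUNK_CODE:
            return payload
    return None


def filename_allowed(name):
    """Entry: the filename must contain neither '-' nor '.l' (skips libraries)."""
    return "-" not in name and ".l" not in name


def rts_near_end(code):
    """$4e75 at the end of the hunk or anywhere in its last $3f instruction words."""
    tail = code[-2 * TAIL_WORDS:]
    return any(tail[i:i + 2] == RTS for i in range(0, len(tail) - 1, 2))


def is_infection_candidate(name, data):
    """File-side infection preconditions from the entry (free-sector check omitted)."""
    if not MIN_SIZE < len(data) < MAX_SIZE or not filename_allowed(name):
        return False
    try:
        code = first_code_hunk(data)
    except ValueError:
        return False
    return code is not None and rts_near_end(code)


def carries_self_id(data):
    """In-file self-identification: $65772059 somewhere in the first code hunk.
    The entry does not say whether the virus requires longword alignment, so the
    search here is unaligned (the conservative choice for a scanner)."""
    try:
        code = first_code_hunk(data)
    except ValueError:
        return False
    return code is not None and SELF_ID in code


def hny96_would_infect(name, data):
    """Candidate file that does not already carry the marker."""
    return is_infection_candidate(name, data) and not carries_self_id(data)


def build_executable(code):
    """Wrap `code` in a one-hunk Amiga executable (constructed test data)."""
    code += b"\0" * (-len(code) % 4)             # hunks are longword-sized
    n = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)


# Constructed samples: a "clean" host (MOVEQ #0,D0 filler ending in RTS) and a
# "marked" copy with the entry's text after the RTS, where an infected file
# would carry it. Neither contains any virus code.
HOST_CODE = b"\x70\x00" * 0x500 + RTS
CLEAN = build_executable(HOST_CODE)
MARKED = build_executable(HOST_CODE + b"Happy New Year 96")

if __name__ == "__main__":
    for name, blob in (("game", CLEAN), ("game", MARKED), ("dos.library", CLEAN), ("a-b", CLEAN)):
        print("%-12s candidate=%-5s marker=%-5s would_infect=%s" % (
            name, is_infection_candidate(name, blob), carries_self_id(blob),
            hny96_would_infect(name, blob)))
```

Run against a directory of real executables, carries_self_id() alone is a
weak indicator (any program containing "ew Y" matches), so an actual scanner
pairs it with the text at the end of the first hunk and the code signature the
listed countermeasures use; the value of the script is in making the entry's
preconditions concrete and showing which files the virus would and would not
touch.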