Entry...............: Illegal Access
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 7/1995
              where.: USA
Classification......: Link virus, memory-resident, reset-resident
Length of Virus.....: 1. Length on storage medium: ca. 4000 Bytes
                      2. Length in RAM: 4514 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+) (for infection: V39+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: None
Type of infection...: Self-identification method in files:
                      - Searches for $2c780004 in the first hunk at the
                        first position (normal file infection)
                      Self-identification method in memory:
                      - Checks exception vector 3 (Illegal Opcode) and
                        checks for $4afc in the OpenLibrary() function
                      System infection:
                      - RAM resident, infects the processor exception
                        vector, modifies 19 different functions,
                        CoolCapture, ColdCapture and the post mortem
                        resident handler
                      Infection preconditions:
                      - File to be infected is bigger than $1800 bytes
                      - First hunk isn't about 4000 bytes long and does
                        not contain $2c780004 as its first longword
                        (for normal file infections)
                      - The file is not already infected
                      - HUNK_HEADER and HUNK_CODE are found
                      - HUNK_HEADER structure is valid
                      - Longwords 2-4 of the filename in the info
                        structure, multiplied in this way: m3*m2, m1*m3
                        (longword-oriented 68020+ instruction), must be
                        less than $320000. Otherwise it is checked
                        whether the file length is smaller than $32000
                        (=200kb)
Infection Trigger...: Accessing the volume
Storage media affected: all DOS-devices
Interrupts hooked...: The virus infects the processor exception 3
                      vector (Illegal Opcode)
Damage..............: Permanent damage: - None
                      Transient damage: - None
Damage Trigger......: Permanent damage: - None
                      Transient damage: - None
Particularities.....: The crypt/decrypt routines are aware of processor
                      caches and clear them if necessary. These routines
                      are polymorphic and use several tricks like
                      symmetric decoding with memory usage to make
                      analysis a little bit more difficult. Some of the
                      routines are equal to routines in the B.E.O.L.
                      virus. The way of creating a new process
                      ("keyboard.device") using the stack is in my eyes
                      comparable.
                      The linking method searches for special file types
                      (e.g. libraries and devices) and infects them in a
                      different way. These files get an additional entry
                      in their HUNK_RELOC32 table containing the original
                      pointer to the library Init(). This library
                      structure makes it impossible to use a kind of
                      intelligent search code for the virus. "Brute
                      force" code is needed to search for the resident
                      structure.
Similarities........: Link method in library-structured files is like
                      the one of the Infiltrator virus (but optimized).
                      Link method in normal executable files is the IRQ
                      type (just another hunk).
Stealth.............: The virus uses normal DOS commands (no tunneling
                      via packets), and normal DOS call watchers like
                      SnoopDos can prove the infection behavior. The
                      virus restores both the file-protect flags
                      (including the user id!) and the file date, so
                      that except for the file length, no difference can
                      be seen. The exception handler uses a special
                      stealth technique to distinguish between a normal
                      exception and a self-triggered one: it checks for
                      "4AFC" and, if found, changes it to "4EF9", so
                      nobody will be able to find the real problem
                      behind it.
                      During daily work, the virus does not change the
                      reset vectors of Exec in any way. If a reset is
                      performed, it briefly initializes the CoolCapture
                      and ColdCapture vectors to get resident. At the
                      start of the new system (test for "dos.library")
                      all newly initialized CoolCapture and ColdCapture
                      vectors are removed again (-> post mortem
                      handling).
Armouring...........: The virus uses several armouring techniques to
                      confuse people while debugging it:
                      1. The virus uses double encryption with a
                         polymorphic engine
                      2. The virus is self-modifying in several bytes
                         (e.g. $4e71 -> $4e75)
                      3. The virus excessively uses the stack for
                         unusual operations like:
                         - creating processes
                         - decrypting
                         - jumps
                         - pointer replacement
                         - saving structures
                      4. The virus refuses to run in test suites and
                         checks if it is running under normal conditions
                         (system files present)
                      5. Data reuse - the virus uses several bytes from
                         within the code with a completely different
                         meaning, which makes labeling impossible (using
                         data from a code area)
                      6. Access to non-equal code blocks as base offset
                         for further work
--------------------- Agents -------------------------------------------
Countermeasures.....: VW 5.7, VZII 1.24, VT 2.77 and VC 7.18 (not
                      libraries)
Countermeasures successful: All of the above
Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 30.8.1995
Classification by...: Markus Schmall, Georg Hoermann, Heiner Schneegold
                      and Soenke Freitag (VTC)
Documentation by....: Markus Schmall
Date................: August 30, 1995
Information Source..: Reverse engineering of original virus
============ End of Illegal Access Virus ========================
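The file self-identification marker listed above turned into a defensive check, as an added example that is not part of the VTC entry or any of the named scanners: a minimal Amiga hunk-file parser that validates the HUNK_HEADER, locates the first HUNK_CODE and flags files whose first hunk is about 4000 bytes long and starts with $2c780004. The 3800-4300 byte tolerance for "ca. 4000 bytes" and the sample files built by build_sample() are assumptions constructed for the example.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
MARKER = 0x2C780004                  # longword the virus checks (MOVEA.L $4.w,A6)
HUNK_LEN_MIN, HUNK_LEN_MAX = 3800, 4300   # tolerance for "ca. 4000 bytes" (assumption)

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]

def first_code_hunk(buf):
    """Return (payload offset, payload length) of the first hunk if it is a
    HUNK_CODE inside a valid HUNK_HEADER structure, else None."""
    try:
        if _u32(buf, 0) != HUNK_HEADER:
            return None
        off = 4
        while True:                              # skip resident library name list
            n = _u32(buf, off); off += 4
            if n == 0:
                break
            off += n * 4
        table_size, first, last = _u32(buf, off), _u32(buf, off + 4), _u32(buf, off + 8)
        off += 12
        if first > last or table_size != last - first + 1:
            return None                          # invalid HUNK_HEADER
        for _ in range(table_size):              # hunk size table; top 2 bits = memory flags
            flags = _u32(buf, off) >> 30; off += 4
            if flags == 3:                       # extended attributes take one more longword
                off += 4
        hid, n = _u32(buf, off) & 0x3FFFFFFF, _u32(buf, off + 4) & 0x3FFFFFFF
        if hid != HUNK_CODE or off + 8 + n * 4 > len(buf):
            return None
        return off + 8, n * 4
    except struct.error:                         # truncated file
        return None

def looks_infected(buf):
    """Catalogue heuristic: first hunk is ~4000 bytes and starts with $2c780004.
    The marker alone is a common ExecBase prelude, so the length check matters."""
    found = first_code_hunk(buf)
    if found is None:
        return False
    off, length = found
    return HUNK_LEN_MIN <= length <= HUNK_LEN_MAX and _u32(buf, off) == MARKER

def build_sample(first_long, body):
    """Constructed single-hunk executable for testing (not real virus code)."""
    code = struct.pack(">I", first_long) + body
    n = len(code) // 4
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)   # no names; 1 hunk, first=last=0
            + struct.pack(">I", n) + struct.pack(">II", HUNK_CODE, n) + code
            + struct.pack(">I", HUNK_END))

SUSPECT = build_sample(MARKER, b"\x00" * 4000)        # marker + ~4000-byte first hunk
CLEAN_SMALL = build_sample(MARKER, b"\x4e\x75" * 20)  # legit ExecBase prelude, tiny hunk
CLEAN_BIG = build_sample(0x4E714E71, b"\x00" * 4000)  # big first hunk, no marker
```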