Entry...............: Invader
Alias(es)...........: Silesian Virus
Virus Strain........: -
Virus detected when.: 1/1996
              where.: Poland
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1200+(0..72) Bytes
                      2. Length in RAM: $19000 or $d6b0 Bytes
                         (depends on the return code of AvailMem())

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      The virus has problems with caches of all kinds.

--------------------- Attributes ---------------------------------------

Easy Identification.: None

Type of infection...: Self-identification method in files:
                      - None
                      Self-identification method in memory:
                      - Checks for a word in the DOS Open() function
                      System infection:
                      - RAM resident, infects the following DOS functions:
                        - Open()
                        - Rename()
                        - Lock()
                        - LoadSeg()
                        - NewLoadSeg()
                        - SetComment()
                        - SetProtection()
                      Infection preconditions:
                      - File is executable
                        Please note that there is no check for a CODE
                        hunk or similar. The virus loads the file to be
                        infected but does not perform a real length
                        check, so it simply cuts the file at the end of
                        its allocated buffer.
                        Example (memory allocation is $19000):
                        Infection attempt on xyz (= $2a000 bytes):
                        the infected file will be $19000+$4b0+0..72
                        bytes long and is not repairable anymore.

Infection Trigger...: Accessing the volume

Storage media affected: all DOS devices

Interrupts hooked...: No interrupts used

Damage..............: Permanent damage:
                      - Damages files, adds bytes, copies blocks.
                      Transient damage:
                      - The virus writes a file with the name
                        "===README===" to the RAM disk. It contains
                        some text like "Get me you lamer..." etc.

Damage Trigger......: Permanent damage:
                      - Overwriting file contents in several places,
                        especially when the files have more hunks.
                      Transient damage:
                      - Infection counter

Particularities.....: The memory allocation operations are not
                      cache-proof and should cause a lot of problems.
                      The code isn't written that professionally; the
                      patch routines are very simply made. One
                      important counter is placed behind the first hunk,
                      which isn't that clever: the data behind the first
                      hunk can be damaged in a serious way.

Similarities........: The link method is like the one of the Infiltrator
                      virus. Some ideas behind it (search for DH0 and
                      then try to infect dh0:c/loadwb first) look like
                      they were stolen from the Commander link virus.
                      The change of the last command in the hunk to be
                      infected is a little bit buggy. Under some
                      circumstances the last word in the hunk will be
                      changed even if it holds other important
                      information. The "RTS" locator doesn't look only
                      for the last "RTS"; it really looks for all "RTS"
                      in the STEP range.

Stealth.............: No stealth abilities at all. Everything can be
                      seen on the SnoopDos screen.

Armouring...........: No special armouring found in this virus. It just
                      uses some kind of encryption (depending on
                      $dff006) for its code, which is static.

--------------------- Agents -------------------------------------------

Countermeasures.....: VW 5.9, VT 2.80 (?)
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: (C) Hannover, Germany
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: 16.01.1996
Information Source..: Reverse engineering of original virus
Copyright...........: This document isn't allowed to be used in any
                      form without my permission. VTC Hamburg and
                      Virus Help Team DK are hereby allowed to use it.

===================== End of Invader Virus ============================