======== Computer Virus Catalog 2.0: Metamorphosis (14.12.1993) ========
Entry...............: Metamorphosis
Alias(es)...........: Next Generation from Lamer-Exterminator
Virus Strain........: IRQ, Lamer
detected when.:
where.:
Classification......: System Virus (BootBlock) and Linkvirus (Extending)
Length of Virus.....: 1. Length (1024 (Boot), 1060 (Link)) on storage medium
                      2. Length (1060) in RAM
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: OS 1.2, 1.3, 2.04, 3.0
Computer model(s)...: All Amigas
--------------------- Attributes ----------------------------------------
Easy identification.: Text in files (readable with HexDump facilities):
                      'METAMORPHOSIS V1.0- the next Generation from'
                      ' LAMER-EXTERMINATOR ! ',10
Type of Infection...: Self-Identification methods on Disk/Link:
                        Checks for the MET.. string in files
                      Self-Identification methods on Disk/Boot:
                        None (overwrites any bootblock)
                      Self-Identification methods in Memory:
                        Checks for hooked OldOpenLib to point at $7xxxx
                        (absolute memory)
                      Executable File infection:
                        Appending code hunk to executables in c: dir
                      Overwriting Bootblock
                      RAM-Resident
                      Reset-Resident (COOLCAPTURE/COLDCAPTURE)
                      Infection preconditions/Link:
                        OldOpenLibrary call
                        More than 2 files in C: directory
                        File smaller than 40000 bytes
                        Disk not write-protected
                      Infection preconditions/Boot:
                        Read access on block 0 (DoIo)
                        Disk not write-protected
Infection Trigger...: Link: Opening "dos.library"
                      Boot: Reading Bootblock
Storage Media affec.: All Media
Systemcalls hooked..: COLDCAP, COOLCAP, DOIO, OLDOPENLIB
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Permanent Damage:
                        Overwriting bootblock
                        Formatting floppies (headstep)
                      Transient Damage:
                        Flashing all disk lights after 13 infections
                        (some kind of warning for the author ???)
                      Transient/Permanent damage:
                        May overwrite block 0 (RDB) of the hard disk, because
                        there is no check for the device which calls the
                        DoIo function.
                        Because the virus uses memory areas it never allocated,
                        it may be overwritten by other programs, or will itself
                        overwrite other programs, which will probably crash the
                        system.
                        The virus will overwrite its own body on link infection
                        if the file is larger than 39840 and smaller than 40000
                        bytes, due to a calculation bug.
Damage Trigger......: counter, 13, 14 infections
Particularities.....: Virus copies itself to the absolute address
                      $7fa80 (link) / $7fa72 (boot)
                      Infected files will be loaded at $75e40 absolute
Similarities........: Link infection routine is similar to the IRQ virus,
                      damage similar to the Lamer viruses
--------------------- Agents --------------------------------------------
Countermeasures.....: All
Standard means......: VT2.58
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 14.12.1993
Information Source..: Reverse analysis of virus code, Heiner Schneegold
========================= End of Metamorphosis ==========================
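The entry's "Easy identification" field gives two plain-text strings that sit in every infected file and bootblock, and notes that the boot infection performs no self-check (any bootblock is overwritten). The following scanner is an added example, not code from the Computer Virus Catalog or the Virus Test Center: it searches a raw bootblock image or an Amiga executable for exactly those two strings and reports the offsets. The two container magics it uses to label what it scanned (a 1024-byte bootblock starting with "DOS", a hunk file starting with the HUNK_HEADER word 0x000003F3) are general Amiga facts, not taken from the entry; all sample images are constructed here for the demonstration and are not real, bootable or runnable Amiga data.

```python
"""Signature scanner for the Metamorphosis identification strings.

Added example (not part of the catalog entry). Only the two text strings
under 'Easy identification' come from the entry; the bootblock and hunk-file
magics are general Amiga facts, and every sample image is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# The entry lists the second string followed by byte 10 (line feed).
SIGNATURES = (
    b"METAMORPHOSIS V1.0- the next Generation from",
    b" LAMER-EXTERMINATOR ! \n",
)
BOOTBLOCK_SIZE = 1024                # standard Amiga floppy bootblock: 2 sectors
HUNK_HEADER = b"\x00\x00\x03\xf3"    # HUNK_HEADER magic of an Amiga executable


@dataclass
class ScanResult:
    kind: str                                   # "bootblock", "hunk_executable", "unknown"
    hits: list[tuple[int, bytes]] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        return bool(self.hits)


def find_signatures(data: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, signature) for every occurrence of a known string."""
    hits = []
    for sig in SIGNATURES:
        start = 0
        while (idx := data.find(sig, start)) >= 0:
            hits.append((idx, sig))
            start = idx + 1
    return sorted(hits)


def classify(data: bytes) -> str:
    """Label the image so a hit can be reported as boot or link infection."""
    if len(data) == BOOTBLOCK_SIZE and data.startswith(b"DOS"):
        return "bootblock"
    if data.startswith(HUNK_HEADER):
        return "hunk_executable"
    return "unknown"


def scan_image(data: bytes) -> ScanResult:
    return ScanResult(kind=classify(data), hits=find_signatures(data))


# --- constructed sample images (not real Amiga data) ----------------------
def clean_bootblock() -> bytes:
    # 'DOS\0' magic, a zeroed checksum field, then zero padding.
    return (b"DOS\x00" + b"\x00" * 4).ljust(BOOTBLOCK_SIZE, b"\x00")


def infected_bootblock() -> bytes:
    # Same layout with the identification text planted in the padding,
    # standing in for a bootblock the virus has overwritten.
    body = b"DOS\x00" + b"\x00" * 4 + b"\x00" * 100 + SIGNATURES[0] + SIGNATURES[1]
    return body.ljust(BOOTBLOCK_SIZE, b"\x00")


def infected_executable() -> bytes:
    # HUNK_HEADER magic plus filler in place of a real hunk table, with the
    # text at the tail, where an appended code hunk would sit.
    return HUNK_HEADER + b"\x00" * 64 + SIGNATURES[0] + SIGNATURES[1]


if __name__ == "__main__":
    samples = (("clean boot", clean_bootblock()),
               ("infected boot", infected_bootblock()),
               ("infected exe", infected_executable()))
    for name, img in samples:
        r = scan_image(img)
        print(f"{name:14s} kind={r.kind:16s} infected={r.infected} "
              f"offsets={[off for off, _ in r.hits]}")
```

Because the boot infection has no self-identification marker of its own, the string match is the only content-based check a scanner has for a bootblock; on a real disk the stronger defence is to compare block 0 against a known-good copy, which is also what the entry's "Countermeasures: All" implies.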