Entry...............: NeuroticDeath-1
Alias(es)...........: -
Virus Strain........: Elbereth
Virus detected when.: 1997
              where.: -
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 3400+[40-800] Bytes
                         Uses a highly polymorphic engine!
                      2. Length in RAM: 8192 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ to 3.0
Computer model(s)...: 000+ machines

--------------------- Attributes ---------------------------------------

Easy Identification.: none

Type of infection...: Self-identification method in files:
                      - tests ds_ticks in the file date
                        (the value changes every 16 days!)
                      Self-identification method in memory:
                      - checks for $2f01 in the LoadSeg code at offset 0
                      System infection:
                      - infects the following functions:
                        dos/LoadSeg
                        dos/NewLoadSeg
                        exec/DoIO
                      - adds a VBlank interrupt server to hide itself
                        when an antivirus is detected in memory
                      Infection preconditions:
                      - file is between 16 kB and 286 kB on HDD
                      - file is between 16 kB and 32 kB on floppy
                      - a Hunk Code is found
                      - file is not already infected
                      - device is validated
                      - device has 16+ free sectors
                      - filename contains neither 'v' nor 'V'

Infection Trigger...: Executing programs

Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                      - uses the DoIO patch to destroy random blocks
                        of any device. No salvage possible!
                      Transient damage:
                      - none

Damage Trigger......: Permanent damage:
                      - DoIO counter reaches 32
                      Transient damage:
                      - none

Particularities.....: The virus uses a highly polymorphic engine called
                      Mtg_2b. The algorithm is static, so semi-heuristic
                      detection should be possible. The decoder size
                      varies greatly from infection to infection.
                      The virus refuses to work before 24 Jan 97.
                      The virus calculates the original LoadSeg address,
                      so any other patch is kicked out. This routine
                      doesn't work on OS 3.1+ and causes a system crash.
                      The infector skips DEBUG hunks.
Similarities........: Link method is first-hunk increasing. Most of the
                      virus engine is identical across all Elbereth
                      viruses. The virus replaces JSR and Bcc instructions
                      with a jump to the decoder.

Stealth.............: Checks all task names for 'Vir'.

Armouring...........: Uses highly polymorphic decoders, which use some
                      anti-disassembly tricks. File detection requires
                      algorithmic analysis.

Comments............: The decoded virus contains VISIBLE text:

                      ---=[ NEurOTiC DEatH ]=--- (c) 1997 Poland
                      Grt's to *Markus*, m/\|) r0GEr
                      !! FIRST IN POLYMORPHIC SERIES !!

                      It is sometimes shown with DisplayAlert.

--------------------- Acknowledgement ----------------------------------

Location............: Pawlowice, Poland 8.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 8.2001
Information Source..: virus
Copyright...........: This documentation is public domain

============= End of Neurotic Death 1 =================================