Entry...............: Phantom Linkvirus
Alias(es)...........: Super-Nova
Virus Strain........: -
Virus detected when.: 11/1995
              where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium: ca. 688 Bytes
                      2. Length in RAM: 688 Bytes

--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------
Easy Identification.: None
Type of infection...: Self-identification method in files:
                      - Searches for $83ef19ac at the last position of the
                        first hunk (normal file infection)
                      Self-identification method in memory:
                      - Checks for a longword in the LoadSeg routine
                        ($42a449fa)
                      System infection:
                      - RAM resident, infects the DOS call LoadSeg()
                      Infection preconditions:
                      - File to be infected is bigger than 4000 bytes and
                        smaller than $2e630 bytes
                      - First hunk is a code hunk
                      - File is executable
                      - First hunk has no reloc linked behind it
                      - First hunk does not end with $83ef19ac
Infection Trigger...: Accessing the volume via LoadSeg (patched)
Storage media affected: all DOS devices
Interrupts hooked...: none
Damage..............: Permanent damage:
                      - None
                      Transient damage:
                      - None
Damage Trigger......: Permanent damage:
                      - None
                      Transient damage:
                      - None
Particularities.....: The crypt/decrypt routines are aware of processor caches.
Similarities........: The link method in library-structured files is like the one
                      of the Commander virus (without bsr changes!)
Stealth.............: The virus uses normal DOS commands (no tunneling via packets),
                      so normal DOS call watchers like SnoopDos can prove the
                      infection behaviour. The virus uses no stealth weapons. The
                      only thing is its size: a 688-byte difference in files does
                      not alert the user so quickly.
Armouring...........: The virus uses only 2 weapons:
                      1. The virus uses a crypt routine to hide its code.
                      2. The virus name is hidden in a block which is normally
                         never accessed. Just decrease the values by 1 and you
                         will see the text "let`s go again... PHANTOM".
Comments............: This file was sent to the Danish SHI leader from a German
                      guy. It was sent to him as a new virus killer. This happened
                      months (years?) ago and now (11/95) the virus appeared
                      again. In reality this is just a modified old version of
                      VMK with an installer linked before it. The installer is
                      time-based. (In the BX-News.Guide in the chapter Super-Nova
                      you can find some more information on how the virus
                      reached SHI.)

--------------------- Agents -------------------------------------------
Countermeasures.....: VW5.7, BootX 5.23B with Recog 2.25 (only the installer) ?
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany, 05.11.1995
Classification by...: Markus Schmall
Documentation by....: Markus Schmall
Date................: October 05, 1995
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall. Virus Test Center Uni Hamburg has the
                      permission to use this analysis in their catalog. SHI is
                      not allowed to use this document in ANY way.
===================== End of Phantom Virus ============================
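The file self-identification marker and the infection preconditions listed above translate directly into a scanner check: parse the Amiga hunk header, locate the first hunk, and test whether it is a code hunk whose last longword is $83ef19ac. The following Python is an added example written for this page, not code from the catalog entry or from any of the countermeasure tools it names. It assumes the standard AmigaOS hunk block identifiers (HUNK_HEADER $3F3, HUNK_CODE $3E9, HUNK_RELOC32 $3EC, HUNK_END $3F2); the sample executables it scans are constructed in memory and are not real infected files.

```python
import struct

# Standard AmigaOS hunk block identifiers (assumed from the hunk file format,
# not taken from the catalog entry).
HUNK_HEADER = 0x3F3
HUNK_CODE = 0x3E9
HUNK_RELOC32 = 0x3EC
HUNK_END = 0x3F2

# Values from the catalog entry: the marker the virus leaves at the end of the
# first hunk, and the size window of files it will infect.
PHANTOM_MARKER = 0x83EF19AC
MIN_TARGET_SIZE = 4000
MAX_TARGET_SIZE = 0x2E630


def _u32(buf, off):
    """Read one big-endian longword (raises struct.error on truncation)."""
    return struct.unpack_from(">I", buf, off)[0]


def parse_first_hunk(data):
    """Return (hunk_type, payload, reloc_follows) for the first hunk of a hunk
    executable, or None if the header is missing or the file is truncated."""
    try:
        if _u32(data, 0) != HUNK_HEADER:
            return None
        off = 4
        # Resident library names: (longword count, chars) pairs ended by a 0.
        while True:
            n = _u32(data, off)
            off += 4
            if n == 0:
                break
            off += 4 * n
        off += 4                       # table size
        first = _u32(data, off)
        last = _u32(data, off + 4)
        off += 8 + 4 * (last - first + 1)   # per-hunk sizes (with flag bits)
        hunk_type = _u32(data, off) & 0x3FFFFFFF
        off += 4
        if hunk_type != HUNK_CODE:
            return hunk_type, b"", False
        n_longs = _u32(data, off)
        off += 4
        payload = data[off:off + 4 * n_longs]
        if len(payload) != 4 * n_longs:
            return None
        off += 4 * n_longs
        reloc_follows = off + 4 <= len(data) and _u32(data, off) == HUNK_RELOC32
        return hunk_type, payload, reloc_follows
    except struct.error:
        return None


def scan_for_phantom(data):
    """Classify a file as 'not-hunk', 'clean' or 'infected' using the
    file self-identification marker described in the catalog entry."""
    info = parse_first_hunk(data)
    if info is None:
        return "not-hunk"
    hunk_type, payload, _ = info
    if hunk_type != HUNK_CODE or len(payload) < 4:
        return "clean"
    tail = _u32(payload, len(payload) - 4)
    return "infected" if tail == PHANTOM_MARKER else "clean"


def is_susceptible(data):
    """True if a clean file meets every infection precondition from the entry,
    i.e. it is the kind of file an operator should watch or back up first."""
    info = parse_first_hunk(data)
    if info is None or not (MIN_TARGET_SIZE < len(data) < MAX_TARGET_SIZE):
        return False
    hunk_type, payload, reloc_follows = info
    if hunk_type != HUNK_CODE or reloc_follows or len(payload) < 4:
        return False
    return _u32(payload, len(payload) - 4) != PHANTOM_MARKER


def build_hunk_file(code):
    """Construct a minimal one-hunk executable (sample data for the scanner)."""
    n = len(code) // 4
    header = struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)


# Constructed samples: a tiny clean file, one carrying the marker at the end of
# its first hunk, and a clean file large enough to fall inside the size window.
CLEAN_SAMPLE = build_hunk_file(b"\x4e\x75" * 4)
INFECTED_SAMPLE = build_hunk_file(b"\x4e\x75" * 4 + struct.pack(">I", PHANTOM_MARKER))
BIG_CLEAN_SAMPLE = build_hunk_file(b"\x4e\x71" * 2100)

if __name__ == "__main__":
    for name, sample in [("clean", CLEAN_SAMPLE), ("infected", INFECTED_SAMPLE),
                         ("big clean", BIG_CLEAN_SAMPLE)]:
        print(name, scan_for_phantom(sample), "susceptible:", is_susceptible(sample))
```

The marker check mirrors the virus's own self-identification, so it finds files that the virus would already consider infected, while `is_susceptible` flags clean files that satisfy every precondition in the entry and are therefore the ones worth monitoring with a DOS call watcher such as SnoopDos.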