Entry...............: Smeg
Alias(es)...........: -
Virus Strain........: -
Virus detected when.: 19 September 1996
              where.: Belgium and France
Classification......: Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: 1900 Bytes (uses a very simple engine)
                      2. Length in RAM: 2800 Bytes

--------------------- Preconditions ------------------------------------

Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04+ (V37-V40)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------

Easy Identification.: -

Type of infection...: Self-identification method in files:
                        - uses a bug in the BSTR routine of filecomment() for the
                          stealth routine

                      Self-identification method in memory:
                        - checks a special area of the TaskWait list

                      System infection:
                        - A new task is set up with the name of the last library
                          found in the list. Only 4 bytes are reserved for the
                          task name, but due to a programming bug even longer
                          names can be created (e.g. "keymap").
                        - All devices with inserted volumes are infected and a new
                          task code is inserted. The first part of the code looks
                          like BEOL code, but the rest is different.

                      Infection preconditions:
                        - HUNK_HEADER is found
                        - HUNK_CODE is found
                        - device is validated
                        - 10 free sectors
                        - filename does not start with "Vir"
                        - file is bigger than 8000 bytes
                        - file is smaller than 131072 bytes

Infection Trigger...: The infection is based on the packet handling system of
                      AMIGA OS. Every executed file is infected. All synchronous
                      DOS commands are affected.

Storage media affected: all DOS-devices

Interrupts hooked...: None

Damage..............: Permanent damage:
                        - none
                      Transient damage:
                        - none

Damage Trigger......: Permanent damage:
                        - none
                      Transient damage:
                        - infecting a file

Particularities.....: The crypt/decrypt routines are aware of processor caches.
                      The crypt routine is a simple polymorphic decryptor and
                      consists of some static logic. The packet handling works
                      even on the new developer OS versions. The virus tunnels
                      DOS-call watchers such as SnoopDos by using only low-level
                      packet routines. If the name of the accessed file starts
                      with the string "VIR" (case-insensitive), the file is not
                      infected.

Similarities........: The link method is the normal "hunk 1 add" method invented
                      by IRQ Team V41. The way of infecting the system is
                      comparable to the first two BEOL linkviruses. The entry
                      jump calculation is an advanced "JSR" search system (with
                      simple bugs).

Stealth.............: No stealth engine

Armouring...........: The virus uses a static decryption block for its code; only
                      the crypt values differ. The known disassembler Resource
                      has problems resolving some of the entry points; IRA and
                      D68k have no problems with that.

Comments............: At the end of the crypted block you can read:

                        'Smeg! It's a Hostile TakeOver!'
                        '(Better call Markus!)'

                      It differs from other known packet linkviruses in that
                      control is taken via AllocDosObj.

                      VirusWorkshop deactivates the virus's memory-resident code
                      and stops the infection by patching some values directly
                      in the code. After all viruses have been removed, please
                      reset, as the patch has to be removed completely.

--------------------- Agents -------------------------------------------

Countermeasures.....: VW 6.3 and above
Standard means......: -

--------------------- Acknowledgement ----------------------------------

Location............: Hannover, Germany, 22.09.1996
Classification by...: Markus Schmall
Documentation by....: Markus Schmall (C)
Date................: Sep 22, 1996
Information Source..: Reverse engineering of the original virus
Copyright...........: This document is copyrighted and may not be used in any
                      SHI publication

===================== End of Smeg Virus =========================