VTek22 Linkvirus and its installer:
       ------------------------------------


       Around March 1995 a new version of VTek22 was found, which has
       some internal changes and increases the file by a different length.

       Warning! The file "viewtek22.lha" contains a new linkvirus!
       The virus was uploaded to a box (BBS) in Hannover around 24.08.1994.
       Around 29.08.1994 we got the first phone calls concerning this virus
       and spread short warning texts in Hannover; some days later a
       warning appeared in the German Z-Netz. The description of this
       archive says that it contains a new update of the well-known viewtek
       program by tek. If you unpack the whole archive, you will find a
       guide file and the viewtek main file. The main file is 93844 bytes long
       and contains the installer for the new linkvirus.

       The virus itself is located in the second hunk. The first hunk is
       848 bytes long and contains some curious text strings:

       'dos.library'
       'S:HauptPfad'
       'User/SysOp/UserDaten'
       'BoxDaten/BoxParameter'
       'User/xxxxxxxx/.INDEX'
       'User/xxxxxxxx/.TXT'
       'Absender  : KFUserCheck'
       'Betreff   : Bitte lesen >NEUERUSER.TXT<'
       'Datum     : 10.08.1994'
       'Uhrzeit   : 20:50:58'
       'Bytes     : 1024'
       'Empfänger : xxxxxxxx'
       '09.08.1994 23.45.16    1 Asc SYSop'
       'Neueintraege'

       The archive contains only one mailbox advertisement from a box
       in Hannover. I met the sysop of this box and got the
       name of the uploader of the file. The username is xxxxxxxx
       (the same as in the ASCII text of the installer).
       The installer is a modified viewtek 2.1.378 version dated
       17.02.1994. In my opinion the first hunk is something like
       a FASTCALL hacking system, which may be able to modify user data
       and some other box parameters. It is possible that this file was
       not uploaded by xxxxxx but by somebody else, and that the sysop of this
       board activated this virus and the user data etc. were completely
       changed.

       But now to the exact description of this virus:
       -----------------------------------------------

       Link method: adds a new hunk to the file  ($3ed longwords = Type A)
                                                 ($462 longwords = Type B)

       Increases file length by:   4036 bytes (Type A)
                                   4504 bytes (Type B)
       Kickstart version required: KS V37.xx or higher

       The virus itself is not resident and only creates a new process.
       The node entry is changed so that the nl_type flag says it is a
       task. The process always has the same name, "trackdisk.device",
       and the same priority as a normal trackdisk.device task. Many
       parts of this virus are encrypted. The encryption routines are
       static; no polymorphic or otherwise "intelligent" encrypted parts
       could be found. The DOS routines are quite clever: there are no
       direct DOS jsr's (e.g. jsr -36(a6) to close a file). These
       routines are hidden, or in other words another technique is used
       for them (global). Because of this, all DOS function scanning
       programs like SpyDos, HackDos or SnoopDos are fooled and produce
       no output for this virus.

       The virus only links itself to other files if all of the following
       conditions are true:

       - more than 9 sectors free
       - device must be validated
       - no file longer than 143360 bytes will be infected
       - file must be executable
       - filename is one of the following:


        c:zoo, c:shrink, c:iprefs, c:mount, c:dms, c:setpatch,
        c:version, c:lharc, c:arc, c:fastgif, c:vt, c:show, c:ppshow,
        c:ed, c:iconx


       This virus contains many encryption routines which, as far as I
       can see up to now, are not used. A display routine or anything like
       a text writer does not seem to be in the virus. The virus contains an
       encrypted block; maybe this block contains a name for this little
       bastard. We are working on it...
       The virus contains a routine which manipulates control register B
       of CIA-B and the control register for the synchronisation of the
       blitter with the screen. I don't know exactly what this will
       affect.
       The hunk routine recognises the following hunks: $3ec and $3eb.
       I expect some problems with programs that contain other special
       hunks. VIRUSWORKSHOP 4.1 will be able to remove this virus, and
       the infected programs will work again, even if they did not work
       while they were infected.

       The way of manipulating the hunks is quite similar to the method,
       which the Burn Viruses use.
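       Added example, not from this write-up and not VIRUSWORKSHOP code: a small
       Python parser for the AmigaDOS hunk format that reads the header size table,
       walks the hunk blocks, and flags a file whose last hunk is a CODE hunk of
       $3ed or $462 longwords. It also shows where the quoted growth comes from:
       4036 and 4504 bytes are exactly the payload plus 16 bytes (one extra header
       table entry, the hunk type, the hunk length and HUNK_END). The hunk
       identifiers are the standard AmigaDOS values; the two sample files are
       constructed inside the block, and the zero-filled trailing hunk only
       reproduces the size, nothing else.

```python
import struct

# Standard AmigaDOS hunk block identifiers (not from the write-up)
HUNK_HEADER  = 0x3F3
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_END     = 0x3F2

# Trailing-hunk sizes in longwords that the write-up gives for the two variants
VARIANT_HUNK_SIZES = {0x3ED: "Type A", 0x462: "Type B"}


def u32(data: bytes, pos: int) -> int:
    """Big-endian longword at pos (hunk files use 68k byte order)."""
    return struct.unpack(">I", data[pos:pos + 4])[0]


def expected_growth(longwords: int) -> int:
    """Bytes an appended hunk adds: payload + header size-table entry
    + hunk type longword + hunk length longword + HUNK_END longword."""
    return 4 * longwords + 16


def parse_header(data: bytes):
    """Return (hunk sizes in longwords, offset of the first hunk block)."""
    if len(data) < 4 or u32(data, 0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk executable")
    pos = 4
    while True:                      # resident library names, 0-terminated
        n = u32(data, pos)
        pos += 4
        if n == 0:
            break
        pos += 4 * n
    _table_size, first, last = struct.unpack(">III", data[pos:pos + 12])
    pos += 12
    sizes = []
    for _ in range(last - first + 1):
        sizes.append(u32(data, pos) & 0x3FFFFFFF)   # top bits are memory flags
        pos += 4
    return sizes, pos


def walk_blocks(data: bytes, pos: int):
    """List (type, offset, longwords) of the loadable hunks after the header,
    stepping over RELOC32 and END blocks."""
    blocks = []
    while pos + 4 <= len(data):
        t = u32(data, pos)
        if t in (HUNK_CODE, HUNK_DATA):
            n = u32(data, pos + 4)
            blocks.append((t, pos, n))
            pos += 8 + 4 * n
        elif t == HUNK_BSS:
            blocks.append((t, pos, u32(data, pos + 4)))
            pos += 8
        elif t == HUNK_RELOC32:
            pos += 4
            while True:
                count = u32(data, pos)
                pos += 4
                if count == 0:
                    break
                pos += 4 + 4 * count          # target hunk number + offsets
        elif t == HUNK_END:
            pos += 4
        else:
            raise ValueError(f"unsupported hunk type {t:#x} at offset {pos}")
    return blocks


def scan(data: bytes) -> dict:
    """Flag a file whose final hunk is a CODE hunk of one of the variant sizes."""
    sizes, pos = parse_header(data)
    blocks = walk_blocks(data, pos)
    if len(blocks) != len(sizes):
        raise ValueError("hunk count in header does not match hunk blocks")
    last_type, _, last_size = blocks[-1]
    variant = VARIANT_HUNK_SIZES.get(last_size) if last_type == HUNK_CODE else None
    return {"hunks": len(sizes), "last_hunk_longwords": last_size, "variant": variant}


def build_hunk_file(payloads) -> bytes:
    """Constructed test input: a minimal executable with one CODE hunk per
    payload (each payload a multiple of 4 bytes)."""
    n = len(payloads)
    out = struct.pack(">IIIII", HUNK_HEADER, 0, n, 0, n - 1)
    out += b"".join(struct.pack(">I", len(p) // 4) for p in payloads)
    for p in payloads:
        out += struct.pack(">II", HUNK_CODE, len(p) // 4) + p + struct.pack(">I", HUNK_END)
    return out


# Constructed samples: a clean three-longword program, and the same file with a
# trailing 0x3ED-longword CODE hunk (zero-filled stand-in for the added hunk).
CLEAN = build_hunk_file([b"\x4e\x75\x00\x00" * 3])
GROWN = build_hunk_file([b"\x4e\x75\x00\x00" * 3, b"\x00" * (4 * 0x3ED)])

if __name__ == "__main__":
    print(scan(CLEAN))
    print(scan(GROWN), "grew by", len(GROWN) - len(CLEAN), "bytes")
```

       Run on real c: commands, the size check alone is only a hint; a clean
       program whose last hunk happens to be $3ed longwords long would also be
       flagged, so a scanner still needs to inspect the hunk contents.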

                                           Detection tested 05.09.1994.

       Test by Markus Schmall      Detection of Type B tested 20.3.1995.
