VTek22 Linkvirus and its installer:
------------------------------------

Around March 1995 a new version of VTek22 was found, which has some internal changes and increases the file by a different length.

Warning! The file "viewtek22.lha" contains a new linkvirus!

The virus was uploaded to a box in Hannover around 24.08.1994. Around 29.08.1994 we got the first phone calls concerning this virus and spread short warning texts in Hannover; some days later a warning appeared in the German Z-Netz.

The description of this archive says that it contains a new update of the well-known viewtek program by tek. If you unpack the whole archive, you will find a guide file and the viewtek main file. The main file is 93844 bytes long and contains the installer for the new linkvirus. The virus itself is located in the second hunk. The first hunk is 848 bytes long and contains some crazy texts:

'dos.library'
'S:HauptPfad'
'User/SysOp/UserDaten'
'BoxDaten/BoxParameter'
'User/xxxxxxxx/.INDEX'
'User/xxxxxxxx/.TXT'
'Absender : KFUserCheck'
'Betreff : Bitte lesen >NEUERUSER.TXT<'
'Datum : 10.08.1994'
'Uhrzeit : 20:50:58'
'Bytes : 1024'
'Empfänger : xxxxxxxx'
'09.08.1994 23.45.16 1 Asc SYSop'
'Neueintraege'

The archive contains only one mailbox advertisement from a box in Hannover. I met the sysop of this box and got the name of the uploader of the file. The username is xxxxxxxx (the same as in the ASCII text of the installer). The installer is a modified viewtek 2.1.378 version dated 17.02.1994. In my opinion the first hunk is something like a FASTCALL hacking system, which may be able to modify user data and some other box parameters. It is possible that this file was not uploaded by xxxxxx but by somebody else, and that the sysop of this board activated this virus and the user data etc. were completely changed.
But now to the exact description of this virus:
-----------------------------------------------

Linkmethod: adds a new hunk to the file ($3ed longwords = Typ A, $462 longwords = Typ B)
Increases filelength by: 4036 bytes (Typ A), 4504 bytes (Typ B)
Kickstart version required: KS V37.xx or higher

The virus itself is not resident and only creates a new process. The node entry is changed in such a way that the nl_type flag says it is a task. The process always has the same name, "trackdisk.device", and the same priority as a normal trackdisk.device task.

Many parts of this virus are encrypted. The crypt routines are static; no polymorphic or otherwise "intelligent" crypt parts could be found.

The DOS routines are quite clever. There are no direct DOS jsrs (e.g. jsr -36(a6) to close a file). These routines are hidden, or in other words another technique is used for them (global). Due to this, all DOS function scanning programs like SpyDos, HackDos or SnoopDos are cheated and produce no output.

The virus only links itself to other files if the following conditions are true:
- more than 9 sectors free
- device must be validated
- no file longer than 143360 bytes will be infected
- file must be executable
- filename is one of the following: c:zoo, c:shrink, c:iprefs, c:mount, c:dms, c:setpatch, c:version, c:lharc, c:arc, c:fastgif, c:vt, c:show, c:ppshow, c:ed, c:iconx

This virus contains many crypt routines which are not used, as far as I can see up to now. A display routine or something like a text writer does not seem to be in the virus. The virus contains an encrypted block; maybe this block contains a name for this little bastard. We are working on it...

The virus contains a routine which manipulates control register B of CIA-B and the control register for the synchronisation of the blitter with the screen. I don't know exactly what this affects.
The hunk routine recognizes the following hunks: $3ec and $3eb. I expect some problems with programs that contain other special hunks. VIRUSWORKSHOP 4.1 will be able to remove this virus, and the cleaned programs will work even if they were not working while they were infected. The way the hunks are manipulated is quite similar to the method the Burn viruses use.

Detection tested 05.09.1994. Test by Markus Schmall
Detection of Typ B tested 20.3.1995.
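The two length figures given for the link method are consistent with a single appended hunk: 4 bytes per longword plus 16 bytes of framing, which I read as one new entry in the HUNK_HEADER size table, the hunk type and size longwords, and the closing HUNK_END ($3ed longwords gives 4036 bytes, $462 gives 4504). The Python below is an added example, not code from the original page or from VirusWorkshop: it parses the HUNK_HEADER size table of an AmigaDOS executable and applies the infection conditions listed above as a detection heuristic (targeted name, size limit, trailing hunk of exactly $3ed or $462 longwords); the hunk files it checks are constructed inline from RTS filler, and the hunk type constants are the standard AmigaDOS values.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
VTEK22_HUNK_SIZES = {0x3ED, 0x462}     # appended hunk, longwords (Typ A / Typ B)
VTEK22_TARGETS = {"zoo", "shrink", "iprefs", "mount", "dms", "setpatch", "version",
                  "lharc", "arc", "fastgif", "vt", "show", "ppshow", "ed", "iconx"}
MAX_INFECTED_LEN = 143360              # longer files are left alone, per the page

def u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]

def parse_hunk_sizes(buf):
    """Return the hunk size table (longwords, memory flags stripped) from HUNK_HEADER."""
    if len(buf) < 8 or u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not an AmigaDOS hunk file")
    off = 4
    while u32(buf, off) != 0:          # skip resident library names, if any
        off += 4 + 4 * u32(buf, off)
    off += 4                           # terminating 0 longword
    first, last = u32(buf, off + 4), u32(buf, off + 8)
    off += 12                          # table_size, first_hunk, last_hunk
    return [u32(buf, off + 4 * i) & 0x3FFFFFFF for i in range(last - first + 1)]

def vtek22_suspect(name, buf):
    """Defender heuristic from the page: a targeted, small executable whose
    last hunk is exactly $3ed or $462 longwords long deserves a closer look."""
    if name.lower() not in VTEK22_TARGETS or len(buf) > MAX_INFECTED_LEN:
        return False
    sizes = parse_hunk_sizes(buf)
    return len(sizes) >= 2 and sizes[-1] in VTEK22_HUNK_SIZES

def build_sample(hunk_sizes):
    """Constructed sample data: a minimal clean hunk file with one HUNK_CODE
    of RTS filler (0x4e75) per entry, each followed by HUNK_END."""
    out = struct.pack(">IIIII", HUNK_HEADER, 0, len(hunk_sizes), 0, len(hunk_sizes) - 1)
    out += b"".join(struct.pack(">I", n) for n in hunk_sizes)
    for n in hunk_sizes:
        out += struct.pack(">II", HUNK_CODE, n) + b"\x4e\x75" * (2 * n)
        out += struct.pack(">I", HUNK_END)
    return out

def appended_growth(longwords):
    """Bytes by which a file grows when one hunk of `longwords` is appended."""
    return len(build_sample([0x100, longwords])) - len(build_sample([0x100]))

if __name__ == "__main__":
    for n in sorted(VTEK22_HUNK_SIZES):
        print(f"${n:x} longwords -> +{appended_growth(n)} bytes")   # 4036 / 4504
    print(vtek22_suspect("zoo", build_sample([0x100, 0x3ED])))      # True
```

The size-table check is only a triage signal: a benign program whose last hunk happens to be that long will match, so a hit should be confirmed with a scanner that knows the virus body.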