--------------------- Virus test ---------------------------------------
Entry...............: BASTARD (temporary name)
Alias(es)...........: -
Virus Strain........: Motaba(?)
Virus detected when.: 4.2001
              where.: internet
Classification......: Link virus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: c.a. 2100 bytes (uses polymorphic engine)
                      2. Length in RAM: 8192 bytes

--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
   Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)

--------------------- Attributes ---------------------------------------
Easy Identification.: none

Type of infection...:
   Self-identification method in files:
   - checks the first byte of the first code hunk for $61 (part of the jump to the virus code)

   Self-identification method in memory:
   - indirectly, the virus is aware of itself:
     * it checks for $-1 in the tc_userdata field of every process; this value is stored by the exec/TaskWait list scanner, and already checked processes are skipped
     * the attempt to hack asl.library fails, so the memory is freed

   System infection:
   - tries to guess the paths of running programs via pr_HomeDir and the task name. This gives about 2-5 valid file paths (mainly in WBStartup) to infect.
   - tries to hack the in-memory code of AllocRequest in asl.library with a patch that in turn tries to hack the VirusCheckerII process (it reaches it via the seglist Open call of this killer and patches it!). I don't know which version(s) the author of the virus had tested.

   Infection preconditions:
   - the file is between 2000 and 32000 bytes
   - a Hunk Code is found
   - the file is not infected already
   - the device is validated
   - the device contains free blocks

Infection Trigger...: 1. Accessing files by checking them with VirusCheckerII.
                      2. Direct infection of some running programs after an infected file has been run.
                      Files containing an "l", "L", "-", "V" or "v" will not be infected.
Storage media affected: all DOS devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - crashes the system.
                      Transient damage:
                      - none
Damage Trigger......: Permanent damage:
                      - the file ENV:mui/spirit.1.prefs exists
                      Transient damage:
                      - none
Particularities.....: Polymorphic decrypt routine. The decryptor is 256 bytes long and is always preceded by:
                        movem.l d0-a6,-(sp)
                      This engine is (for me) a new one, but it doesn't contain enough to prevent "checksum" detection of the infected files. The truth is even better: we can decode the virus using the technique found inside it (the crypter and the decrypter are the same!). The polymorphic engine always contains one loop, one eor, one move.l 4.w,a6 and two lea.l; the rest are random moveq and shifts like lsl.l #2,d4 etc. The decrypt algorithm may vary if a random instruction that changes the crypt-key register appears inside the decrypt loop; I didn't get any crashing example.
                      The virus replaces the first longword of the first code hunk with a bsr.w to the virus code. The original value is restored by the decrypted virus code, and the stack is manipulated so that the program is called first and the main virus code afterwards. Note that there is no detailed check of this longword, so every file without $61 at the beginning will be infected. This also means that files with a relocation entry for the first longword will cause a guru after infection.
                      New ideas at all. The virus looks excellent compared to Motaba-3, which is supposed to be the base of this viral engine. Direct hacking of things that exist only in RAM is a problematic subject, and there is an incredibly large amount of things that can be hacked in the same way in future. It is one of those bastards that, if run from an icon, will not crash with the well-known GURU 87000004. That's because the virus code executes AFTER the program.
Similarities........: The link method is first-hunk increasing. The main code is comparable to Motaba-3. The length polymorphism is the same! The change of length depends on 'a' in the file path.
                      The path creator is an idea comparable to the Antonio and PolishPower viruses.
Stealth.............: FindTask must point to $fxxxx or the virus will not try to hack VCII.
                      Open must point to $fxxxx or the virus will not perform any action.
                      Write must point to $fxxxx or the virus will not perform any action.
                      Lock must point to $fxxxx or the virus will not perform the check for ENV:mui/spirit.1.prefs.
                      The virus doesn't patch ROM library vectors, and the hacks of VC and asl.library are done in a quite tricky way.
Armouring...........: A polymorphic decryptor is used, the length of the added code varies within a small range, and at the end of the virus there is more or less garbage. The virus contains some of the popular tricks, like a bsr followed by increasing sp to mix code with data, and some confusing/anti-disassembling instructions.
Comments............: -

--------------------- Agents -------------------------------------------
Countermeasures.....: - above
Standard means......: -

--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 4.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 4.2001
Information Source..: Virus disassembly and reverse engineering
Copyright...........: This documentation is public domain
===================== End of BASTARD ===================================

The virus doesn't seem to be able to spread on so many machines, but of course file removals will be ready as soon as possible. What is more important!
-----------------------
Here is the first analysis of that virus. At the moment the range of spreading is unknown, but I heard the installer is an archive with pointers or something of that kind. Jan Andersen of VHT-DK is working on it or has already finished.
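A detection heuristic for the marker the report describes, as an added example (not part of the original report or of any VHT tool): it parses the Amiga hunk executable format just far enough to reach the first HUNK_CODE block and checks whether its first byte is $61 (the bsr.w the virus plants there), alongside the 2000-32000 byte window and the l/L/-/V/v filter the report lists. The hunk IDs are the standard AmigaOS values; the character filter is assumed here to apply to the file path, and the sample executables are constructed in memory.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB   # AmigaOS hunk IDs
HUNK_END = 0x3F2
SIZE_WINDOW = (2000, 32000)      # infection window stated in the report
SKIP_CHARS = set("lL-Vv")        # characters that make the virus skip a file (assumed: in the path)

def _u32(data, off):
    return struct.unpack_from(">I", data, off)[0]

def first_code_hunk(data):
    """Return the payload of the first HUNK_CODE block, or None if there is none."""
    if len(data) < 8 or _u32(data, 0) != HUNK_HEADER:
        return None
    off = 4
    while _u32(data, off):                      # optional resident-library name table
        off += 4 + _u32(data, off) * 4
    first, last = _u32(data, off + 8), _u32(data, off + 12)
    off += 16 + (last - first + 1) * 4          # terminator, table size, first, last, sizes
    while off + 8 <= len(data):
        hid, arg = _u32(data, off) & 0x3FFFFFFF, _u32(data, off + 4)   # high bits = memory flags
        if hid == HUNK_CODE:
            return data[off + 8:off + 8 + arg * 4]
        if hid == HUNK_DATA:
            off += 8 + arg * 4
        elif hid == HUNK_BSS:
            off += 8
        elif hid == HUNK_END:
            off += 4
        else:
            return None                         # relocation/unknown block: stop rather than misparse
    return None

def scan(path, data):
    """Which of the report's preconditions and markers does this file meet?"""
    code = first_code_hunk(data)
    return {
        "hunk_code": code is not None,
        "size_in_window": SIZE_WINDOW[0] <= len(data) <= SIZE_WINDOW[1],
        "path_skipped": any(c in SKIP_CHARS for c in path),
        "bsr_marker": code is not None and len(code) >= 4 and code[0] == 0x61,
    }

def make_hunk_file(code):
    """Constructed sample: a minimal one-hunk executable wrapped around `code`."""
    n = (len(code) + 3) // 4
    return (struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code.ljust(n * 4, b"\0")
            + struct.pack(">I", HUNK_END))
```

Pass the bytes of a real file read in binary mode as `data`; a file that hits on all of `hunk_code`, `size_in_window` and `bsr_marker` is a candidate for the checksum comparison the report recommends, since a legitimate program rarely starts its first code hunk with a bsr.w.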
-------------------------------------------------------
bastard.txt file signed by: Charlene
md5sum:
ftp.vapor.com/pub/3rdparty/