| Alias: | Mount-972 |
| Strain: | |
| detected when: | 7/1995 |
| where: | Austria |
| Classification: | Link virus, memory-resident, not reset-resident |
| Length: | Length on storage medium: 972 bytes; length in RAM: 972 bytes |
| Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | 2.04 and above (V37+) |
| Computer model(s): | all models/processors (MC68000-MC68040) |
| Caroname: | BEOL |
| Attributes | |
| Easy identification: | None |
| Type of Infection: | Self-identification method in files: searches for -$17 in the first hunk. Self-identification method in memory: checks for -$17 in the (private) LastAlert entry of ExecBase. System infection: RAM resident; infects the launch code of volume tasks (this is, of course, system-private code). Infection preconditions: - the file to be infected is smaller than 192K; - the volume name does not contain "MS" at positions 3 and 4 (a backdoor left by the virus programmer; "MS" is matched in any case); - the file is not already infected (no -$17 found); - HUNK_HEADER and HUNK_CODE are found; - a word-length JSR to the virus start is found in the code hunk (the code hunk must contain a JSR within the last $7fff instructions); - 8 blocks are free on the volume; - a ".backdrop" file exists in the root of the volume, or c/mount exists on the volume. |
| Infection Technique: | |
| Infection Trigger: | Accessing the volume |
| Storage Media affected: | all DOS-devices |
| Interrupts hooked: | The virus infects the launch routine of volume tasks and therefore gets control every time a volume is accessed. The launch code is a normally unused feature of tasks which can contain special initialisation code. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: none. Transient damage: the virus writes a file named "README" to the disk; this file contains the text "B.E.O.L. 1995! Don't be angry!!" and is 1152 bytes long. |
| Damage Trigger: | Permanent damage: none. Transient damage: infection counter. |
| Particularities: | The crypt/decrypt routines are aware of processor caches and clear them if necessary. When the launch routine gets control, the virus creates a kind of infection process. This process is completely re-entrant, so the virus can infect several files and volumes simultaneously. The virus is programmed very efficiently; the author makes extensive use of V37+ functions and unusual coding methods. Nevertheless, the programmer left some tracks behind: the "MS" check in the volume name and the magic number -$17 = -23, used for several purposes, should make it possible to find the author. I think only a dozen people worldwide can program like this. The linking method is very poor compared to the other functions in this virus; it recognises very few file types. Maybe this virus is only a test balloon. |
| Similarities: | The link method is like that of the Infiltrator virus. |
| Agents | |
| Countermeasures: | All of the above |
| Standard means: | - |
| Acknowledgements | |
| Location: | (C) Virus Test Center, University Hamburg, Germany |
| Classification by: | S. Freitag, Markus Schmall, Karim Senoucci |
| Documentation by: | S. Freitag |
| Date: | August 21, 1995 |
| Information Source: | Reverse engineering of original virus |
(c) 1996 Virus-Test-Center, University of Hamburg
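As an added example (not part of the VTC record above), the following Python scanner applies the file-side checks from the "Type of Infection" entry to an AmigaDOS hunk file: it locates the first HUNK_CODE, looks for the -$17 ($FFE9) self-identification word, and evaluates the size and volume-name ("MS" at positions 3 and 4) preconditions. The record does not say where in the first hunk the marker sits, so scanning every word-aligned position in the code hunk is an assumption, as is the minimal hunk-walking (only CODE, DATA, BSS and END blocks are handled); the sample files are constructed, not real programs.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_END = 0x3F3, 0x3E9, 0x3EA, 0x3EB, 0x3F2
MARKER = (-0x17) & 0xFFFF      # -$17 as a 68000 word: $FFE9
MAX_FILE_SIZE = 192 * 1024     # files of 192K or more are never infected

def first_code_hunk(data: bytes):
    """Walk an AmigaDOS hunk file and return the payload of the first HUNK_CODE (or None)."""
    u32 = lambda off: struct.unpack_from(">I", data, off)[0]
    if len(data) < 4 or u32(0) != HUNK_HEADER:
        return None
    off = 4
    while u32(off) != 0:                 # resident library names: length (longwords) + chars
        off += 4 + 4 * u32(off)
    off += 4                             # the terminating 0 longword
    first, last = u32(off + 4), u32(off + 8)
    off += 12 + 4 * (last - first + 1)   # table_size, first, last, then one size per hunk
    while off + 8 <= len(data):
        kind = u32(off) & 0x3FFFFFFF     # top two bits carry memory-type flags
        if kind == HUNK_CODE:
            return data[off + 8: off + 8 + 4 * u32(off + 4)]
        if kind == HUNK_DATA:
            off += 8 + 4 * u32(off + 4)
        elif kind == HUNK_BSS:
            off += 8
        elif kind == HUNK_END:
            off += 4
        else:
            return None                  # reloc/symbol blocks: out of scope for this check
    return None

def has_marker(code: bytes) -> bool:
    """True if the word $FFE9 occurs on an even (instruction) boundary in the code hunk."""
    return any(struct.unpack_from(">H", code, i)[0] == MARKER for i in range(0, len(code) - 1, 2))

def volume_is_backdoored(volume_name: str) -> bool:
    """The virus skips volumes with 'MS' (any case) at characters 3 and 4."""
    return volume_name[2:4].upper() == "MS"

def assess(data: bytes, volume_name: str) -> dict:
    code = first_code_hunk(data)
    return {
        "exposed": code is not None and len(data) < MAX_FILE_SIZE and not volume_is_backdoored(volume_name),
        "marked": code is not None and has_marker(code),   # heuristic: $FFE9 can also be legitimate data
    }

def build_hunk_file(code: bytes) -> bytes:
    """Constructed sample: a minimal single-code-hunk executable (not a real program)."""
    code += b"\0" * (-len(code) % 4)
    n = len(code) // 4
    return (struct.pack(">IIIIII", HUNK_HEADER, 0, 1, 0, 0, n)
            + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END))

CLEAN = build_hunk_file(b"\x4e\x75" * 4)                      # four RTS instructions
MARKED = build_hunk_file(b"\x4e\x75\xff\xe9\x4e\x75\x4e\x75")  # same, with $FFE9 inserted
```

A positive "marked" result only means the marker word is present; confirm by inspecting the code hunk, since $FFE9 can occur in uninfected programs as data or a displacement.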