Ebola 1 Virus

Strain:Ebola Strain
detected when:9/1995
Classification:Link virus, memory-resident, not reset-resident
Length:
1. Length on storage medium: 1116 Bytes
2. Length in RAM: 3300 Bytes


Operating System(s):AMIGA-DOS
Version/Release:2.04 and above (V37+)
Computer model(s):all models/processors (MC68000-MC68060)


Easy identification:none

Type of Infection:

Self-identification method in files:
- Searches for $ab1590ef at the end of the first Hunk.
Self-identification method in memory:
- Checks for $213f at offset -2 of the LoadSeg() function.
System infection:
- Non RAM-resident; infects the following functions: Dos LoadSeg(), Exec FindTask() and Exec OpenResource().
Infection preconditions:
- File to be infected is bigger than 2500 bytes and smaller than 130000 bytes.
- First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry).
- The file is not already infected (the longword at the end of the hunk).
- HUNK_HEADER and HUNK_CODE are found.
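As an added example (not part of this VTC record or the virus author's code), a defender-side scanner in Python that parses the AmigaDOS hunk header, locates the first hunk, and tests the facts given above: the $ab1590ef self-identification longword at the end of the first hunk, and the infection preconditions (size window, a $4eae word, i.e. the opcode of "jsr xx(a6)", in the first hunk). The hunk IDs are the standard AmigaDOS values; the sample files are constructed in the block and are not real programs.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
EBOLA_MARKER = 0xAB1590EF          # self-identification longword at the end of the first hunk
MIN_SIZE, MAX_SIZE = 2500, 130000  # size window the virus requires before infecting
JSR_A6 = 0x4EAE                    # opcode word of "jsr xx(a6)", i.e. a library call

def u32(data, pos):
    return struct.unpack_from(">I", data, pos)[0]

def first_code_hunk(data):
    """(offset, byte length) of the first hunk's payload if it is HUNK_CODE, else None."""
    if len(data) < 8 or u32(data, 0) != HUNK_HEADER:
        return None
    pos = 4
    while (n := u32(data, pos)) != 0:  # resident-library names, terminated by a 0 longword
        pos += 4 + n * 4
    pos += 4
    first, last = u32(data, pos + 4), u32(data, pos + 8)
    pos += 12 + (last - first + 1) * 4  # skip table size and the per-hunk size table
    if pos + 8 > len(data) or u32(data, pos) & 0x3FFFFFFF != HUNK_CODE:
        return None                     # low 30 bits are the hunk type, top bits memory flags
    length = (u32(data, pos + 4) & 0x3FFFFFFF) * 4
    return pos + 8, length

def classify(data):
    """'infected' if the marker is present, 'candidate' if the file meets the
    infection preconditions but is clean, otherwise 'not-a-target'."""
    hunk = first_code_hunk(data)
    if hunk is None:
        return "not-a-target"
    off, length = hunk
    end = off + length
    if length < 4 or end > len(data):
        return "not-a-target"
    if u32(data, end - 4) == EBOLA_MARKER:
        return "infected"
    has_jsr = any(struct.unpack_from(">H", data, i)[0] == JSR_A6 for i in range(off, end - 1, 2))
    if has_jsr and MIN_SIZE < len(data) < MAX_SIZE:
        return "candidate"
    return "not-a-target"

def build_hunk_file(code, marker=None):
    """Constructed sample (not a real program): HUNK_HEADER, one HUNK_CODE, HUNK_END."""
    if marker is not None:
        code += struct.pack(">I", marker)
    code += b"\x00" * (-len(code) % 4)
    n = len(code) // 4
    header = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, n)  # no libs, 1 hunk (0..0), size n
    return header + struct.pack(">II", HUNK_CODE, n) + code + struct.pack(">I", HUNK_END)
```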

Infection Technique:
Infection Trigger:Accessing files via LoadSeg()
Storage Media affected:all DOS-devices
Interrupts hooked:None
Encoding Method:
Damage:
Permanent damage: - None
Transient damage: - None
Damage Trigger:
Permanent damage: - None
Transient damage: - None
Particularities:The crypt/decrypt routines are partly aware of processor caches. The crypt routine is not polymorphic and consists only of some logical operations. The virus uses some simple retro techniques to stop virus killers searching for the Draco virus and possibly for the HochOfen (Trabbi) virus.
Similarities:The link method is comparable to the method introduced with the Infiltrator virus.


Countermeasures:All of the above
Standard means:-


Location:(C) Markus Schmall, Hannover, Germany
Classification by:Markus Schmall and Heiner Schneegold
Documentation by:Markus Schmall
Date:September 03, 1995
Information Source:Reverse engineering of original virus

(c) 1996 Virus-Test-Center, University of Hamburg