Ebola 2 Virus

Alias: BBS Traveller Virus
Strain: Ebola Strain
Detected when: 17.04.1996
Classification: Linkvirus, memory-resident, not reset-resident
Length:
 1. Length on storage medium: 1536 Bytes
 2. Length in RAM: 12000 Bytes


Operating System(s): AMIGA-DOS
Version/Release: 2.04 and above (V37+)
Computer model(s): all models/processors (MC68000-MC68060)


Easy identification: none

Type of Infection:

Self-identification method in files:
 - Searches for $ab1590ef at the end of the first hunk (this longword exists in the EBOLA-I virus)
 - Searches for $24121996 at the end of the first hunk (self-recognition)
 - Searches for $1080402 at the end of the first hunk (this is the recognition mark of the Strange Atmosphere linkvirus)
Self-identification method in memory: Searches for $3D385E29 at offset -6 from the Dos LoadSeg() function. If $1020304 is found at this position, the destruction counter is manipulated (some kind of test for the programmer of this virus?)
System infection:
 - non RAM resident, infects the following functions: Dos LoadSeg(), Dos ReadArgs(), Exec FindName(), Exec FindTask(), Exec SetFunction() and Exec AddPort()
Infection preconditions:
 - File to be infected is larger than 2600 bytes and smaller than 290000 bytes
 - Device must have more than 6000 sectors
 - First hunk contains a $4eaexxxx command in the 16-bit range to the end of the file (test for the first entry)
 - The file is not already infected (checked via the longword at the end of the hunk)
 - HUNK_HEADER and HUNK_CODE are found
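
A file check for the three marker longwords listed under "Self-identification method in files", as an added example (not part of the original entry and not taken from any virus killer). It assumes "at the end of the first hunk" means the last longword of the first HUNK_CODE block; `first_hunk_marker` and `build_sample` are hypothetical names, and the sample file is constructed.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
# Marker longwords listed in the entry above.
MARKERS = {
    0xAB1590EF: "EBOLA-I",
    0x24121996: "Ebola 2 (self-recognition)",
    0x01080402: "Strange Atmosphere",
}

def first_hunk_marker(data: bytes):
    """Return the marker name found at the end of the first code hunk, else None."""
    def long_at(off):
        if off < 0 or off + 4 > len(data):
            raise ValueError("truncated or malformed hunk file")
        return struct.unpack_from(">I", data, off)[0]

    if long_at(0) != HUNK_HEADER:
        return None                        # not an AmigaDOS load file
    off = 4
    while (n := long_at(off)) != 0:        # skip resident library names
        off += 4 + 4 * n
    off += 4                               # skip the terminating zero longword
    first, last = long_at(off + 4), long_at(off + 8)
    off += 12 + 4 * (last - first + 1)     # skip table size, range and size table
    if long_at(off) != HUNK_CODE:
        return None                        # first hunk is not code
    size = long_at(off + 4) & 0x3FFFFFFF   # length in longwords, memory flags masked
    if size == 0:
        return None
    # Assumption: the marker is the last longword of the hunk body.
    return MARKERS.get(long_at(off + 8 + 4 * (size - 1)))

def build_sample(tail: int) -> bytes:
    """Constructed input: a one-hunk load file whose code ends in `tail`."""
    code = struct.pack(">3I", 0x4E714E71, 0x4E754E71, tail)  # filler + tail longword
    header = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, len(code) // 4)
    return (header + struct.pack(">2I", HUNK_CODE, len(code) // 4)
            + code + struct.pack(">I", HUNK_END))

if __name__ == "__main__":
    for tail in (0x24121996, 0x01080402, 0x4E754E75):
        print(hex(tail), first_hunk_marker(build_sample(tail)))
```

A single matching longword is only an indicator, so a hit should be confirmed against the other details in this entry before a file is treated as infected.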

Infection Technique:
Infection Trigger: Accessing files via LoadSeg(). Files starting with "v", "V", "." or "-" will NOT be infected.
Storage Media affected: all DOS-devices
Interrupts hooked: None
Encoding Method:
Damage:
 Permanent damage:
 - Formatting the drive
 Transient damage:
 - None
Damage Trigger:
 Permanent damage:
 - Formatting the drive, when an internal counter reaches 5000.
 Transient damage:
 - None
Particularities: The crypt/decrypt routines are partly aware of processor caches. The crypt routines are non-polymorphic and consist only of some logical operations. The virus uses some simple retro techniques to stop virus killers from searching for it.
Similarities: The link method is comparable to the method introduced with the Infiltrator virus. The damage routine is taken from the Strange Atmosphere linkvirus. The virus is a typical mixture of the EBOLA and the Strange Atmosphere linkviruses. We think that all three come from the same programmer, probably in the east or north of Germany.


Countermeasures: All of the above
Standard means: -


Location: (C) Markus Schmall, Hannover, Germany
Classification by: Markus Schmall and Heiner Schneegold
Documentation by: Markus Schmall
Date: April 19, 1996
Information Source: Reverse engineering of original virus

(c) 1996 Virus-Test-Center, University of Hamburg