| Alias: | Klein Virus |
| Strain: | |
| detected when: | |
| where: | |
| Classification: | Link virus, extending, not reset-resident |
| Length: | 1052 bytes on storage medium; 1752 bytes in RAM |
| Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | OS > 1.3 |
| Computer model(s): | All Amigas without CPU cache |
| Caroname: | Infiltrator.Original |
| Attributes | |
| Easy identification: | - |
| Type of Infection: | Self-identification method on disk: checks the branch command at the start of the first code hunk of the infected file |
| | Self-identification method in memory: checks for a match word ('1992') at offset -10 from the hooked vector location |
| | Executable file infection: extends the first code hunk by 1052 bytes |
| | Memory-resident, hooking the DOS LOADSEG vector; not reset-resident |
| | Infection preconditions: disk valid; 8 spare blocks free; code hunk size <= 32752; memory for infection available; HUNK_HEADER, HUNK_CODE and HUNK_RELOC32 found; JMP or JSR is not the first command in the code hunk |
| | Original code is overwritten, but is restored and executed (the virus restores the original file, so integrity checks performed by the executable itself will probably fail) |
| Infection Technique: | |
| Infection Trigger: | Executing file |
| Storage Media affected: | All media |
| Interrupts hooked: | DOS-VEC LOADSEG |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient damage: none |
| | Permanent damage: the virus sets sysop status for a user in the USER.DATA file (the user list of a BBS system) after a special CRC check on the user name. (It may be possible to identify the virus author from this information.) |
| | Transient/permanent damage: multiple infections possible; some files won't run after infection. |
| Damage Trigger: | Executing an infected file that is loaded via LOADSEG (not NEWLOADSEG) |
| Particularities: | Virus is encrypted with a random value taken from the raster beam. |
| | Virus contains an encrypted string (not displayed): 'Howdy hacker! This is The Infiltrator! Smart' ' people with knowledge about this code can d' 'o ALOT of damage, belive me! ',0,0 |
| | Virus performs a zero-page check which will cause an Enforcer hit (if you run Enforcer). |
| | Virus is able to reset the protection flags of executables to writeable. |
| Similarities: | - |
| Agents | |
| Countermeasures: | All |
| Standard means: | VT2.58 |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | S. Freitag |
| Documentation by: | S. Freitag, Karim Senoucci |
| Date: | 14.12.1993 |
| Information Source: | Reverse analysis of virus code, Heiner Schneegold |
(c) 1996 Virus-Test-Center, University of Hamburg