| Alias: | Silesian Virus |
| Strain: | |
| detected when: | 1/1996 |
| where: | Poland |
| Classification: | Link virus, memory-resident, not reset-resident |
| Length: | 1. Length on storage medium: 1200+(0..72) Bytes 2. Length in RAM: $19000 or $d6b0 Bytes (depends on the returncode of availmem() ) |
Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | 2.04 and above (V37+) |
| Computer model(s): | all models/processors (MC68000-MC68060) The virus has proble |
| Caroname: | Invader |
Attributes | |
| Easy identification: | None |
Type of Infection: | Self-identification method in files: - None Self-identification method in memory: - Checks for a word in the Dos Open() function System infection: - RAM resident, infects the followind DOS functions - Open() - Rename() - Lock() - LoadSeg() - NewLoadSeg() - SetComment() - SetProtection() Infection preconditions: - File is executable Please note, that there is no check for a CODE hunk or such things. The virus loads the to be infected file, but forgets to do a real length check. It seems as the virus cuts file just as it wants to. Example: (Memoryalloaction is $19000) Infecttry of xyz (=$2a000 bytes) The infected file will be $19000+$4b0+0..72 bytes long and not repairable anymore. |
| Infection Technique: | |
| Infection Trigger: | Accessing the volume |
| Storage Media affected: | all DOS-devices |
| Interrupts hooked: | No interrupts used |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: - None Transient damage: - The Virus writes a file with the name "===README===" on the ramdisk. It contains some text like "Get me you lamer..." etc. |
| Damage Trigger: | Permanent damage: - Overwriting file contents in several places, especially, when the files have more hunks. Transient damage: - Infection-Counter |
| Particularities: | The memory allocation operations are not cache- proof and could cause a lot of problems. The code isn't that professional written, the patch- routines are very simply made. One important counter is behind the first hunk, which isn't that clever. The data behind the first hunk can be damaged in a serious way. |
| Similarities: | Link-method is like the one of infiltrator-virus. Some ideas behind (search for DH0 and then try to infect dh0:c/loadwb first) look like stolen from the Commander linkvirus. The change of the last command in the to be infected hunk is a little bit buggy. Under circumstances the last word in the hunk will be changed, even if there is another important information in it. The "RTS" locater doesn't look only for the last "RTS", it really looks for all "RTS" in the STEP range. |
Agents | |
| Countermeasures: | All of the above |
| Standard means: | - |
Acknowledgements | |
| Location: | (C) Markus Schmall, Hannover, Germany |
| Classification by: | Markus Schmall and Heiner Schneegold |
| Documentation by: | Markus Schmall |
| Date: | January, 16.1996 |
| Information Source: | Reverse engineering of original virus |
(c) 1996 Virus-Test-Center, University of Hamburg