| Alias: | Next Generation from Lamer-Exterminator |
| Strain: | IRQ, Lamer |
| detected when: | |
| where: | |
| Classification: | System virus (bootblock) and link virus (hunk-extending), reset-resident |
| Length: | 1. Length on storage medium: 1024 bytes (boot), 1060 bytes (link); 2. Length in RAM: 1060 bytes |
| Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | OS 1.2, 1.3, 2.04, 3.0 |
| Computer model(s): | All Amigas |
| Caroname: | IRQ.Metamorphosis |
| Attributes | |
| Easy identification: | Text in files (readable with hex dump facilities): 'METAMORPHOSIS V1.0- the next Generation from' ' LAMER-EXTERMINATOR ! ',10 (the two strings are followed by byte 10, a linefeed) |
| Type of Infection: | Self-identification on disk (link): checks files for the 'MET...' marker string. Self-identification on disk (boot): none (overwrites any bootblock). Self-identification in memory: checks whether the hooked OldOpenLibrary vector points into $7xxxx (absolute memory). Executable file infection: appends a code hunk to executables in the c: directory. Bootblock: overwritten. RAM-resident; reset-resident (CoolCapture/ColdCapture). Infection preconditions, link: OldOpenLibrary call; more than 2 files in the c: directory; file smaller than 40000 bytes; disk not write-protected. Infection preconditions, boot: read access to block 0 (DoIO); disk not write-protected. |
| Infection Technique: | |
| Infection Trigger: | Link: opening "dos.library" (via the hooked OldOpenLibrary). Boot: reading the bootblock (via the hooked DoIO). |
| Storage Media affected: | All Media |
| Interrupts hooked: | ColdCapture and CoolCapture (ExecBase reset vectors), DoIO(), OldOpenLibrary() |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: overwrites the bootblock; formats floppies (head stepping). Transient damage: flashes all disk lights after 13 infections (some kind of warning by the author?). Transient/permanent damage: may overwrite block 0 (RDB) of the hard disk, because the virus does not check which device the DoIO call is for. Because the virus does not allocate the memory areas it occupies, it may be overwritten by other programs or may itself overwrite other programs, which will probably crash the system. On link infection the virus overwrites its own body if the file is larger than 39840 and smaller than 40000 bytes, due to a calculation bug. |
| Damage Trigger: | Infection counter reaching 13 or 14 infections (the disk-light flashing occurs after 13) |
| Particularities: | The virus copies itself to the absolute address $7fa80 (link) / $7fa72 (boot). Infected files are loaded at absolute address $75e40. |
| Similarities: | Link-Infection-Routine is similar to the IRQ-Virus, Damage similar to Lamer-Viruses |
| Agents | |
| Countermeasures: | All |
| Standard means: | VT2.58 |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | S. Freitag |
| Documentation by: | S. Freitag |
| Date: | 14.12.1993 |
| Information Source: | Reverse-analysis of virus-code, Heiner Schneegold |
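As an added example (not part of this catalog entry and not Virus Test Center code), the following Python scanner applies the identification string from "Easy identification" and the file-size rules from "Type of Infection" and "Damage" to constructed sample data: a clean hunk file, the same file with a marker-carrying 1060-byte hunk appended, and a bootblock image. It assumes the two quoted text pieces are stored back to back in the virus body, followed by byte 10; the fallback prefix match, the sample layouts and the helper names are the example's own.

```python
"""Added example: static scanner for the IRQ.Metamorphosis marker text.

Illustrative code written for this catalog entry, not a VTC tool. Assumption:
the two quoted text pieces under "Easy identification" are contiguous in the
virus body and terminated by a linefeed (byte 10, as the dc.b-style listing
indicates). Size thresholds are those stated under "Type of Infection" and
"Damage".
"""
from typing import Dict

# Marker text as listed in the catalog (dc.b-style: two strings, then byte 10).
MARKER = b"METAMORPHOSIS V1.0- the next Generation from LAMER-EXTERMINATOR ! \n"
# Fallback prefix in case the pieces are not contiguous (assumption: the
# "METAMORPHOSIS V1.0" prefix is always intact).
MARKER_PREFIX = b"METAMORPHOSIS V1.0"

BOOTBLOCK_LEN = 1024               # Amiga floppy bootblock: blocks 0 and 1
HUNK_HEADER = b"\x00\x00\x03\xf3"  # Amiga executable (hunk file) magic, big-endian
LINK_BODY_LEN = 1060               # appended code hunk length, per the catalog
MAX_TARGET_SIZE = 40000            # link infection only for files < 40000 bytes
SELF_CLOBBER_MIN = 39840           # body corrupts itself for 39840 < size < 40000


def find_marker(data: bytes) -> int:
    """Return the offset of the marker string in data, or -1 if absent."""
    off = data.find(MARKER)
    if off == -1:
        off = data.find(MARKER_PREFIX)
    return off


def classify_link_target(size: int) -> str:
    """Classify a file by the size rules the catalog gives for link infection."""
    if size >= MAX_TARGET_SIZE:
        return "not a target"
    if size > SELF_CLOBBER_MIN:
        return "target, virus body corrupted on infection (crash-prone)"
    return "target"


def scan_executable(data: bytes) -> Dict[str, object]:
    """Scan an Amiga hunk file for the marker and report its status."""
    off = find_marker(data)
    return {
        "is_hunk_file": data[:4] == HUNK_HEADER,
        "size": len(data),
        "link_target": classify_link_target(len(data)),
        "marker_offset": off,
        "infected": off != -1,
    }


def scan_bootblock(image: bytes) -> Dict[str, object]:
    """Scan the first 1024 bytes of a disk image (the bootblock)."""
    bb = image[:BOOTBLOCK_LEN]
    off = find_marker(bb)
    return {
        "bootable_id": bb[:3] == b"DOS",  # a bootable block starts with "DOS"
        "marker_offset": off,
        "infected": off != -1,
    }


def make_samples() -> Dict[str, bytes]:
    """Constructed samples (no real virus code): clean file, infected file, bootblock."""
    clean = HUNK_HEADER + b"\x00" * 2000
    body = MARKER + b"\x00" * (LINK_BODY_LEN - len(MARKER))
    infected = clean + body
    # "DOS" id, flags byte, checksum placeholder, rootblock number 880, filler, marker
    boot = b"DOS\x00" + b"\x00" * 4 + b"\x00\x00\x03\x70" + b"\x00" * 100 + MARKER
    boot += b"\x00" * (BOOTBLOCK_LEN - len(boot))
    return {"clean": clean, "infected": infected, "boot": boot}


if __name__ == "__main__":
    for name, blob in make_samples().items():
        report = scan_bootblock(blob) if name == "boot" else scan_executable(blob)
        print(name, report)
```

Running the block prints one report per sample; `find_marker` is the part to reuse against real disk images or the contents of a c: directory, and `classify_link_target` flags the 39840..40000 byte window in which an infection would leave a corrupted, crash-prone virus body rather than a working one.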
(c) 1996 Virus-Test-Center, University of Hamburg