| Alias: | Jack 2 Virus |
| Strain: | Traveling Jack Virus Strain |
| detected when: | 1991 |
| where: | |
| Classification: | Link virus (extending), not resident, variable self-encryption |
| Length: | 1. Length on medium: variable, at least 2428 bytes; 2. Length in RAM: $97c = 2428 bytes |
Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | 1.2/1.3/2.04 |
| Computer model(s): | A500,A500+,A1000,A2000,A2500,A3000 |
| Caroname: | Traveling_Jack.2 |
Attributes | |
| Easy identification: | Text in a file "VIRUS.XX" (XX: two random digits derived from the CIA-A event counter) in the root directory: "The Traveling Jack....",$A,$A,$D "I'm traveling from town to town looking for respect,",$A,$D "and all the girls I could lay down make me go erect.",$A,$A,$D " -Jack, 21st of September 1990",0 ($A = LF, $D = CR). Length of the file in the root directory: 198 bytes. Sometimes generates a write-protect requester. |
| Type of Infection: | Self-identification: checks for $4cfa6400 (= movem.l d16(PC),a2/a5/a6) at the dos.library ROM-call pointer. Infection point: -$20 from the dos.library node (= pointer to the dos.library ROM calls, dosbase+$2e). File infection: extends files by at least 2368 bytes (+ a random value from the raster-beam register). Cannot handle (skips) files containing the hunk types HUNK_OVERLAY, HUNK_BREAK, HUNK_RELOC8. Infection starts only if all of the following hold: the random value (raster beam) matches the compare value (see Damage Trigger); DOS\0 disk (old file system); disk validated; path to the file shorter than 38 characters; the virus can allocate 8000+280 bytes of memory; file is executable; file is larger than 2000 bytes; last 4 characters of the filename are in a-z/A-Z; last 4 characters of the filename are not "INFO" (any case); filename longer than 4 characters; file contains none of the hunk types above; file is writable. |
| Infection Technique: | |
| Infection Trigger: | Random (raster-beam position, VPOSR/VHPOSR at $dff004) |
| Storage Media affected: | |
| Interrupts hooked: | --- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: writes a file "VIRUS.XX" into the root directory of ANY (the current) disk. Transient/permanent damage: some files may no longer run after infection (due to the hunk-check routines). |
| Damage Trigger: | Random: ($dff004.l and #$1ff) < $80 -> infection; > $b0 and < $e0 -> damage |
| Particularities: | Jack 2 = Jack 1 + code routine for the infection/damage routine + texts. The virus checks address $ffffffe8 for #$fdfe6c48 and does not install itself if this value is found. On systems with a 24-bit address bus this address aliases to the ROM address $ffffe8; on 32-bit (accelerated) Amigas it can be a RAM address. The virus is encrypted and modifies its encryption-routine code in every new generation. Some virus code stays encrypted in RAM and is only decrypted when executed. |
| Similarities: | --- |
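As an added, offline illustration (not code from this VTC entry, nor from the virus or any of the listed tools), the following Python turns the indicators above into checks: the VIRUS.XX marker-file test from "Easy identification", the split of the low 9 bits of $dff004 from "Damage Trigger", and the per-file preconditions from "Type of Infection", including a walk over the Amiga hunk blocks to spot HUNK_OVERLAY, HUNK_BREAK and HUNK_RELOC8. The hunk block ids are the standard AmigaOS ones. The marker sample is constructed from the quoted text padded with zero bytes to 198 bytes, because the page does not give the full file image (an assumption); `make_hunk_exe` builds a constructed test executable and is not part of the description.

```python
import re
import struct

# Standard AmigaOS hunk-block identifiers.
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_RELOC16, HUNK_RELOC8 = 0x3EC, 0x3ED, 0x3EE
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END = 0x3F0, 0x3F1, 0x3F2
HUNK_OVERLAY, HUNK_BREAK = 0x3F5, 0x3F6
# Hunk types the virus cannot handle and skips (per the description).
SKIPPED_HUNKS = {HUNK_OVERLAY, HUNK_BREAK, HUNK_RELOC8}

# Text the virus writes into VIRUS.XX ($A = LF, $D = CR, terminated by 0).
MARKER_TEXT = (b"The Traveling Jack....\n\n\r"
               b"I'm traveling from town to town looking for respect,\n\r"
               b"and all the girls I could lay down make me go erect.\n\n\r"
               b" -Jack, 21st of September 1990\x00")
MARKER_FILE_LEN = 198          # file length given by the description


def is_marker_file(name: str, data: bytes) -> bool:
    """VIRUS.XX marker: name pattern, 198-byte length, and the quoted text."""
    return (re.fullmatch(r"VIRUS\.\d\d", name.upper()) is not None
            and len(data) == MARKER_FILE_LEN
            and data.startswith(MARKER_TEXT[:22])
            and MARKER_TEXT[-31:] in data)


def trigger(vposr: int) -> str:
    """Classify ($dff004.l and #$1ff): < $80 infect, > $b0 and < $e0 damage."""
    v = vposr & 0x1FF
    if v < 0x80:
        return "infect"
    if 0xB0 < v < 0xE0:
        return "damage"
    return "none"


def _u32(data: bytes, pos: int) -> int:
    return struct.unpack_from(">I", data, pos)[0]


def hunk_types(data: bytes) -> set:
    """Collect the hunk block ids of an Amiga executable; stop at OVERLAY/BREAK."""
    if len(data) < 4 or _u32(data, 0) != HUNK_HEADER:
        raise ValueError("not a hunk executable")
    pos, found = 4, {HUNK_HEADER}
    while True:                              # resident-library names, 0-terminated
        n = _u32(data, pos); pos += 4
        if n == 0:
            break
        pos += n * 4
    _table_size, first, last = struct.unpack_from(">III", data, pos); pos += 12
    pos += (last - first + 1) * 4            # hunk size table
    while pos < len(data):
        t = _u32(data, pos) & 0x3FFFFFFF; pos += 4   # strip MEMF_CHIP/FAST bits
        found.add(t)
        if t in (HUNK_CODE, HUNK_DATA, HUNK_DEBUG):
            pos += 4 + _u32(data, pos) * 4   # size in longwords, then payload
        elif t == HUNK_BSS:
            pos += 4
        elif t in (HUNK_RELOC32, HUNK_RELOC16, HUNK_RELOC8):
            while True:                      # (count, hunk no, offsets)*, 0
                n = _u32(data, pos); pos += 4
                if n == 0:
                    break
                pos += 4 + n * 4
        elif t == HUNK_SYMBOL:
            while True:                      # (name length, name, value)*, 0
                n = _u32(data, pos); pos += 4
                if n == 0:
                    break
                pos += n * 4 + 4
        elif t == HUNK_END:
            pass
        elif t in (HUNK_OVERLAY, HUNK_BREAK):
            break                            # the virus gives up here as well
        else:
            raise ValueError(f"unsupported hunk type {t:#x}")
    return found


def infection_candidate(path: str, data: bytes, writable: bool = True):
    """Per-file preconditions from the description. Disk-level conditions
    (DOS\\0 disk, validated, 8000+280 bytes free, the random trigger) are
    outside this function. Returns (True, 'ok') or (False, reason)."""
    name = re.split(r"[:/]", path)[-1]
    tail = name[-4:]
    if len(path) >= 38:
        return False, "path too long"
    if len(name) <= 4:
        return False, "filename too short"
    if not re.fullmatch(r"[A-Za-z]{4}", tail):
        return False, "last 4 chars not a-z/A-Z"
    if tail.upper() == "INFO":
        return False, "icon file"
    if len(data) <= 2000:
        return False, "file too small"
    try:
        types = hunk_types(data)
    except ValueError:
        return False, "not executable"
    if types & SKIPPED_HUNKS:
        return False, "unsupported hunk type"
    if not writable:
        return False, "not writable"
    return True, "ok"


def make_hunk_exe(code_longs: int, trailer: bytes = b"") -> bytes:
    """Constructed test input: a minimal one-hunk executable (RTS filler)."""
    code = b"\x4e\x75" * (code_longs * 2)
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)     # header, no names
            + struct.pack(">I", code_longs)                     # size table
            + struct.pack(">II", HUNK_CODE, code_longs) + code
            + struct.pack(">I", HUNK_END) + trailer)
```

`hunk_types` raises on block ids it does not know rather than guessing their length, so an unusual file is reported as "not executable" instead of being mis-walked; the same caution applies when turning these checks into a scanner for real disks.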
Agents | |
| Countermeasures: | vt2.48,virusz,vc6.03,avm0.237 |
| Standard means: | vt2.48 |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | S. Freitag |
| Documentation by: | S. Freitag |
| Date: | 18-January-1993 |
| Information Source: | Reverse-Engineering of Virus Code |
(c) 1996 Virus-Test-Center, University of Hamburg