| Alias: | --- |
| Strain: | --- |
| detected when: | 1988? |
| where: | FR Germany |
| Classification: | Program Virus (Extending V.) |
| Length: | 1414 Byte |
Preconditions | |
| Operating System(s): | ATARI-TOS |
| Version/Release: | All versions |
| Computer model(s): | All types of the Atari ST Series |
| Caroname: | Zimmermann |
Attributes | |
| Easy identification: | Infected System: The virus checks if the Trap 1- vector points to a certain byte-sequence. Infected programs are recognized by enlargement of the file length and by typical virus specific code. |
Type of Infection: | Program virus: the virus code is appended at the end of the program; the loader table is adjusted. |
| Infection Technique: | |
| Infection Trigger: | Every time when a program is executed. |
| Storage Media affected: | |
| Interrupts hooked: | VBL-Interupt for time control. Trap #1 to control program start. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: the virus only infects files with extensions PRG, TTP and TOS in the current directory on drives A and B. The program's startup-time is considerably increased. |
| Damage Trigger: | --- |
| Particularities: | After installation in the system, the virus is distributed every time a program is started from disk A or B. Approximately 30 minutes after the installation, the virus generates a file, 50 bytes long, with an unusual name consisting of special characters: "@^#%& .(-: ". The file is read- only and contains the following text: ";-) As MAD Zimmermann will be watching you )-;" The characters at the ends of the line can be regarded as a happy face on the left and a sad face on the right side; probably kind of ASCII- comic with political background: F.Zimmermann is a well-known conservative politician in FRG, and a strong opponent of privacy and data protection; as former minister of Interior, he was responsible for several intelligence agencies, though not for the German military intelligence service "MAD". |
| Similarities: | --- |
Agents | |
| Countermeasures: | 4DETECT detects the Zimmermann-Virus, if you set 'System Supervision' to 'On'; 4DETECT then tells when the trap #1 vector is changed. 4DETECT also supervises suspicious write accesses to boot sectors and program files. |
| Standard means: | Write-protect the disk. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Thomas Piehl |
| Documentation by: | Thomas Piehl |
| Date: | July 30, 1989 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg