| Alias: | --- |
| Strain: | |
| detected when: | 1993 |
| where: | Publication of C-Code |
| Classification: | Program virus, COFF infector only |
| Length: | 1a. Length pure code: 158 Bytes (effective length may depend on operating system and C compiler version/optimization); 1b. Length Maincode (incl. header): 798 Bytes; 2. Length Search program "searcher": 43832 Bytes; 3. Length Infect program "infect": 51032 Bytes; 4. Length Script Infect1: 1428 Bytes; 5. Length Script Infect2: 18 Bytes |
| Preconditions | |
| Operating System(s): | UNIX |
| Version/Release: | --- |
| Computer model(s): | All, but virus code must be modified for INTEL Processors |
| Caroname: | VMagic |
| Attributes | |
| Easy identification: | --- |
| Type of Infection: | 1) Infected file = Maincode is merged into text area of host program. 2) Mechanism: Starting an infected file will call an external program "searcher" to find uninfected executable files for infection. Each such filename is passed as an argument to the external program "infect", which calls two scripts with link commands (infect1, infect2), combined as a "linker script", to merge the target file with the virus' main code. |
| Self-Identification: | The string "0x75E0" will be found in the Auxiliary File Header Version Stamp; this is the value associated with the external variable VMAGIC. |
| Infection Technique: | |
| Infection Trigger: | Execution of an infected file, when last infection is older than 24 hours. |
| Storage Media affected: | |
| Interrupts hooked: | |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | No intentional permanent/transient damage found. (Not tested for side effects) |
| Damage Trigger: | |
| Particularities: | 1) The virus runs only on one host. It does NOT distribute itself over networks. 2) Virus creates a file "searcher" in a hidden directory "/usr/.hidden". "searcher" looks for executable files to be infected and executes "infect". 3) To "install" the virus on one host, it is necessary to have virus main code, search program, infect program and linker script. The infect program can be placed anywhere. 4) Virus creates a temporary lockfile "..." in directory "/tmp". The date of last infection is stored in this file. 5) The virus as published will run on System V.2 on 68000 (Mac etc.) only; these systems have 3 segments (.text, .data, .bss). Other versions and hardware platforms need more (specialised) segments not specified in published virus. |
| Infectivity: | As this virus can infect only COFF files (files including debug information, which are mainly used for development rather than normal operation; such files are usually stripped of information), the probability of an infection during normal operation is low. |
| Similarities: | |
| Agents | |
| Countermeasures: | --- |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Andreas Mueller, Wolfram Schmidt |
| Documentation by: | Andreas Mueller, Wolfram Schmidt |
| Date: | 31-July-1993 |
| Information Source: | |
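
A detection check built on the self-identification marker described above, added here as an example (it is not part of the catalog entry or of the published virus code): it reads the COFF file header and the start of the optional header and flags files whose version stamp equals 0x75E0. It assumes the standard System V COFF layout (20-byte file header, then 16-bit magic and version stamp) in big-endian byte order as on 68000 systems; the function names and the sample header values are constructed for illustration.

```python
import struct
import sys

VMAGIC = 0x75E0   # marker value the entry reports in the version stamp
FILHDR_SIZE = 20  # f_magic, f_nscns, f_timdat, f_symptr, f_nsyms, f_opthdr, f_flags


def read_vstamp(data, byteorder=">"):
    """Return the optional-header version stamp, or None when the bytes do
    not hold a COFF file header followed by an optional header."""
    if len(data) < FILHDR_SIZE + 4:
        return None
    fields = struct.unpack_from(byteorder + "HHIIIHH", data, 0)
    f_nscns, f_opthdr = fields[1], fields[5]
    if f_nscns == 0 or f_opthdr < 4:
        return None  # no sections or no optional header: nothing to inspect
    _magic, vstamp = struct.unpack_from(byteorder + "HH", data, FILHDR_SIZE)
    return vstamp


def is_marked(data, byteorder=">"):
    """True when the version stamp carries the marker. f_magic is not
    validated, so a hit is a lead for manual inspection, not a verdict."""
    return read_vstamp(data, byteorder) == VMAGIC


def make_sample(vstamp, opthdr_size=28):
    """Constructed header bytes for testing; not taken from a real binary."""
    filhdr = struct.pack(">HHIIIHH", 0x0150, 3, 0, 0, 0, opthdr_size, 0x0003)
    aouthdr = struct.pack(">HHIIIIII", 0x0108, vstamp, 0, 0, 0, 0, 0, 0)
    return filhdr + aouthdr[:opthdr_size]


if __name__ == "__main__":
    for path in sys.argv[1:]:
        try:
            with open(path, "rb") as fh:
                head = fh.read(FILHDR_SIZE + 4)
        except OSError as exc:
            print(f"{path}: unreadable ({exc})")
            continue
        if is_marked(head):
            print(f"{path}: version stamp 0x75E0 present, inspect further")
```

Because the entry notes that stripped production binaries are not infectable, a scan of this kind is most useful on development trees that hold unstripped COFF executables.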
(c) 1996 Virus-Test-Center, University of Hamburg