Entry...............: Strange Atmosphere
Alias(es)...........: SA Virus
Virus Strain........: -
Virus detected when.: 2/1996
              where.: Germany
Classification......: Link virus, memory-resident
Length of Virus.....: 1. Length on storage medium: 1232 Bytes
                      2. Length in RAM: $2710 Bytes

--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
                      Caches may cause problems during the decoding process

--------------------- Attributes ---------------------------------------
Easy Identification.: None
Type of infection...: Linkvirus
                      Self-identification method in files:
                      - Searches for $1080402 at the end of the first code hunk
                      Self-identification method in memory:
                      - Checks for $3d385e29 at position -6 of the LoadSeg() address
                      System infection:
                      - RAM resident, infects the LoadSeg() DOS function
                      - The DoIO() exec function and Coolcapture are infected only
                        under special conditions
                      Infection preconditions:
                      - File to be infected is bigger than $a28 bytes
                      - The file is not already infected
                      - HUNK_HEADER and HUNK_CODE are found
                      - HUNK_HEADER structure is valid
                      - There must be 4 free blocks on the disk
                      - File is shorter than 290000 bytes
                      - The length of the first hunk must be exactly the same as
                        written in the hunk header structure
Infection Trigger...: Accessing the file
Storage media affected: all DOS-devices
Interrupts hooked...: None
Damage..............: Permanent damage:
                      - Files will be trashed (depends on the raster beam)
                      - Devices will be overwritten (depends on the raster beam)
                      Transient damage:
                      - System gets locked while reset and a new copperlist will be
                        shown. This copperlist then shows you the German flag.
Damage Trigger......: Permanent damage:
                      - Internal counter
                      Transient damage:
                      - Internal counter
Particularities.....: The crypt/decrypt routines are not aware of processor caches.
                      The installer code in several files works correctly with
                      higher processors. The link code checks for the correct length
                      of the first hunk to avoid problems with extraordinary packers.
Similarities........: The link method in the executable files is the simple "link
                      behind the first hunk" method without any special tricks.
Stealth.............: The virus uses normal DOS commands (no tunneling via packets),
                      and normal DOS call watchers like SnoopDos can prove the
                      infection behaviour. There are no stealth routines built in.
Armouring...........: The virus uses only one armouring technique to protect its
                      code: a normal crypt routine to hide the viral structures.
                      Heuristic checkers like the one in VirusWorkshop can find the
                      dangerous parts, and VW gives you the rating "Virus!".
Name................: In the crypted part there is the following string:
                      '-+* Strange Atmosphere [gOOd] *+-'
                      If the internal counter reaches 50, the word "gOOd" will be
                      replaced by "eVIL" and the destructive code will be activated.

--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.81, VW6.0
Countermeasures successful: All of the above
Standard means......: -

--------------------- Acknowledgement ----------------------------------
Location............: Hannover, Germany 04.03.1996.
Classification by...: Markus Schmall and Heiner Schneegold
Documentation by....: Markus Schmall
Date................: March 1996
Information Source..: Reverse engineering of original virus
Copyright...........: Markus Schmall
Special note........: Virus Test Center Hamburg and Virus Help Team DK are expressly
                      allowed to use this analysis in their own productions. All
                      other groups/institutions may please contact me first.
===================== End of Strange Atmosphere Virus ============================
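As an added illustration (not part of the original VTC record), a Python checker that applies the file-level self-identification test described above: it parses the HUNK_HEADER, confirms the first hunk is a HUNK_CODE whose length matches the header table (the same precondition the virus enforces before linking), and reports whether the last longword of that hunk is $1080402. The sample executables are constructed inside the block; reading the marker as the hunk's final longword is an assumption about what "end of the first code hunk" means.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
SA_MARKER = 0x01080402   # self-identification longword used by Strange Atmosphere

def parse_header(data):
    """Parse an AmigaDOS HUNK_HEADER; return (offset of first hunk, hunk sizes in longwords)."""
    if len(data) < 4 or struct.unpack(">I", data[:4])[0] != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER")
    pos = 4
    while True:                       # resident library name table, 0-terminated
        (n,) = struct.unpack(">I", data[pos:pos + 4]); pos += 4
        if n == 0:
            break
        pos += 4 * n
    table_size, first, last = struct.unpack(">III", data[pos:pos + 12]); pos += 12
    count = last - first + 1
    if count < 1 or count != table_size:
        raise ValueError("invalid HUNK_HEADER structure")
    raw = struct.unpack(">%dI" % count, data[pos:pos + 4 * count]); pos += 4 * count
    sizes = [s & 0x3FFFFFFF for s in raw]   # strip MEMF_CHIP/MEMF_FAST flag bits
    return pos, sizes

def sa_marker_present(data):
    """True if the last longword of the first code hunk is $1080402 (assumed marker position)."""
    pos, sizes = parse_header(data)
    if struct.unpack(">I", data[pos:pos + 4])[0] != HUNK_CODE:
        return False                  # the virus only links behind a leading HUNK_CODE
    (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
    if length == 0 or length != sizes[0]:
        return False                  # header size and hunk size must agree, as the virus requires
    code_end = pos + 8 + 4 * length
    if code_end > len(data):
        return False
    return struct.unpack(">I", data[code_end - 4:code_end])[0] == SA_MARKER

def build_hunk_file(code_words):
    """Constructed sample: a minimal single-hunk executable (not a real program)."""
    n = len(code_words)
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0) + struct.pack(">I", n)
            + struct.pack(">II", HUNK_CODE, n) + struct.pack(">%dI" % n, *code_words)
            + struct.pack(">I", HUNK_END))

if __name__ == "__main__":
    clean = build_hunk_file([0x4E714E75, 0x4E714E71])        # NOP/RTS padding, no marker
    marked = build_hunk_file([0x4E714E71, SA_MARKER])        # marker in final longword
    print("clean:", sa_marker_present(clean), "marked:", sa_marker_present(marked))
```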