home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
AmigActive 19
/
AACD19.BIN
/
AACD
/
System
/
Safe14.9
/
Analyze
/
Expl0de.analyze
Wrap
Text File
|
2001-02-03
|
4KB
|
104 lines
Entry...............: Expl0de Virus
Alias(es)...........: VaginitisClone
Virus Strain........: none
Virus detected when.: 1.2001
where.: New Zealand
Classification......: System/Linkvirus, memory-resident, not reset-resident
Length of Virus.....: 1. Length on storage medium: ca 730 Bytes
2. Length in RAM: 2048 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS Version/Release..: 2.04 and above (V37+)
Computer model(s)...: all models/processors (MC68000-MC68060)
--------------------- Attributes ---------------------------------------
Easy Identification.: none
Type of infection...: Self-identification method in files:
- none (the virus infects only C:mount)
Self-identification method in memory:
- checks for $60ea at LoadSeg patch offset -2
System infection:
- infects the following function:
Dos LoadSeg()
Infection preconditions:
- Hunk Code is found
- File is not infected already (double
infections are impossible)
- device is validated
- device contains free blocks
Infection Trigger...: Direct accessing C:mount
Storage media affected:
C:
Interrupts hooked...: None
Damage..............: Permanent damage:
- none
Transient damage:
- none
Damage Trigger......: Permanent damage:
- none
Transient damage:
- none
Particularities.....: (Installer is currently unknown.)
Installer infects only one file - C:mount,
the code of Vaginitis/Fungus virus is used
here only to implement TCP: new shell
opener to system.
The virus performs:
run >nil: newshell TCP:9876
Similarities........: Link-method is first hunk increasing.
Last RTS will be rewritten with nop.
Whole code is 95% equal to Fungus/Vaginitis
viruses.
Stealth.............: Only one file is infected.
One of the additional files is file called
c:f which is small lame coded patcher for
dos/Write prepared to prevent writing files that
contain string '.987'. This is to hide
existence of the secret shell in TCP:,
also may damage some files with this string.
Armouring...........: very simply eor crypter with static key $1337
Comments............: The virus contains string 'expl0de!'.
The virus probably appeared with some other support
stuff that will be analyzed if we get it.
Author of this virus in love with
the longword $DEADF00D.
--------------------- Agents -------------------------------------------
Countermeasures.....: -
above Standard means......: -
--------------------- Acknowledgement ----------------------------------
Location............: Pawlowice, Poland 25.1.2001
Classification by...: Zbigniew Trzcionkowski
Documentation by....: Zbigniew Trzcionkowski
Date................: 25.1.2001
Information Source..: Virus disassembly
Copyright...........: This documentation is public domain
===================== End of Expl0de virus =============================
