========================================================================
== Computer Virus Catalog ==
========================================================================
== Status: July 31, 1989 (Version 1.2) ==
== Classified: 9 MSDOS-Viruses (MSDOSVIR.789) ==
== 16 AMIGA-Viruses (AMIGAVIR.789) ==
== 5 Atari-Viruses (ATARIVIR.789: this document) ==
========================================================================
= This document contains the classifications of the following viruses: =
== ==
== 1) c't Virus ==
== 2) Emil 1A Virus = "Virus 1A" ==
== 3) Emil 2A Virus = "Virus 2A" ==
== 4) Mouse (Inverter) Virus ==
== 5) Zimmermann-Virus ==
========================================================================
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Schlueterstr. 70, D2000 Hamburg 13, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner ==
== Tel: (040) 4123-4158 (KB), -4715 (SFH), -4162(Secr.) ==
== Email (EAN/BITNET): Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de ==
========================================================================
== Critical and constructive comments as well as additions are ==
== appreciated. Especially, descriptions of recently detected viruses =
== will be of general interest. To receive the Virus Catalog Format, ==
== please contact the above address. ==
========================================================================
===== Computer Virus Catalog 1.2: c't-Virus (July 30, 1989) ============
Entry...............: c't Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: ---
where.: ---
Classification......: System (=BootSector) Virus, Reset-resident.
Length of Virus.....: 512 Byte
--------------------- Preconditions ------------------------------------
Operating System(s).: ATARI-TOS
Version/Release.....: 1.0 (06.02.86), 1.2 (TOS 1.4 not tested)
Computer model(s)...: All types of the Atari ST Series
--------------------- Attributes ---------------------------------------
Identification......: ---
Type of infection...: The virus tests two longwords near the top of the
available memory at locations (memtop)-$200 and
(memtop)-$200+$A.
The first longword is checked for $12123456, the
second one for $07A31CDF. If one of these does not
match, the virus is installed.
The virus is reset-resident.
1st: Virus is copied to a new location in memory;
2nd: Virus's age is increased by 1.
Infection Trigger...: Each time a diskette is changed, the new one
will be infected.
Storage media affected: Infects only diskettes. Damages Hard disks.
Interrupts hooked...: No interrupts used; hdv_bpb and hdv_mediach vectors
are changed for installation in the system.
Damage..............: Transient/Permanent damage:
A damage can occur only if a harddisk is connected
to the system. Because of an error in the virus,
the partition information will be destroyed, if
the virus tries to write to the harddisk.
Otherwise, the following message is displayed on
the screen after every 20th infection:
"ARRRGGGHHH Diskvirus hat wieder zugeschlagen"
Damage Trigger......: Value of infection counter: every 20th infection.
Particularities.....: ---
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: Programs that calculate the checksum and change
it, if it is $1234; the sector is then regarded as
not executable. (Category 1.3)
Countermeasures successful: ---
Standard means......: Write-protect the disk. Write a well-known program
to the boot sector; 'manually' change the checksum
to a value other than $1234.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...:
Documentation by....: Michael Gaudlitz
Translated by.......: Bert Köhler
Date................: July 30, 1989
Information Source..: c't (Computer Magazine)
===================== End of c't Virus =================================
===== Computer Virus Catalog 1.2: Emil 1A Virus (July 30, 1989) ========
Entry...............: Emil 1A Virus
Alias(es)...........: "Virus 1A"
Virus Strain........: ---
Virus detected when.: 1987?
where.: FR Germany
Classification......: System (Boot Sector) Virus
Length of Virus.....: 512 Byte
--------------------- Preconditions ------------------------------------
Operating System(s).: Atari-TOS
Version/Release.....: 1.0, 1.2 (1.4 not tested)
Computer model(s)...: All types of the Atari ST Series
--------------------- Attributes ---------------------------------------
Easy Identification.: Boot sector will not be infected, if first word
is $6038.
Type of infection...: Infects the boot sector of the disk, if it is
regarded as not infected.
Infection Trigger...: Each time a floppy disk is changed, the new
disk will be infected.
Storage media affected: Floppy disks.
Interrupts hooked...: No interrupts used; disk vector hdv_bpb changed.
Damage..............: Infects the boot sector of the disk, if it is
regarded as not infected.
If the memory-resident virus finds a fitting
key on a boot sector (first longword = $60381092),
then that sector is loaded and executed regardless
of the checksum. (Normally, the checksum
should be $1234 to indicate that this boot sector
is executable).
Damage Trigger......: Keyword ($60381092) in other Boot sectors.
Particularities.....: ---
Similarities........: See Emil 2A Virus.
--------------------- Agents -------------------------------------------
Countermeasures.....: Programs that calculate the checksum and
change it, if it is $1234; then, the sector
is regarded as not executable. The suspicious
(dangerous) second part of the virus might
not be recognized because it does not need
to have the proper checksum (see: Damage).
Countermeasures successful: ---
Standard means......: Write protect the disk.
Write a well-known program to the boot sector;
'manually' change the checksum to a value other
than $1234 .
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Piehl/ Michael Nagel
Documentation by....: Bert Köhler
Translated by.......: Bert Köhler/Paul Drake (Racal-Milgo/TEMEX)/
Date................: July 30, 1989
Information Source..: ---
===================== End of Emil 1A Virus =============================
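As an added example (not part of the catalog), the checksum countermeasure described under Agents for the c't and Emil 1A entries, together with the Emil 1A caveat, in Python over constructed 512-byte sectors. It assumes the TOS convention the catalog refers to: the 256 big-endian words of a boot sector must sum to $1234 for TOS to execute it; all sample sectors are constructed and contain no virus code.

```python
import struct

SECTOR_SIZE = 512
EXEC_CHECKSUM = 0x1234      # TOS executes a boot sector whose 256-word sum is $1234
EMIL1A_KEY = 0x60381092     # first longword the resident Emil 1A loads unconditionally


def word_checksum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words of a 512-byte sector, mod 2^16."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    return word_checksum(sector) == EXEC_CHECKSUM


def make_executable(sector: bytes) -> bytes:
    """Set the last word so the sum becomes $1234; used here only to build a sample."""
    body = bytearray(sector)
    partial = sum(struct.unpack(">255H", bytes(body[:510]))) & 0xFFFF
    struct.pack_into(">H", body, 510, (EXEC_CHECKSUM - partial) & 0xFFFF)
    return bytes(body)


def neutralize(sector: bytes) -> bytes:
    """Category 1.3 countermeasure: if the checksum is $1234, alter the last word
    so TOS no longer regards the sector as executable. Flipping bit 15 of one
    word always changes the sum by $8000, so the result can never be $1234."""
    if not is_executable(sector):
        return sector
    body = bytearray(sector)
    struct.pack_into(">H", body, 510, struct.unpack_from(">H", body, 510)[0] ^ 0x8000)
    return bytes(body)


def scan(sector: bytes) -> dict:
    """Report the catalog's indicators. The Emil 1A key matters even on a
    non-executable sector, because the resident virus ignores the checksum."""
    return {
        "executable": is_executable(sector),
        "emil1a_key": struct.unpack_from(">L", sector, 0)[0] == EMIL1A_KEY,
        # $60 is the 68000 BRA opcode, so on its own this is a weak hint only
        "starts_with_bra": sector[0] == 0x60,
    }


# Constructed sample: an executable sector carrying the Emil 1A key (no virus code).
SAMPLE_KEYED = make_executable(bytes.fromhex("60381092") + bytes(508))
CLEAN_DATA = bytes(SECTOR_SIZE)   # constructed non-bootable data sector
```

Neutralizing a keyed sector stops TOS from booting it, but scan() still reports the key, which is the point of the Emil 1A caveat: the checksum fix alone does not disarm the second part once the resident virus is in memory.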
===== Computer Virus Catalog 1.2: Emil 2A Virus (July 30, 1989) ========
Entry...............: Emil 2A Virus
Alias(es)...........: "Virus 2A"
Virus Strain........: ---
Virus detected when.: 1987?
where.: FR Germany
Classification......: System (Boot Sector) Virus
Length of Virus.....: 512 Byte
--------------------- Preconditions ------------------------------------
Operating System(s).: ATARI-TOS
Version/Release.....: 1.0, 1.2 (TOS 1.4 not tested)
Computer model(s)...: All ATARI ST Computer models
--------------------- Attributes ---------------------------------------
Easy Identification.: First byte in infected boot sector is $60.
Type of infection...: Infects the boot sector of a disk, if it is
regarded as not yet infected (value other than
$60 in first byte) and increments a variable.
Infection Trigger...: Every access to non-infected floppy disk.
Storage media affected: Floppy disks.
Interrupts hooked...: No Interrupts used;
hdv_rw vector changed to infect new disks.
Damage..............: Permanent Damage: overwrites Boot sectors.
Transient damage: After each 5th infection, the
screen is randomly shifted (upside down) or
inverted, together with a beep.
Damage Trigger......: Random.
Particularities.....: Evidently, this is a "Demo Virus"; but it may
easily be changed to a dangerous one with only
moderate programming experience.
Similarities........: See Emil 1A Virus.
--------------------- Agents -------------------------------------------
Countermeasures.....: Programs that calculate the checksum and change
it, if it is $1234; then, the sector is regarded
as not executable.
Countermeasures successful: ---
Standard means......: Write protect the disk.
Write a well-known program to the boot sector;
'manually' change the checksum to a value other
than $1234.
Reboot the system with a 'clean' disk.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Ralf Stegen
Documentation by....: Ralf Stegen
Translation by......: Bert Köhler
Date................: July 30, 1989
Information Source..: ---
===================== End of Emil 2A Virus =============================
== Computer Virus Catalog 1.2: Mouse (Inverter) Virus (July 11, 1989) ==
Entry...............: Mouse (Inverter) Virus
Alias(es)...........: Ghost Virus
Virus Strain........: ---
Virus detected when.: ---
where.: ---
Classification......: System (BootSector) Virus, Overwriting.
Length of Virus.....: 512 Byte
--------------------- Preconditions ------------------------------------
Operating System(s).: ATARI-TOS
Version/Release.....: All versions of TOS
Computer model(s)...: All types of the Atari ST Series
--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: Self-Identification: The Virus tests address $140
for the first Virus instruction; virus installs
itself reset-resident in RAM and on boot sector,
if virus code does not match.
Infection Trigger...: Each time a new diskette is inserted, the virus
will infect the new diskette.
Storage media affected: The virus infects drives A,B and Harddisk C.
Interrupts hooked...: No Interrupts used.
Resetvector for installation changed.
hdv_bpb changed to infect Bootsector of new Disk.
Damage..............: Permanent Damage: Overwriting Bootsectors.
Transient Damage: inverts the mouse's up/down moving
direction.
Damage Trigger......: Damage action after 10 infections. After every
further 5 infections, the mouse moving direction is
inverted again.
Particularities.....: ---
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: Program that checks that the hdv_bpb and reset
vectors do not point to an address below $400
(exception vectors) (Category 1.2).
Programs that calculate the checksum and change
it, if it is $1234; the sector is then regarded
as not executable. Reboot the system with a
'clean' disk! (Category 1.3).
Countermeasures successful: Poke instruction 'move.l #$D6,d3' to
address $140 (this excludes Virus' installation).
Standard means......: Write protect the disk.
Write a well-known program to the boot sector;
'manually' change the checksum to a value other
than $1234.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Piehl
Documentation by....: Thomas Piehl
Date................: July 11,1989
Information Source..: ---
===================== End of Mouse (Inverter) Virus ====================
===== Computer Virus Catalog 1.2: Zimmermann-Virus (July 30, 1989) =====
Entry...............: Zimmermann-Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: 1988?
where.: FR Germany
Classification......: Program Virus (Extending V.)
Length of Virus.....: 1414 Byte
--------------------- Preconditions ------------------------------------
Operating System(s).: ATARI-TOS
Version/Release.....: All versions
Computer model(s)...: All types of the Atari ST Series
--------------------- Attributes ---------------------------------------
Easy Identification.: Infected System: The virus checks if the Trap 1-
vector points to a certain byte-sequence. Infected
programs are recognized by enlargement of the file
length and by typical virus specific code.
Type of infection...: Program virus: the virus code is appended at the
end of the program; the loader table is adjusted.
Infection Trigger...: Every time when a program is executed.
Storage media affected: Floppy disks only.
Interrupts hooked...: VBL-Interrupt for time control.
Trap #1 to control program start.
Damage..............: Permanent Damage: the virus only infects files
with extensions PRG, TTP and TOS in the current
directory on drives A and B. The program's
startup-time is considerably increased.
Damage Trigger......: ---
Particularities.....: After installation in the system, the virus is
distributed every time a program is started from
disk A or B. Approximately 30 minutes after the
installation, the virus generates a file, 50 bytes
long, with an unusual name consisting of special
characters: "@^#%& .(-: ". The file is read-
only and contains the following text:
";-) As MAD Zimmermann will be watching you )-;"
The characters at the ends of the line can be
regarded as a happy face on the left and a sad
face on the right side; probably kind of ASCII-
comic with political background: F.Zimmermann is
a well-known conservative politician in FRG, and
a strong opponent of privacy and data protection;
as former minister of Interior, he was responsible
for several intelligence agencies, though not for
the German military intelligence service "MAD".
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: The virus can be detected in and removed from
infected files by 'Zimmermann Virusfilter
Program', written by Thomas Piehl (see below).
Countermeasures successful: 4DETECT detects the Zimmermann-Virus, if you
set 'System Supervision' to 'On'; 4DETECT then
tells when the trap #1 vector is changed.
4DETECT also supervises suspicious write accesses
to boot sectors and program files.
Standard means......: Write-protect the disk.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Thomas Piehl
Documentation by....: Thomas Piehl
Translated by.......: Bert Köhler
Date................: July 30, 1989
Information Source..: ---
===================== End of Zimmermann-Virus ==========================
========================================================================
== End of ATARIVIR.789 document ==
== (380 Lines, 1749 Words, 18k Bytes) ==
========================================================================