| Alias: | BBS Traveller Virus |
| Strain: | Ebola Strain |
| Detected when: | 17.04.1996 |
| Where: | Germany |
| Classification: | Linkvirus, memory-resident, not reset-resident |
| Length: | 1. Length on storage medium: 1536 Bytes |
| | 2. Length in RAM: 12000 Bytes |

Preconditions

| Operating System(s): | AMIGA-DOS Version/Release: 2.04 and above (V37+) |
| Version/Release: | |
| Computer model(s): | all models/processors (MC68000-MC68060) |
| Caroname: | Ebola.2 |

Attributes

| Easy identification: | none |
| Type of Infection: | Self-identification method in files: |
| | - Searches for $ab1590ef at the end of the first hunk (this longword exists in the EBOLA-I virus) |
| | - Searches for $24121996 at the end of the first hunk (self-recognition) |
| | - Searches for $1080402 at the end of the first hunk (this is the recognition of the Strange Atmosphere linkvirus) |
| | Self-identification method in memory: |
| | - Searches for $3D385E29 at offset -6 from the Dos LoadSeg() function. If $1020304 is found at this position, the destruction counter will be manipulated (some kind of test for the programmer of this virus?) |
| | System infection: |
| | - non RAM resident, infects the following functions: Dos LoadSeg(), Dos ReadArgs(), Exec FindName(), Exec FindTask(), Exec SetFunction() and Exec AddPort() |
| | Infection preconditions: |
| | - File to be infected is bigger than 2600 bytes and smaller than 290000 bytes |
| | - Device must have more than 6000 sectors |
| | - First hunk contains a $4eaexxxx command in the 16 bit range to the end of the file (test for the first entry) |
| | - the file is not already infected (the at long of the end of the hunk) |
| | - HUNK_HEADER and HUNK_CODE are found |
| Infection Technique: | |
| Infection Trigger: | Accessing files via LoadSeg(). Files starting with "v", "V", "." or "-" will NOT be infected. |
| Storage Media affected: | all DOS-devices |
| Interrupts hooked: | None |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: |
| | - Formatting the drive |
| | Transient damage: |
| | - none |
| Damage Trigger: | Permanent damage: |
| | - Formatting the drive, when an internal counter reaches 5000. |
| | Transient damage: |
| | - None |
| Particularities: | The crypt/decrypt routines are partly aware of processor caches. The crypt routines are non-polymorphic and consist only of some logical methods. The virus uses some simple retro techniques to stop virus killers searching for itself. |
| Similarities: | The link method is comparable to the method invented with the infiltrator-virus. The damage routine is taken from the Strange Atmosphere linkvirus. The virus is a typical mixture of the EBOLA and the Strange Atmosphere linkviruses. We think that all 3 come from the same programmer, probably in the east or north of Germany. |

Agents

| Countermeasures: | All of the above |
| Standard means: | - |

Acknowledgements

| Location: | (C) Markus Schmall, Hannover, Germany |
| Classification by: | Markus Schmall and Heiner Schneegold |
| Documentation by: | Markus Schmall |
| Date: | April 19, 1996 |
| Information Source: | Reverse engineering of original virus |
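
A file-side check built from the self-identification markers listed above, as an added example that is not part of the original description: it parses an AmigaDOS hunk executable and tests the last longword of the first code hunk against the three values. Reading "end of the first hunk" as the final longword of the hunk body is an assumption, and the function names and the sample file are constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_END = 0x3F3, 0x3E9, 0x3F2
# Longwords the description says the virus looks for at the end of the first hunk.
MARKERS = {
    0xAB1590EF: "EBOLA-I",
    0x24121996: "Ebola.2 (self-recognition)",
    0x01080402: "Strange Atmosphere",
}

def _long(data, off):
    """Read one big-endian longword, failing cleanly on short files."""
    if off < 0 or off + 4 > len(data):
        raise ValueError("truncated hunk file")
    return struct.unpack_from(">I", data, off)[0]

def first_code_hunk(data):
    """Return the body of the first hunk; requires HUNK_HEADER then HUNK_CODE."""
    if _long(data, 0) != HUNK_HEADER:
        raise ValueError("no HUNK_HEADER")
    off = 4
    while (n := _long(data, off)) != 0:    # skip resident library names
        off += 4 + 4 * n
    off += 4                               # terminating zero longword
    first, last = _long(data, off + 4), _long(data, off + 8)
    off += 12 + 4 * (last - first + 1)     # table size, hunk range, size table
    if _long(data, off) & 0x3FFFFFFF != HUNK_CODE:
        raise ValueError("first hunk is not HUNK_CODE")
    size = 4 * (_long(data, off + 4) & 0x3FFFFFFF)
    body = data[off + 8 : off + 8 + size]
    if len(body) != size:
        raise ValueError("truncated hunk file")
    return body

def scan(data):
    """Name of the marker in the last longword of the first hunk, or None."""
    body = first_code_hunk(data)
    if len(body) < 4:
        return None
    return MARKERS.get(struct.unpack(">I", body[-4:])[0])

def build_sample(tail):
    """Constructed one-hunk executable: NOP NOP, RTS NOP, then the longword `tail`."""
    code = bytes.fromhex("4e714e714e754e71") + struct.pack(">I", tail)
    words = len(code) // 4
    return (struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, words)
            + struct.pack(">2I", HUNK_CODE, words) + code
            + struct.pack(">I", HUNK_END))
```

A match only shows that the marker longword is present; the description gives no other file signature to confirm an infection.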