[comp.sys.amiga] Lamer Exterminator virus caught and being analyzed

erd@tut.cis.ohio-state.edu (Ethan R. Dicks) (04/03/89)

I have just received a copy of the Lamer Exterminator virus and have
disassembled it.  It looks as though it will take the better part
of my free time for the week to figure it out.  To this end, I am
asking the people out there in net.land to send in reports of the
behavior of this virus (if you have seen it) to get a picture of
what this thing is trying to do.

What I know now is:

o It is mostly encoded.
o The encoded part contains two text strings:
	"trackdisk.device"
	"Lamer Exterminator!!!"
o It calls SumKickData, AllocMem, WaitIO and Remove
o It allocates 1k of memory of type (MEMF_CHIP | MEMF_CLEAR)
o It uses the DeviceList of ExecBase and calls FindName to locate the
	trackdisk.device process
o It executes additional code to deal with having KickTagPtr,
	CoolCapture, or ColdCapture non-zero.
o It modifies the KickTagPtr

It looks like the start of a new generation of virus: it is fast RAM
compatible (unlike the ByteBandit) and it co-exists with other code
which survives re-boots (ramdrive.device, for example).

I hope to have a report of its effects and weaknesses by next week.

-ethan
-- 
Ethan R. Dicks       | ######  This signifies that the poster is a member in
Software Results Corp|   ##    good sitting of Inertia House: Bodies at rest.
940 Freeway Drive N. |   ##
Columbus OH    43229 | ######  "You get it, you're closer."
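As an added defender's example (not code from this thread, from Ethan, or from VirusX): a baseline comparison of the ExecBase reboot-survival fields the post names (ColdCapture, CoolCapture, KickTagPtr and their neighbours). It assumes a constructed struct standing in for those ExecBase fields, since the real ones come from `<exec/execbase.h>` via SysBase, and constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the reboot-survival fields of struct ExecBase
 * (the real fields live in <exec/execbase.h> and are reached via SysBase).
 * 32-bit values are used because these are Amiga APTR/ULONG fields. */
struct RebootVectors {
    uint32_t ColdCapture;   /* called on cold reset before anything else */
    uint32_t CoolCapture;   /* called once exec itself is initialised */
    uint32_t WarmCapture;   /* called after the rest of the system is up */
    uint32_t KickMemPtr;    /* MemList chain of memory to preserve */
    uint32_t KickTagPtr;    /* array of Resident pointers to run at reset */
    uint32_t KickCheckSum;  /* checksum recomputed by SumKickData() */
};

enum {
    CHG_COLD = 1 << 0, CHG_COOL = 1 << 1, CHG_WARM = 1 << 2,
    CHG_KICKMEM = 1 << 3, CHG_KICKTAG = 1 << 4, CHG_SUM = 1 << 5
};

/* Compare a baseline taken after a known-clean cold boot with the current
 * values. Returns a bitmask of the fields that differ. A baseline is used
 * instead of "non-zero means infected" because legitimate reset-surviving
 * software (ramdrive.device, for instance) also installs a KickTagPtr. */
unsigned check_reboot_vectors(const struct RebootVectors *base,
                              const struct RebootVectors *now)
{
    unsigned changed = 0;
    if (base->ColdCapture  != now->ColdCapture)  changed |= CHG_COLD;
    if (base->CoolCapture  != now->CoolCapture)  changed |= CHG_COOL;
    if (base->WarmCapture  != now->WarmCapture)  changed |= CHG_WARM;
    if (base->KickMemPtr   != now->KickMemPtr)   changed |= CHG_KICKMEM;
    if (base->KickTagPtr   != now->KickTagPtr)   changed |= CHG_KICKTAG;
    if (base->KickCheckSum != now->KickCheckSum) changed |= CHG_SUM;
    return changed;
}

/* Constructed scenario: a clean boot with ramdrive.device already resident,
 * then a later snapshot in which KickTagPtr points at a new chip-memory table. */
static const struct RebootVectors clean = {0, 0, 0, 0x07F00000u, 0x07F00100u, 0x1234u};
static const struct RebootVectors later = {0, 0, 0, 0x07F00000u, 0x00020000u, 0x5678u};

unsigned demo_report(void)
{
    unsigned c = check_reboot_vectors(&clean, &later);
    if (c & CHG_KICKTAG) puts("KickTagPtr changed since baseline: investigate");
    if (c & CHG_SUM) puts("KickCheckSum changed: kick data lists were modified");
    if (c & (CHG_COLD | CHG_COOL | CHG_WARM)) puts("capture vector changed");
    return c;
}
```

On a real machine the baseline would be written to disk right after a cold boot from a trusted floppy and the comparison run from a startup-sequence, which is the same idea the thread's virus checkers rely on.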

Doug_B_Erdely@cup.portal.com (04/04/89)

Hate to tell you this Ethan, but Steve Tibbet has already figured this virus 
out. In fact, it is one of the many viruses that Virus X3.2 checks for and
does away with.

          - Doug -

 Doug_B_Erdely@Portal.Cup.Com

cosell@bbn.com (Bernie Cosell) (04/04/89)

In article <16647@cup.portal.com> Doug_B_Erdely@cup.portal.com writes:
}Hate to tell you this Ethan, but Steve Tibbet has already figured this virus 
}out. In fact, it is one of the many viruses that Virus X3.2 checks for and
}does away with.
}

How does the numbering work here?  I'm running VirusX 3.10 and its little
window doesn't seem to list that virus [unless it has some funny name].  I
assume that 3.10 is more recent than 3.2, no?

   __
  /  )                              Bernie Cosell
 /--<  _  __  __   o _              BBN Sys & Tech, Cambridge, MA 02238
/___/_(<_/ (_/) )_(_(<_             cosell@bbn.com

erd@tut.cis.ohio-state.edu (Ethan R. Dicks) (04/04/89)

In article <16647@cup.portal.com> Doug_B_Erdely@cup.portal.com writes:
>Hate to tell you this Ethan, but Steve Tibbet has already figured this virus 
>out. In fact, it is one of the many viruses that Virus X3.2 checks for and
>does away with.
>
>          - Doug -
>
> Doug_B_Erdely@Portal.Cup.Com


OK... so where is VirusX 3.2?  Since I do NOT like feeding the phone company
(any of them) I do not dial up bulletin boards.  I get my software via ftp,
comp.amiga.binaries/sources, and from the prolific Mr. Fred Fish.  If it
has been sent to Bob Page, I will understand; he has his hands full right
now, getting settled in.  If it has not, why hasn't it?

The reason I decided to dissect the virus is because I have seen writeups
in lots of Amiga magazines regarding the SCA and Byte Bandit viruses, but
almost nothing on any others.  If anyone is tearing the others apart, they
are not doing a good job of disseminating the information gained from the
exercise.

I am not surprised that VirusX 3.2 checks for the Lamer Exterminator.  Steve
does an excellent job keeping up with the latest crud.  What I have not seen
are explanations of the symptoms and the effects of *all* the viruses.  I
write articles for the local newsletter, informing the Central Ohio Amiga
Users (through AmIcon) of the effects of viruses, so that they might identify
them earlier, if infected.  Only a handful of our group has access to
comp.sys.amiga, and some of them only have read access (due to the policies
of their employers).  One of the things I put into my articles is a list of
symptoms indicating infection by a particular virus.  Another thing I put
in the articles is the list of back-doors, such as the left mouse button for
the SCA virus, or the keypress trick for the ByteBandit.

Sorry to be long winded, but I felt the need to carve up this beastie
because I did not have access to information on this particular virus.

-ethan
-- 
Ethan R. Dicks       | ######  This signifies that the poster is a member in
Software Results Corp|   ##    good sitting of Inertia House: Bodies at rest.
940 Freeway Drive N. |   ##
Columbus OH    43229 | ######  "You get it, you're closer."

page%rishathra@Sun.COM (Bob Page) (04/05/89)

Ethan R. Dicks <erd@cis.ohio-state.edu> wrote:
>If it has been sent to Bob Page, I will understand; he has his hands full

I do not have it.

c.s.a/c.b.a postings should re-start this week, sorry about the delay.
I do not have a 'flood' of stuff to post.

..bob
Bob Page    page@sun.com    sun!page    415/336-2745

dooley@helios.toronto.edu (Kevin Dooley) (04/05/89)

In article <41582@tut.cis.ohio-state.edu> Ethan R. Dicks <erd@cis.ohio-state.edu> writes:
>Sorry to be long winded, but I felt the need to carve up this beastie
>because I did not have access to information on this particular virus.

I think that there is a definite need not only for virus smashers
but also for a wide circulation of all that is known about new virus
strains such as this one.  Note that I am not asking for a "How to
write a virus" book, I am asking for a solid case book of symptoms,
side effects, back doors and any other useful information for
potential victims.  If you have such information, Ethan, please
post it to this forum.

-- 
 Kevin Dooley         UUCP - {uunet,pyramid}!utai!helios.physics!dooley
 Physics Dept.        BITNET - dooley@utorphys
 U. of Toronto        INTERNET - dooley@helios.physics.utoronto.ca

Doug_B_Erdely@cup.portal.com (04/07/89)

No. 3.2 is *THE* newest version out! 3.1 was the previous version.

          - Doug -

 Doug_B_Erdely@Portal.Cup.Com