Name         : Polyzygotronifikator
Aliases      : No Aliases
Type/Size    : Link/1236 +/- ca. 300 bytes (? VARIES!!!!)
Clones       : No Clones
Symptoms     : No Symptoms
Discovered   : 03-08-94
Way to infect: Link infection
Rating       : Less Dangerous
Kickstarts   : 2.0 and higher
Damage       : Some files can become defective.
Removal      : Use a good virus killer.
Comments     :

Here it is...... the first REAL POLYMORPHING link virus for the AMIGA.

The Polyzygotronifikator virus is a tricky and well-coded virus. It encrypts the whole virus body; the location of the decrypt routine varies, the byte length of the virus varies, and the registers used by the decrypt routine always vary.

The virus patches the LoadSeg() vector of the dos.library so it can infect every executed file, but only if these link conditions are met:

 - The filename contains NO "." and NO "-", so NO libraries and handlers are infected.
 - Only a HD will be infected, NO disks (test for 8000 blocks).
 - 10 blocks free.
 - File executable.
 - Device validated.

The virus loads an executed file and searches from the beginning of the file for a special assembler command (FOR ASSEMBLERS: Move.l 4,a6 or Move.l 4.w,a6). This command is replaced by another assembler command which FIRST jumps to the virus and then back to the normal program (for assemblers: BSR.L). This is a new method of link infection.

The whole virus is encrypted depending on DFF006. The virus can't be linked twice to the same file because it tests for $1994 at the end of the first hunk. The memory self-check is done with the longword "1994".

It's very difficult to identify this virus. You have a little chance by checking the last word of every 1st CODE hunk for $1994.

This virus was probably done by a very professional assembler coder (?!?!).

I infected 3 copies of the SAME file (CLS) and the result was:

 Cls Normal               =  148 bytes
 Cls Infected             = 1434 bytes
 Cls again Infected       = 1430 bytes
 Cls and again infected   = 1420 bytes

As you can see the length of the virus varies every time, and the decrypt routine changes every time.
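The only detection hint the description gives is the $1994 word at the end of the first CODE hunk, which the virus leaves as its own "already infected" marker. The following Python script is an added example (it is not part of the original description and not an existing scanner): it walks the standard Amiga hunk executable format (HUNK_HEADER, then HUNK_CODE/DATA/BSS/RELOC32/END blocks), pulls out the first HUNK_CODE block and compares its last 16-bit word against $1994. The two input files are constructed inline for the test; the "suspect" one merely ends in the marker word and contains nothing from the virus. The helper names (first_code_hunk, check_marker, build_hunk_file) are this example's own.

```python
import struct

# Standard Amiga hunk block identifiers (AmigaDOS executable format).
HUNK_SYMBOL  = 0x3E8
HUNK_CODE    = 0x3E9
HUNK_DATA    = 0x3EA
HUNK_BSS     = 0x3EB
HUNK_RELOC32 = 0x3EC
HUNK_DEBUG   = 0x3F1
HUNK_END     = 0x3F2
HUNK_HEADER  = 0x3F3

SIZE_MASK = 0x3FFFFFFF        # low 30 bits of a size longword are the length in longwords
MARKER    = 0x1994            # word the text says is left at the end of the 1st CODE hunk


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]


def first_code_hunk(buf):
    """Return the raw bytes of the first HUNK_CODE block, or None if there is none."""
    if len(buf) < 4 or _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not an Amiga hunk executable")
    off = 4
    # Resident library names: (length in longwords, name)..., terminated by a 0 longword.
    while True:
        n = _u32(buf, off); off += 4
        if n == 0:
            break
        off += n * 4
    off += 4                                   # table size (number of hunks)
    first = _u32(buf, off); off += 4
    last = _u32(buf, off);  off += 4
    for _ in range(last - first + 1):          # one size longword per hunk
        size = _u32(buf, off); off += 4
        if (size >> 30) == 3:                  # top bits 11: extra memory-flag longword follows
            off += 4
    # Walk the hunk blocks until the first HUNK_CODE is found.
    while off + 4 <= len(buf):
        tag = _u32(buf, off) & SIZE_MASK; off += 4
        if tag in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            size = _u32(buf, off); off += 4
            if (size >> 30) == 3:
                off += 4
            nbytes = (size & SIZE_MASK) * 4
            if tag == HUNK_BSS:                # BSS has no payload in the file
                continue
            body = buf[off:off + nbytes]; off += nbytes
            if tag == HUNK_CODE:
                return body
        elif tag == HUNK_RELOC32:              # (count, hunk no, offsets...)..., count 0 ends it
            while True:
                count = _u32(buf, off); off += 4
                if count == 0:
                    break
                off += 4 + count * 4
        elif tag == HUNK_SYMBOL:               # (name length, name, value)..., 0 ends it
            while True:
                n = _u32(buf, off); off += 4
                if n == 0:
                    break
                off += n * 4 + 4
        elif tag == HUNK_DEBUG:
            n = _u32(buf, off); off += 4
            off += n * 4
        elif tag == HUNK_END:
            continue
        else:
            raise ValueError("unsupported hunk block 0x%X" % tag)
    return None


def check_marker(buf):
    """True if the first CODE hunk ends in the $1994 word (weak indicator, see note below)."""
    code = first_code_hunk(buf)
    if code is None or len(code) < 2:
        return False
    return struct.unpack_from(">H", code, len(code) - 2)[0] == MARKER


def build_hunk_file(code):
    """Wrap CODE in a minimal one-hunk executable. Constructed test data only."""
    assert len(code) % 4 == 0
    nlong = len(code) // 4
    return (struct.pack(">IIIII", HUNK_HEADER, 0, 1, 0, 0)   # header, no libs, 1 hunk, first=last=0
            + struct.pack(">I", nlong)                        # size of hunk 0
            + struct.pack(">II", HUNK_CODE, nlong) + code
            + struct.pack(">I", HUNK_END))


# Constructed samples: "move.l 4.w,a6 ; rts ; nop" and a stub whose last word is $1994.
CLEAN_SAMPLE   = build_hunk_file(bytes.fromhex("2C78 0004 4E75 4E71".replace(" ", "")))
SUSPECT_SAMPLE = build_hunk_file(bytes.fromhex("4E71 4E71 4E75 1994".replace(" ", "")))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(name, "marker present:", check_marker(sample))
```

As the description itself says, this gives only "a little chance": a legitimate program whose first code hunk happens to end in $1994 will be flagged, and a file that has the marker elsewhere will not be. The check is a triage filter that picks candidate files for closer inspection, not a replacement for a scanner that can follow the polymorphic decryptor, which is exactly why simple byte signatures do not work against this virus.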
An example (for assembler FREAKS). First infection:

    Movem.l d0-d7/a0-a6,-(a7)
    bra.s   _1
    * BETWEEN here 16 bytes GARBAGE
_1: lea     virus(pc),a1
    bra.s   _2
    * BETWEEN here 8 bytes GARBAGE
_2: move.l  #XXX,d0
    * BETWEEN here 20 bytes GARBAGE
    .
    .
    .

After another infection, the same area again:

    Movem.l d0-d7/a0-a6,-(a7)
    bra.s   _1
    * BETWEEN here 8 bytes GARBAGE
_1: lea     virus(pc),a5
    bra.s   _2
    * BETWEEN here 16 bytes GARBAGE
_2: move.l  #XXX,d2
    * BETWEEN here 32 bytes GARBAGE
    .
    .
    .

And so on and so on ..... As you can see, NOT only the distance between the different commands varies; the register numbers do, too.

In the decoded virus you can read:

    "Don't think about it! You're simply infected"
    "with the Polyzygotronifikator... (Polymorphing version)"

A.D 08-94