Amoeba Virus (25-July-1992)
Entry...............: (Maltese) Amoeba Virus
Standard CARO name..: Amoeba
Alias(es)...........: Family-N, Irish, Grain of Sand Virus
Virus Strain........: ---
Virus detected when.: November 1st, 1991 (upon first triggered damage)
              where.: UK
Classification......: Program (COM,EXE) infector, variable encryption,
                      memory resident
Length of Virus.....: 1) Length on media:  2 kByte
                      2) Length in memory: 2 kByte
--------------------- Preconditions ----------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.xx upward
Computer model(s)...: IBM - PCs, XT, AT, upward and compatibles
--------------------- Attributes -------------------------------------
Easy Identification.: 1) Enlarged file size: using DIR, compare actual
                         file size with original file size.
                      2) Reduction of available memory by 2 kByte,
                         using CHKDSK.
                      3) Unencrypted text (AMOEBA) in partition sector.
Type of infection...: Upon executing an infected file, the virus makes
                      itself memory resident in the highest available
                      2 kByte. Thereafter, any non-infected file that
                      is read or executed will be infected.
                      Self-identification: Virus checks (using a Set
                      Date call with an invalid date) whether it is
                      already in memory; moreover, it checks whether
                      some antivirus programs (Ross Greenberg's
                      FluShot+ or Virex-PC) or the PSQR virus are in
                      memory. If any of these are found, the virus does
                      not infect any program. There are unconfirmed
                      reports that this virus checks for and
                      deactivates the Murphy virus.
Infection Trigger...: Any DOS read or load/execute operation.
Media affected......: Any hard disk and floppy disk.
Interrupts hooked...: INT 24
Crypto method.......: Decryption uses variations of several patterns of
                      instructions, differing for COM and EXE files.
Polymorphic method..: ---
Damage..............: Permanent damage: upon trigger condition, it will
                      overwrite the low tracks of a hard disk and of
                      any diskette, accompanied by a flashing display,
                      and subsequently hang the system.
                      In the overwritten partition sector, the
                      following encrypted text (from Pickering
                      Manuscripts: Blake's Auguries of Innocence, first
                      4 lines) can be found:
                        "To see a world in grain of sand
                         And a heaven in wild flower,
                         Hold infinity in the palm of your hand
                         And eternity in a hour."
                         The Virus 16/3/91
                      When an infected system is booted, this text is
                      displayed and the system hangs. Moreover, the
                      partition sector also contains unencrypted texts:
                      "AMOEBA", and the message that University of
                      Malta "destroyed 5X2 years of human life".
                      Transient damage: ---
Damage Trigger......: November 1st and March 15th, any year.
Similarities........: En/Decryption method similar to V2PX.
Particularities.....: 1) Virus replaces the critical error handler
                         INT 24; if the virus tries to infect a
                         write-protected diskette, the prompt "Abort,
                         Retry, Fail" is suppressed.
                      2) There is speculation that the unencrypted text
                         may be related to an unhappy fate of 2
                         students of University of Malta, having left
                         after 5 years.
--------------------- Agents -----------------------------------------
Countermeasures.....: McAfee Scan, Skulason F-PROT, Solomon FINDVIRU
                      and some others
Standard means......: Boot from clean system and delete infected files.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Klaus Brunnstein
Documentation by....: Virus Bulletin (Dec.91), Stiller's Virus Report
                      (see: Virus-L Vol.5 Issue 30: Feb.14, 1992)
Date................: 15-February-1992