VMAGIC Virus (31-July-1993)

Entry...............: VMAGIC Virus
Aliases.............: ---
Virus detected when.: 1993
              where.: Publication of C-Code
Classification......: Program virus, COFF infector only
Length of Virus.....: 1a. Length pure code: 158 Bytes
                          (effective length may depend on operating
                          system and C compiler version/optimization)
                      1b. Length Maincode (incl. header): 798 Bytes
                      2.  Length Search program "searcher": 43832 Bytes
                      3.  Length Infect program "infect": 51032 Bytes
                      4.  Length Script Infect1: 1428 Bytes
                      5.  Length Script Infect2: 18 Bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: UNIX
Version/Release.....: ---
Computer model(s)...: All, but virus code must be modified for INTEL
                      processors
--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: 1) Infected file = Maincode is merged into the
                      text area of the host program.
                      2) Mechanism: Starting an infected file will call
                      an external program "searcher" to find uninfected
                      executable files for infection. Such a filename
                      is passed as an argument to the external program
                      "infect", which will call two scripts with link
                      commands (infect1, infect2), both combined as a
                      "linker script", to merge the target file with
                      the virus' main code.
Self Identification.: The value "0x75E0" will be found in the Auxiliary
                      File Header Version Stamp; this is the value
                      associated with the external variable VMAGIC.
Infection Trigger...: Execution of an infected file, when the last
                      infection is older than 24 hours.
Storage media affected: All directories with write access.
Damage..............: No intentional permanent/transient damage found.
                      (Not tested for side effects)
Particularities.....: 1) The virus runs only on one host. It does NOT
                      distribute itself over networks.
                      2) Virus creates a file "searcher" in a hidden
                      directory "/usr/.hidden". "searcher" looks for
                      executable files to be infected and executes
                      "infect".
                      3) To "install" the virus on one host, it is
                      necessary to have the virus main code, the search
                      program, the infect program and the linker script.
                      The infect program can be placed anywhere.
                      4) Virus creates a temporary lockfile "..." in
                      directory "/tmp". The date of the last infection
                      is stored in this file.
                      5) The virus as published will run on System V.2
                      on 68000 (Mac etc.) only; these systems have 3
                      segments (.text, .data, .bss). Other versions and
                      hardware platforms need more (specialised)
                      segments not specified in the published virus.
Infectivity.........: As this virus can infect only COFF files (files
                      including debug information), which are mainly
                      used for development rather than normal operation
                      (such files are usually stripped of that
                      information), the probability of an infection
                      during normal operation is low.
--------------------- Agents -------------------------------------------
Countermeasures.....: ---
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Andreas Mueller, Wolfram Schmidt
Documentation by....: Andreas Mueller, Wolfram Schmidt
Date................: 31-July-1993
Information source..: Analysis of virus code (published in C)
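The Self Identification field above gives one concrete detection handle: the version stamp in the COFF auxiliary ("a.out") header. The following checker is an added example written for this entry, not code from the Virus Test Center or from the published virus; it assumes the standard System V COFF header layouts (20-byte file header, version stamp as the second 16-bit field of the auxiliary header) and that the 68000 build is big-endian, with the byte order selectable for other targets.

```python
import struct

# COFF file header (20 bytes): f_magic f_nscns f_timdat f_symptr f_nsyms f_opthdr f_flags
FILEHDR_FMT = "HHIIIHH"
FILEHDR_LEN = 20
# Auxiliary "a.out" header (28 bytes): magic vstamp tsize dsize bsize entry text_start data_start
AOUTHDR_FMT = "HHIIIIII"
AOUTHDR_LEN = 28

VMAGIC_VSTAMP = 0x75E0   # version-stamp value the catalogue entry gives as VMAGIC's mark


def coff_vstamp(data: bytes, byteorder: str = ">"):
    """Return the auxiliary-header version stamp of a COFF image, or None when
    the image is too short or carries no auxiliary header (f_opthdr == 0)."""
    if len(data) < FILEHDR_LEN:
        return None
    fields = struct.unpack(byteorder + FILEHDR_FMT, data[:FILEHDR_LEN])
    opthdr = fields[5]
    # The stamp is the second 16-bit field, so at least 4 aux-header bytes are needed.
    if opthdr < 4 or len(data) < FILEHDR_LEN + 4:
        return None
    _magic, vstamp = struct.unpack(byteorder + "HH", data[FILEHDR_LEN:FILEHDR_LEN + 4])
    return vstamp


def looks_infected(data: bytes, byteorder: str = ">") -> bool:
    """True when the version stamp equals the VMAGIC self-identification value."""
    return coff_vstamp(data, byteorder) == VMAGIC_VSTAMP


def build_sample_coff(vstamp: int, byteorder: str = ">") -> bytes:
    """Constructed minimal header pair for testing: no sections, no code.
    0x0150 is the MC68000 COFF magic; the aux magic value is an arbitrary sample."""
    filehdr = struct.pack(byteorder + FILEHDR_FMT, 0x0150, 0, 0, 0, 0, AOUTHDR_LEN, 0)
    aouthdr = struct.pack(byteorder + AOUTHDR_FMT, 0x0107, vstamp, 0, 0, 0, 0, 0, 0)
    return filehdr + aouthdr


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            head = f.read(FILEHDR_LEN + AOUTHDR_LEN)
        stamp = coff_vstamp(head)
        print(f"{path}: vstamp={stamp if stamp is None else hex(stamp)} "
              f"vmagic_mark={looks_infected(head)}")
```

Only the header is read, so the check is cheap enough to run across a whole build tree; a matching stamp on a file that is not a VMAGIC host is possible in principle, so treat a hit as a reason to inspect the text area, not as proof on its own.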