| Alias: | Family-N, Irish, Grain of Sand Virus |
| Strain: | |
| detected when: | November 1st, 1991 (upon first triggered damage) |
| where: | UK |
| Classification: | Program (COM,EXE) infector, variable encryption, memory resi |
| Length: | 1) Length on media: 2 kByte 2) Length in memory: 2 kByte |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM - PCs, XT, AT, upward and compatibles |
| CARO name: | Maltese_Amoeba |
Attributes | |
| Easy identification: | 1) Enlarged file size: using DIR, compare actual file size with original file size. 2) Available memory reduced by 2 kByte, as reported by CHKDSK. 3) Unencrypted text (AMOEBA) in partition sector. |
| Type of Infection: | When an infected file is executed, the virus makes itself memory resident in the highest available 2 kByte. Thereafter, any non-infected file that is read or executed is infected. Self-identification: the virus checks whether it is already in memory (using a Set Date call with an invalid date); moreover, it checks whether certain antivirus programs (Ross Greenberg's FluShot+ or Virex-PC) or the PSQR virus are in memory. If any of these is found, the virus does not infect any program. There are unconfirmed reports that this virus checks for and deactivates the Murphy virus. |
| Infection Technique: | |
| Infection Trigger: | Any DOS read or load/execute operation. |
| Storage Media affected: | Any hard disk and floppy disk. |
| Interrupts hooked: | INT 24 |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | --- |
| Encoding Method: | Decryption uses variations of several patterns of instructions, differing for COM and EXE files. |
| Damage: | Permanent damage: upon trigger condition, the virus overwrites the low tracks of a hard disk and of any diskette, accompanied by a flashing display, and subsequently hangs the system. In the overwritten partition sector, the following encrypted text (from Pickering Manuscripts: Blake's Auguries of Innocence, first 4 lines) can be found: "To see a world in grain of sand And a heaven in wild flower, Hold infinity in the palm of your hand And eternity in a hour." The Virus 16/3/91 When an infected system is booted, this text is displayed and the system hangs. Moreover, the partition sector also contains unencrypted texts: "AMOEBA", and the message that University of Malta "destroyed 5X2 years of human life". Transient damage: --- |
| Damage Trigger: | November 1st and March 15th, any year. |
| Particularities: | 1) The virus replaces the critical error handler INT 24; if the virus tries to infect a write-protected diskette, the prompt "Abort, Retry, Fail" is suppressed. 2) There is speculation that the unencrypted text may be related to an unhappy fate of 2 students of University of Malta, having left after 5 years. |
| Similarities: | En/Decryption method similar to V2PX. |
Agents | |
| Countermeasures: | McAfee Scan, Skulason F-PROT, Solomon FINDVIRU and some others |
| Standard means: | Boot from clean system and delete infected files. |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Klaus Brunnstein |
| Documentation by: | Virus Bulletin (Dec.91), Stiller's Virus Report (see: Virus- |
| Date: | 15-February-1992 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg