- Name : Byte Bandit
-
- Aliases : Byte Bandit 1, Byte Bandit 2
-
- Type/Size : Boot/1024
-
- Clone : Many clones have been made; see below.
-
- Symptoms : No Symptoms
-
- Discovered : 11-12-87
-
- Way to infect: Boot infection
-
- Rating : Less Dangerous
-
- Kickstarts : 1.2/1.3
-
- Damage : Overwrites boot.
-
- Removal : Install boot.
-
- Comments : This is the main entrance to all viruses in the
- family of the "Byte Bandit".
-
- Common to all of them is an alert programmed into
- the bootblock, although it is not always shown.
- Furthermore, they have a counter embedded in the
- bootblock which interrupts system operation once it
- has been incremented a certain number of times,
- depending on how successfully other disks have been
- infected.
-
-
- The original Byte Bandit virus uses the kick-vectors
- to stay resident in memory. The virus uses the
- BeginIO() vector of trackdisk.device to infect
- other disks. Additionally, the virus patches
- Autointerrupt 5 to halt the Amiga after 7 minutes.
- Pressing the L-ALT, L-AMIGA, SPACE, R-AMIGA, R-ALT
- keys makes the virus remove this blockade. In the
- original Byte Bandit bootblock you can always read:
-
- Virus by Byte Bandit in 9.87. number of copies:
-
-
-
- Some subspecies are edited so clumsily that they will
- only crash the system and not show a funny picture or
- an animation. Generally you can keep one of the good
- copies to show your fellows, IF, and ONLY IF, you turn
- the main power off for at least one minute after your
- demonstration. Then boot with your usual SYStem
- diskette.
-
- If you have an automounting or autobooting harddisk,
- then DON'T DO THAT.
-
-
-
- Clones Byte Bandit 1, Byte Bandit 2, Byte Bandit Clone,
- ByteBanditError, ByteBanditPlus, Amiga Freak Virus,
- Forpib, Morbid Angel, No bandit anymore, Powerbomb,
- Inger IQ, Riska, Frity, Zaccess V2.0, Xeroxx, OP1,
- Charlie Brown, Hireling Protector V1.0, Rude.Xeroxx,
- SCA, SCA-2001, SCA-AIDS, SCA-Kefrens, SCA-Paratax,
- SCArface, BS1!, ASYLANT, North Star I & II, VIPHS,
- ICE SCA, Kefrens, Kefrens 2, LSD!, LamerBlame!,
- Starfire/Northstar, Art Byte Bandit, ByteBanditPlus,
- MAD, Mad I, Rude Xerox, MAD II, MAD IIa, MAD III,
- H.C.S., Noname 1, Riska, Saddam Hussein, VKill 1.0,
- ASV, Big Boss, Mexx, No head, No name 1, Revenge 1.2G,
- BlackStar, ASS-Virus, A.S.S. 1.0, Alien New Beat,
- Diskguard 1.0, Saddam Hussein Boot virus, BlowJob,
- Ripper, JOSHUA 1, Blade Runners, Wahnfried, Hauke Jean
- Marc.
-
- The following lead to the next generation of viruses
- and are therefore categorized differently:
-
- PowerTeam,
- System Z Antivirus virus up to V6.5, TELSTAR, OPAPA,
- Sendarian, Revenge, Revenge Boot Loader.
-
- These have the graphics routine replaced with other
- routines, so look especially at their entries.
-
-
-
- Size The Byte Bandit is, like most boot viruses, 1024 bytes
- (two blocks, 0 and 1).
-
- Virus killer programmers are often forced to
- distinguish between every byte, and therefore they
- often point out very small differences within a
- range of e.g. 180 bytes.
-
- This is not a problem that concerns users, us for
- instance, so we will skate lightly over that.
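
Added example (not part of the original entry): a Python check of the 1024-byte boot block of a raw disk image, reporting whether the block is bootable and whether it contains the text the entry says is readable in the original Byte Bandit bootblock. The "DOS" signature and checksum rule are standard Amiga boot block facts not stated in the entry; the function names, the sample block and the assumption that the text is stored as plain ASCII belong to this example.

```python
import struct

BOOT_SIZE = 1024  # two 512-byte blocks (0 and 1), as the entry states
# Text the entry says is readable in the original boot block.
# Assumption: stored as contiguous plain ASCII.
MARKER = b"Virus by Byte Bandit"

def ones_sum(boot):
    """Add the big-endian longwords with end-around carry."""
    total = 0
    for (word,) in struct.iter_unpack(">I", bytes(boot)):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def printable_strings(boot, min_len=6):
    """Runs of printable ASCII, like the Unix `strings` tool."""
    runs, cur = [], bytearray()
    for b in bytes(boot) + b"\x00":      # sentinel flushes the last run
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur.clear()
    return runs

def inspect_boot_block(image):
    boot = image[:BOOT_SIZE]
    if len(boot) < BOOT_SIZE:
        raise ValueError("image is shorter than a boot block")
    return {
        # Only a block with the DOS signature and a valid checksum is executed.
        "bootable": boot[:3] == b"DOS" and ones_sum(boot) == 0xFFFFFFFF,
        "marker_found": MARKER.lower() in boot.lower(),
        "strings": printable_strings(boot),
    }

def make_sample(text):
    """Constructed boot block: no code, only `text`, with a valid checksum."""
    boot = bytearray(BOOT_SIZE)
    boot[0:4] = b"DOS\x00"
    boot[64:64 + len(text)] = text
    boot[4:8] = struct.pack(">I", 0xFFFFFFFF - ones_sum(boot))
    return bytes(boot)

if __name__ == "__main__":
    sample = make_sample(b"Virus by Byte Bandit in 9.87. number of copies:")
    print(inspect_boot_block(sample + bytes(512)))
```

The string dump is the part that generalizes: clones with edited texts will miss the marker but still show their own text in `strings`, unless the text is encoded.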
-
-
- Symptoms May allocate a senseless amount of memory so that
- larger programs will not run. Some copies generate
- sound on the speakers and turn the screen blue, red
- or yellow on a warm reboot.
- Some versions, in another way, prevent diskettes
- infected with any of the known viruses (Oct. 91) from
- booting until a cold reboot.
-
-
-
- Kickstarts Detected up to the last versions of 1.3. PowerTeam
- can infect System 2.x too. This means that it does not
- depend on cooperating with trackdisk.device and can
- therefore possibly infect autobooting harddisks.
- (In contrast, you have to set apart some of the last
- versions, which must be categorized in other families:
- so-called boot loaders.)
-
-
-
- Damage May damage open files when a reboot is required; some
- late versions can possibly damage disks (refer to the
- OPAPA virus, e.g.).
-
-
-
- Manifestation Pops up a blank screen, possibly with some varying
- text (hence all the names).
-
- Some versions open a window for requests as their
- initial manifestation.
-
- Typically it has a counter in the bootblock which
- establishes a delay before activation of the graphic
- routine that generates the disparate colours.
-
- (Maybe more generally: programming the custom chips,
- sometimes in a sloppy way, e.g. after 2 resets, or 6
- disk changes, or once 250000 microticks have been
- reached, approximately seven minutes.)
-
- The OPAPA variant makes the drive motor step and can
- in this way damage the disk by scratching its
- surface.
- In this version a text is shown:
-
- I'M THE OPAPA-VIRUS!
-
- READY
- STEADY
- FORMAT!
-
- Though it doesn't format at all, it is scary, and the
- disk can be scratched and in this way become
- unusable.
-
- The last versions of SystemZ and Telstar, together
- with Revenge Bootloader and Sendarian, point towards
- a future of more dangerous and sophisticated
- viruses.
- E.g. the Telstar virus writes:
-
- " Warning: Disk contains a Virus! "
- "Use install or another program to remove "
- "the virus "
-
- And remember: the virus stays resident!
-
-
-
- Removal Reinstall the diskette. Turn off the power to the
- machine for at least 60 seconds. Check ALL your
- diskettes with the antivirus programs on your SHI
- disk.
- If it is a game, delete the entire diskette or throw
- it away.
-
-
-
- Comments Undoubtedly the most common virus of all. One of the
- newer tricks: for example, "Antivirus virus" up to
- V5.3 pops up a requester with the text:
-
- "Kill VIRUS" "OK" "CANCEL".
-
- A positive answer will then install the virus
- bootblock on the unprotected diskettes in the drives.
- Another common requester displays:
-
- Disk in drive nn... is writeprotected.
-
-
- The expectation is that you will then remove the
- write protection of the disk so that the resident
- virus can install itself on it.
-
- A very annoying fact is that some of the first
- discovered copies of the virus showed a penis on
- the "Empty Screen".
- That induced somebody to make fun of it, so it became
- more widespread.
-
- Along the way a series of developments occurred. One
- of the most sophisticated of the viruses in this
- family is "Revenge Bootloader!", which leads to the
- next generation of bootblock viruses.
-
- Some of the newer developments, such as Lamer
- Exterminator and Rene, will not show the empty screen,
- but instead write to disks, or try to install
- themselves on harddisks, or install linkviruses on
- the harddisk.
- Beware of them, if you should unfortunately run into
- them.
- THAT CAN BE DANGEROUS and damage great parts of your
- work.
-
- Furthermore, some of the mutations hide underlying
- linkviruses such as the Saddam Disk-Validator.
- Sometimes VirusKillers will tell you that you only
- have e.g. Australian Parasite, even though you have
- the SADDAM Disk-Validator too.
- From the generation of the VirusZ-mutations on, the
- boot viruses have grown into a new generation, and you
- have to distinguish radically between those viruses
- that make some noise on your speakers and those that
- are never seen before the damage is done. Though the
- travelling penis is rather old, the technique with a
- sprite isn't forgotten. In fact, a strange pointer
- possibly indicates that your work over a long time is
- lost.
-
-
- TBH 04-94
-
-
-