Source: Amiga Plus CD - 1995 - No. 3 and 4 / pd / anti-virus / vib /
virus / b / bytebandit (text file, 1995-07-20, 11KB, 239 lines)
Name : Byte Bandit
Aliases : Byte Bandit 1, Byte Bandit 2
Type/Size : Boot/1024
Clone : A lot of clones have been made, see below!
Symptoms : No Symptoms
Discovered : 11-12-87
Way to infect: Boot infection
Rating : Less Dangerous
Kickstarts : 1.2/1.3
Damage : Overwrites boot.
Removal : Install boot.
Comments : This is the main entrance to all viruses in the
family of the "Byte Bandit".
The generic behaviour of all of them is that they have
an alert programmed in the bootblock, but it is not
always shown. Furthermore they have a counter embedded
in the bootblock which will interrupt the system when
this counter has been increased to a certain count,
depending on how many other disks were successfully
infected.
The original Byte Bandit virus uses the kick-vectors
to stay resident in memory. The virus uses the
BeginIO()-vector of trackdisk.device to infect other
disks. Additionally the virus patches autointerrupt 5
to stop the Amiga after 7 minutes. By pressing the
L-ALT, L-AMIGA, SPACE, R-AMIGA and R-ALT keys the virus
will deinstall this blockade. In the original Byte
Bandit bootblock you can always read:
Clones : Byte Bandit 1, Byte Bandit 2, Byte Bandit Clone,
ByteBanditError, ByteBanditPlus, Amiga Freak Virus,
Forpib, Morbid Angel, No bandit anymore, Powerbomb,
Inger IQ, Riska, Frity, Zaccess V2.0, Xeroxx, OP1,
Charlie Brown, Hireling Protector V1.0, Rude.Xeroxx,
SCA, SCA-2001, SCA-AIDS, SCA-Kefrens, SCA-Paratax,
SCArface, BS1!, ASYLANT, North Star I & II, VIPHS,
ICE SCA, Kefrens, Kefrens 2, LSD!, LamerBlame!,
Starfire/Northstar, Art Byte Bandit, ByteBanditPlus,
MAD, Mad I, Rude Xerox, MAD II, MAD IIa, MAD III,
H.C.S., Noname 1, Riska, Saddam Hussein, VKill 1.0,
ASV, Big Boss, Mexx, No head, No name 1, Revenge 1.2G,
BlackStar, ASS-Virus, A.S.S. 1.0, Alien New Beat,
Diskguard 1.0, Saddam Hussein Boot virus, BlowJob,
Ripper, JOSHUA 1, Blade Runners, Wahnfried, Hauke Jean
Marc.
The following lead to the next generation of viruses
and are therefore categorised differently:
PowerTeam, System Z Antivirus virus up to V6.5,
TELSTAR, OPAPA, Sendarian, Revenge, Revenge Boot Loader.
These have the graphics routine replaced with other
routines, so look especially at their entry points.
Size : The Byte Bandit is, like most boot viruses, 1024 bytes
(two blocks, 0 and 1).
Virus killer programmers are often forced to
distinguish between every byte and therefore often
point out very small differences within a range of
e.g. 180 bytes.
This is not a problem for users, us for instance, so
we will skate lightly over that.
Symptoms : Conceivably allocates a senseless amount of memory
so that larger programs will not run. Some copies
generate some sound on the speakers and turn the
screen blue, red or yellow on a warm reboot.
Some versions prevent, in another way, diskettes
infected with any known virus (Oct. 91) from being
bootable until a cold reboot.
Kickstarts : Detected up to the last versions of 1.3. PowerTeam
can infect System 2.x too. This means that it does not
depend on cooperating with trackdisk.device and
therefore can possibly infect autobooting harddisks.
(In contrast, you have to distinguish some of the last
versions, which you must categorise in other families:
so-called boot loaders.)
Damage : Can conceivably damage open files when a reboot is
required; some late versions can possibly damage disks
(refer to the OPAPA virus, e.g.).
Manifestation : Pops up a blank screen, possibly with some varying
text (hence all the names).
Some versions open a window with requests as their
initial manifestation.
Typically it has a counter in the boot-block which
establishes a delay before activation of the graphics
routine generating the disparate colours.
(Maybe more generally: programming the custom chips,
sometimes in a sloppy way, e.g. after 2 resets or 6
disk changes or when a count of 250000 microticks is
reached, approximately seven minutes.)
The OPAPA variant makes the drive motor step and can
in this way damage the disk by scratching its
surface.
In this version the following text will be shown:
I'M THE OPAPA-VIRUS!
READY
STEADY
FORMAT!
Though it doesn't format at all, it is scary, and the
disk can be scratched and made unusable in this way.
The last versions of SystemZ and Telstar, together
with Revenge Bootloader and Sendarian, point to a
future with more dangerous and sophisticated viruses.
E.g. the Telstar virus writes:
" Warning: Disk contains a Virus! "
"Use install or another program to remove "
"the virus "
And remember: the virus lies resident!
Removal : Reinstall the diskette. Turn off the power to the
machine for at least 60 seconds. Check ALL your
diskettes with the antivirus programs on your SHI
disk.
If it is a game, delete the entire diskette or throw
it away.
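The Size section above says the whole virus is the 1024-byte boot block (blocks 0 and 1), and the Removal section says to check every diskette. The scanner below is an added example written for this page; it is not a tool from the VIB text, from SHI, or from any Amiga virus killer. It reads the boot block from a disk image, verifies the AmigaDOS checksum, extracts the printable text, and matches the strings this page quotes (the Byte Bandit bootblock text, the OPAPA message, the Telstar warning, the fake "Kill VIRUS" requester). The boot-block layout ('DOS' + flags, checksum, root block, code) and the end-around-carry checksum are standard AmigaDOS facts not stated on the page; the sample images are constructed and hold only a placeholder instruction plus the quoted text, no virus code.

```python
"""Amiga boot-block scanner (added example, not code from the VIB text).

Assumptions not stated on the page: an ADF image starts with the 1024-byte
boot block; its layout is 'DOS' + flags byte, 32-bit checksum, 32-bit
root-block number, then boot code; the checksum is the end-around-carry sum
of all 256 longwords (checksum field counted as zero), inverted.
"""
import re
import struct

BOOTBLOCK_SIZE = 1024          # two 512-byte blocks, as the text says
ROOTBLOCK_DD = 880             # root block of a standard double-density disk

# Text the page quotes from boot blocks of this family, used as signatures.
SIGNATURES = {
    b"Virus by Byte Bandit": "Byte Bandit (original)",
    b"I'M THE OPAPA-VIRUS!": "OPAPA",
    b"Warning: Disk contains a Virus!": "Telstar (fake warning)",
    b"Kill VIRUS": "System Z Antivirus virus (fake requester)",
}


def bootblock_checksum(block: bytes) -> int:
    """Compute the AmigaDOS boot-block checksum with the stored field zeroed."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    data = bytearray(block)
    data[4:8] = b"\0\0\0\0"
    total = 0
    for (word,) in struct.iter_unpack(">I", data):
        total += word
        if total > 0xFFFFFFFF:             # end-around carry, as the ROM does
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def build_bootblock(code: bytes, rootblock: int = ROOTBLOCK_DD) -> bytes:
    """Wrap boot code in a 'DOS\\0' boot block with a valid checksum.

    This is what the Install command does with clean boot code; a virus must
    do the same, because Kickstart only runs boot code whose checksum is valid.
    """
    if len(code) > BOOTBLOCK_SIZE - 12:
        raise ValueError("boot code does not fit in a boot block")
    body = bytearray(BOOTBLOCK_SIZE)
    body[0:4] = b"DOS\0"
    body[8:12] = struct.pack(">I", rootblock)
    body[12:12 + len(code)] = code
    body[4:8] = struct.pack(">I", bootblock_checksum(bytes(body)))
    return bytes(body)


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Extract runs of printable ASCII; the varying text is what names clones."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def scan_bootblock(block: bytes) -> dict:
    """Parse one boot block and report checksum state, code size, strings and
    any of the known text signatures."""
    block = block[:BOOTBLOCK_SIZE]
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("need at least 1024 bytes of image")
    stored = struct.unpack(">I", block[4:8])[0]
    code = block[12:]
    return {
        "is_dos": block[:3] == b"DOS",
        "flags": block[3],
        "rootblock": struct.unpack(">I", block[8:12])[0],
        "checksum_ok": stored == bootblock_checksum(block),
        "code_bytes": len(code.rstrip(b"\0")),   # code before zero padding
        "strings": printable_strings(code),
        "signatures": [name for sig, name in SIGNATURES.items() if sig in block],
    }


def scan_images(images: dict) -> dict:
    """Scan a set of disk images (name -> bytes): the 'check ALL your
    diskettes' step from the Removal section."""
    return {name: scan_bootblock(data) for name, data in images.items()}


# Constructed samples: a placeholder boot code (moveq #0,d0 ; rts) and, for
# the 'infected' image, only the text the page quotes. No real virus code.
CLEAN_CODE = b"\x70\x00\x4e\x75"
INFECTED_CODE = (CLEAN_CODE + b"\0" * 100
                 + b"Virus by Byte Bandit in 9.87. number of copies: "
                 + b"\0" * 700)
_damaged = bytearray(build_bootblock(INFECTED_CODE))
_damaged[200] ^= 0xFF                  # one flipped byte: checksum no longer matches
SAMPLES = {
    "clean.adf": build_bootblock(CLEAN_CODE),
    "bytebandit.adf": build_bootblock(INFECTED_CODE),
    "damaged.adf": bytes(_damaged),
}

if __name__ == "__main__":
    for name, report in scan_images(SAMPLES).items():
        print(name, report["checksum_ok"], report["code_bytes"], report["signatures"])
```

A valid checksum with no recognised string is not proof of a clean disk: as the Size section notes, clones differ by a handful of bytes, and the variants whose graphics routine was replaced carry different or no text, so a byte-level comparison against a known clean boot block is the stronger check. An invalid checksum, on the other hand, means a block Kickstart will not boot from, not a clean one.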
Comments : Undoubtedly the most common virus of all. One of the
newer tricks is, for example, that the "Antivirus
virus" up to V5.3 pops up a requester with the text:
"Kill VIRUS" "OK" "CANCEL".
A positive answer will then install the virus
BootBlock on the unprotected diskettes in the drives.
Another common request is to display:
Disk in drive nn... is writeprotected.
The expectation is that you will then remove the
write protection from the disk so that it can be
installed by the resident virus.
A very annoying fact is that some of the first
discovered copies of the virus showed a penis on
the "Empty Screen".
That induced somebody to make fun of it, so it became
more widely spread.
Along the way a series of developments occurs. One of
the most sophisticated viruses in this family is
"Revenge Bootloader!", which leads to the next
generation of bootblock viruses.
Some of the newer developments, such as Lamer
Exterminator and Rene, will not show the empty screen,
but write to disks instead, or intend to install
themselves on harddisks or install linkviruses on
the harddisk.
Beware of them, if you unfortunately should run into
them.
THAT CAN BE DANGEROUS and can cost you great parts of
your work.
Furthermore some of the mutations hide underlying
linkviruses such as the Saddam Disk-Validator.
Sometimes virus killers will advise you that you only
have e.g. Australian Parasite, even though you have
the SADDAM Disk-Validator, too.
From the generation of the VirusZ mutations, the boot
viruses have grown into a new generation and you have
to distinguish radically between those viruses making
some noise on your speakers and these ones, never seen
before the damage. Though the travelling penis is
rather old, the technique with a sprite isn't
forgotten. In fact a strange pointer possibly
indicates that your work over a long time is lost.
TBH 04-94