Source: Amiga Plus 1995 #3 & #4 (CD-ROM), text file dated 1995-07-20
Name : CopyLock
Aliases : No Aliases
Type/Size : Boot/2048
Clones : No Clones
Symptoms : No Symptoms
Discovered : -
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2/1.3/2.0
Damage : Overwrites boot + block 2 & 3.
Removal : Install boot.
Comments : If you boot from a CopyLock-infected disk, the
virus copies itself to address $7F400 and changes the
CoolCapture vector to stay resident. On the next reset
the virus patches the DoIO() vector to infect other
disks.
Now imagine you insert a disk that is not write-protected,
with e.g. the X-Copy boot block. The virus then does the
following:
1) Checks for write protection.
2) If not protected: loads the boot block from the current
disk (X-Copy boot) to address $7F800.
3) Saves 44 bytes of the original boot block inside its own
virus code and inserts a virus-loader routine in their
place.
4) Then the virus encrypts itself with $DFF006 and
saves 2048 (!) bytes (original + virus!).
Blocks 2 and 3 are now DAMAGED !! NO salvage possible.
If you now boot from the infected disk, the
virus-loader routine copies the virus from blocks
2 and 3 to $7F400 and jumps to $7F400. Then the virus
copies the modified original boot block to address
$7F000, reinserts the original code of the boot block and
executes it.
The whole virus boot block is encrypted (see point 4). In the
decrypted virus you can read at the top of the boot
block:
"Copylock Amiga (c) Rob Northern. All rights "
"reserved."
At the end of the boot block you can read:
"* YEP ROB NORTHERN ON THE BOARD ! MY COPYLOCKS"
"ARE FUCK. THE CRACKERS ARE BETTER THAN ME."
"THAT`S WHY I`M WRITING VIRUSES !!! (IN THE HOPE"
"THAT THEY ARE BETTER AS MY COPYLOCKS!) *"
A.D 04-94
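
A triage check for the resident state described above, as an added example that is not part of the original text file: it reads ExecBase from a RAM dump starting at address 0 and reports a CoolCapture or DoIO() target inside $7F000-$7FFFF. The function names, the window bounds and the sample dumps are assumptions constructed for illustration; the ExecBase offsets and the DoIO() slot are the standard exec.library values.

```python
import struct

# Region the description names for the resident virus ($7F400) and its
# work buffers ($7F000, $7F800); the exact window bounds are an assumption.
SUSPECT = range(0x7F000, 0x80000)

ABS_EXECBASE = 4       # long at address 4 holds the ExecBase pointer
OFF_CHKBASE = 38       # ExecBase.ChkBase, bitwise complement of ExecBase
OFF_COOLCAPTURE = 46   # ExecBase.CoolCapture, called during reset
LVO_DOIO = -456        # exec.library DoIO() jump-table slot
JMP_ABS_L = 0x4EF9     # 68000 "JMP abs.l", the opcode in each slot

def u32(mem, addr):
    return struct.unpack_from(">I", mem, addr)[0]

def triage_dump(mem):
    """Inspect a RAM dump that starts at address 0; return a findings dict."""
    if len(mem) < 8:
        return {"error": "dump too short"}
    base = u32(mem, ABS_EXECBASE)
    if base % 2 or base + LVO_DOIO < 0 or base + OFF_COOLCAPTURE + 4 > len(mem):
        return {"error": "ExecBase not inside this dump"}
    if (base + u32(mem, base + OFF_CHKBASE)) & 0xFFFFFFFF != 0xFFFFFFFF:
        return {"error": "ExecBase/ChkBase mismatch"}
    cool = u32(mem, base + OFF_COOLCAPTURE)
    slot = base + LVO_DOIO
    opcode = struct.unpack_from(">H", mem, slot)[0]
    doio = u32(mem, slot + 2) if opcode == JMP_ABS_L else None
    flags = []
    if cool in SUSPECT:
        flags.append("CoolCapture")
    if doio is not None and doio in SUSPECT:
        flags.append("DoIO")
    return {"execbase": base, "coolcapture": cool, "doio": doio, "flags": flags}

def make_dump(cool, doio_target, base=0x676):
    """Build a constructed 512 KiB dump; all values here are sample data."""
    mem = bytearray(512 * 1024)
    struct.pack_into(">I", mem, ABS_EXECBASE, base)
    struct.pack_into(">I", mem, base + OFF_CHKBASE, ~base & 0xFFFFFFFF)
    struct.pack_into(">I", mem, base + OFF_COOLCAPTURE, cool)
    struct.pack_into(">HI", mem, base + LVO_DOIO, JMP_ABS_L, doio_target)
    return bytes(mem)

if __name__ == "__main__":
    print(triage_dump(make_dump(0x7F4A0, 0x7F5C2)))   # constructed resident state
    print(triage_dump(make_dump(0, 0xFC06DC)))        # constructed clean state
```

A dump taken from a machine whose ExecBase lives outside the dumped range returns an error rather than a verdict, so an empty flag list is only meaningful when `execbase` is reported.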