home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Amiga Plus 1995 #3 & #4
/
Amiga Plus CD - 1995 - No. 3 and 4.iso
/
pd
/
anti-virus
/
vib
/
virus
/
g
/
glasnost
< prev
next >
Wrap
Text File
|
1995-07-20
|
3KB
|
79 lines
Name : Glasnost
Aliases : No Aliases
Type/Size : Boot/2048
Clones : No Clones
Symptoms : No Symptoms
Discovered : 23-06-92
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2/1.3/2.0
Damage : Overwrites boot + block 2 & 3.
Removal : Install boot.
Comments : If you are booting with a Glasnost-infected disk the
virus copies itself to $7F000 and changes the KICK-
Vectors to stay resident. On the next reset the virus
patches the DoIO()-Vector to infect other disks.
Now imagine you are inserting an unprotected disk with
e.g. the X-Copy Bootblock. Now, the virus does the
following:
1) Check for Write-Protection
2) Not protected: loads the bootblock form the current
disk (X-Copy-Boot).
3) Saves 44 bytes from the original-bb in the own
viruscode and insert in this place a virus-loader
routine.
4) The virus saves 2048 bytes. (Virus+OrgBB)
Block 2,3 are now DAMAGED !! NO salvage possible. If
you are now booting with the infected disk the virus-
loader routine copies the virus from the block 2,3 in
$7F000 and jumpes at $7F000. Then the virus inserts
the original code of the BB and executes it.
Additionally the virus installs a new patch in the
ZERO-PAGE ($6C) and will damages a block on every
infection:
First, the virus caclulates a block with the $DFF006
register. In this block the virus inserts the
following longwords from $100:
$11111111; $22222222; $44444444; $88888888
The ZERO-PAGE (see above) routine does the following:
1) Checks if a value reaches 45000 if this was true
the virus blockades the system.
2) If the value becomes 60000 the virus shows some
colors on the screen and make an endless loop. (You
need a reset to escape from this routine!!)
In block 3 you can read:
"Glasnost VIRUS by Gorba!! First release"
A.D 05-94
