Amiga Plus CD - 1995 - No. 3 and 4.iso / pd / anti-virus / vib / virus / o / overkill
Text File | 1995-07-20 | 3KB | 68 lines
Name : Overkill
Aliases : No Aliases
Type/Size : Boot/2048
Clones : No Clones
Symptoms : No Symptoms
Discovered : 23-10-92
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2/1.3/2.0
Damage : Overwrites boot, block 2,3, DAMAGES blocks on disk
Removal : Install boot.
Comments : The Overkill virus works like the Digital Dream
           virus. It saves the virus and the original boot by
           writing 2048 bytes (blocks 0, 1, 2 and 3). Unfortunately
           blocks 2 and 3 will be DAMAGED (no cure, sorry). So the
           virus always executes the original boot, too, even
           if the disk is infected. If you are booting with an
           infected disk the virus does the following:
           1) Copies a part of the virus to $7F700 and the
              encrypted virus bootblock to $7FB00.
           2) After that the virus loads the original bootblock
              (which is unencrypted) and executes it.
           3) After execution the virus changes the Kick and the
              CoolCapture vectors to stay resident in memory.
           4) Furthermore, these vectors are patched, too:
              DoIO(), KickChkSum().
              The KickChkSum patch always resets the CoolCapture
              vector to the virus value.
              The DoIO() vector is used to infect other disks.
           NOW, imagine you are inserting an unprotected, clean
           disk:
           1) The virus FIRST executes a damage routine:
              - with the help of the $DFF006 register (the beam
                position register VHPOSR) a block number is
                calculated.
              - the virus damages this block by writing 2048
                bytes from $7F700 (!!!!!!)
              - That means the calculated block AND THE BLOCK
                BEHIND IT WILL BE DAMAGED --> no salvage possible.
              - In such damaged blocks you can read:
                "Overkill by the ENEMY!"
           2) After that the virus loads the bootblock
              (original BB) from the disk to address $7F000. Now
              the virus checks if the disk is already infected.
           3) Now the virus writes 2048 bytes (virus+org. BB)
A.D 08-94
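Added example, not part of the VIB record above: a Python triage script for an ADF floppy image that verifies the Amiga bootblock checksum and lists the blocks carrying the damage marker the record quotes. It assumes the standard DD ADF layout (1760 blocks of 512 bytes); the sample image, and the placement of the marker inside the 2048-byte damage write, are constructed assumptions, since the record does not give the real byte pattern.

```python
import struct

BLOCK = 512                          # Amiga floppy block size
ADF_BLOCKS = 1760                    # DD disk: 80 cyl x 2 heads x 11 sectors
MARKER = b"Overkill by the ENEMY!"   # text the record says appears in damaged blocks


def bootblock_checksum(boot: bytes) -> int:
    """Sum the 256 big-endian longwords of blocks 0-1 with end-around carry.
    A valid Amiga bootblock sums to 0xFFFFFFFF including its checksum field."""
    total = 0
    for (word,) in struct.iter_unpack(">I", boot[:1024]):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def bootblock_is_valid(boot: bytes) -> bool:
    return boot[:3] == b"DOS" and bootblock_checksum(boot) == 0xFFFFFFFF


def marker_blocks(image: bytes) -> list:
    """Numbers of the 512-byte blocks that contain the damage marker."""
    n = len(image) // BLOCK
    return [i for i in range(n) if MARKER in image[i * BLOCK:(i + 1) * BLOCK]]


def triage(image: bytes) -> dict:
    return {"bootblock_ok": bootblock_is_valid(image[:1024]),
            "marker_blocks": marker_blocks(image)}


def make_bootblock(code: bytes) -> bytes:
    """Constructed 1024-byte OFS bootblock: 'DOS\\0', checksum, root block
    pointer 880, boot code; the checksum field is filled in so it validates."""
    body = bytearray(b"DOS\x00" + bytes(4) + struct.pack(">I", 880) + code)
    body += bytes(1024 - len(body))
    body[4:8] = struct.pack(">I", 0xFFFFFFFF - bootblock_checksum(bytes(body)))
    return bytes(body)


def sample_image(damaged_block: int) -> bytes:
    """Constructed DD ADF image: clean bootblock plus the 2048-byte damage
    write from the record landing on `damaged_block`. Assumption: the marker
    leads each of the four overwritten blocks (real pattern not in the record)."""
    img = bytearray(ADF_BLOCKS * BLOCK)
    img[:1024] = make_bootblock(b"\x4e\x75")        # 68k RTS as placeholder code
    start = damaged_block * BLOCK
    img[start:start + 2048] = b"".join(MARKER.ljust(BLOCK, b"\x00") for _ in range(4))
    return bytes(img)
```

A valid checksum only means the bootblock will boot; an infected bootblock carries a valid checksum too, so it is the marker hits and a comparison against a known-good boot that tell you whether "Install boot" is needed.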