======= Computer Virus Catalog 1.2: "BGS 9" Virus (5-June-1990) =======
Entry...............: "BGS 9" (=Bundesgrenzschutz Sektion 9) Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: June 1989
              where.: Elmshorn, FRG
Classification......: link virus (renaming), resident
Length of Virus.....: 1. length on storage medium: 2608 bytes
                      2. length in RAM           : 2608 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.5
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B
--------------------- Attributes --------------------------------------
Easy Identification.: typical text: 'TTV1' at the end of the virus
                         (length is 2608 bytes)
                      identification on disk: a file in ROOT- and/or
                         DEVS-directory is named with the following
                         unprintable string:
                         $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0;
                         length of first command in startup-sequence
                         seems to be altered to 2608 bytes (because the
                         file isn't the original anymore)
Type of infection...: self-identification method: virus searches for a
                         file in devs- or root directory named with
                         the following unprintable string:
                         $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0
                      system infection: RAM resident, reset resident
Infection Trigger...: reset (CONTROL + Left-AMIGA + Right-AMIGA)
Storage media affected: bootable floppy disks ( 3.5'' and 5.25'' ),
                         bootable ram disks, bootable hard disks
Interrupts hooked...: ---
Damage..............: permanent damage: overwriting bootblock
                      transient damage: screen buffer manipulation:
                         screen becomes black, a graphic with following
                         text is shown:
                              'a computer virus is a disease
                               terrorism is a transgression
                               software piracy is a crime
                               this is the cure     BGS9
                               Bundesgrenzschutz Sektion 9
                               Sonderkommando "EDV"        '
Damage Trigger......: permanent damage: reset (CONTROL + LEFT-AMIGA +
                                                RIGHT-AMIGA)
                      transient damage: 4 resets (each has to be run
                         until the initial CLI window appears)
Particularities.....: other resident programs using the system resident
                         list (KickTagPointer, KickMemPointer) are
                         shut down; the name of its resident task is
                         'TTV1' (see string in bootblock code). When
                         the virus doesn't find a DEVS directory, it
                         uses the root.
                      The first command in the startup-sequence is
                         renamed to a file named with the following
                         unprintable string: '$A0,$A0,$A0,$20,$20,$20,
                         $A0,$20,$20,$20,$A0' (in DEVS- or in root
                         directory if available) and the virus is
                         written to the directory under the command's
                         original name, so next time the virus is
                         called first, before the original command is
                         executed.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .2 Monitoring System Vectors:
                                     'CHECKVECTORS 2.2'
                                  .3 Monitoring System Areas:
                                     'CHECKVECTORS 2.2','GUARDIAN 1.2',
                                     'VIRUSX 4.0'
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: 'CHECKVECTORS 2.2',
                                     'BGS9-PROTECTOR', 'VIRUSX 4.0'
                      Category 4: Vaccine: 'BGS9-PROTECTOR'
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: 'CHECKVECTORS 2.2', 'BGS9-PROTECTOR'
Standard means......: 'CHECKVECTORS 2.2' (removal)
                       and creating two files named with the following
                       unprintable string '$A0,$A0,$A0,$20,$20,$20,$A0,
                       $20,$20,$20,$A0' to vaccinate the disk (one file
                       has to be placed in the ROOT- and one in the
                       DEVS-directory),
                      'BGS9-PROTECTOR'
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Wolfram Schmidt, Alfred Manthey Rojas
Documentation by....: Alfred Manthey Rojas
Date................: 5-June-1990
Information Source..: ---
===================== End of "BGS 9" Virus ============================
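
Added example (not part of the catalog entry or of any product listed in it): a Python check over a volume whose files have been extracted to a local directory, using the two identifiers given under "Easy Identification" and separating an infected volume from one that only carries the marker file (vaccinated or already cleaned). The function name, verdict labels and extracted-directory layout are assumptions; the entry places 'TTV1' at the end of the virus, while this scan accepts it anywhere in a 2608-byte file.

```python
import os

# Identifiers taken from the catalog entry above.
MARKER = bytes([0xA0, 0xA0, 0xA0, 0x20, 0x20, 0x20,
                0xA0, 0x20, 0x20, 0x20, 0xA0])   # unprintable file name
VIRUS_LEN = 2608                                 # length on storage medium
SIGNATURE = b"TTV1"                              # typical text in the virus


def scan_volume(root):
    """Return (markers, bodies, verdict) for an extracted AmigaDOS volume.

    markers: marker-named files found in the root or DEVS directory
    bodies : 2608-byte files that contain 'TTV1'
    verdict: 'infected', 'marker-only' or 'clean' (labels are assumptions)
    """
    root = os.fsencode(root)          # bytes paths keep $A0 names intact
    markers, bodies = [], []

    # The entry names only two places for the marker: root and DEVS.
    # AmigaDOS names are case-insensitive, so match 'devs' in any case.
    dirs = [root] + [e.path for e in os.scandir(root)
                     if e.is_dir(follow_symlinks=False)
                     and e.name.lower() == b"devs"]
    for d in dirs:
        candidate = os.path.join(d, MARKER)
        if os.path.lexists(candidate):
            markers.append(candidate)

    # The virus takes over the name of the first startup-sequence command,
    # so its file can sit anywhere: match on length plus signature.
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) != VIRUS_LEN:
                continue
            with open(path, "rb") as fh:
                if SIGNATURE in fh.read():
                    bodies.append(path)

    if bodies:
        verdict = "infected"
    elif markers:
        verdict = "marker-only"       # vaccinated, or virus file removed
    else:
        verdict = "clean"
    return markers, bodies, verdict
```

A "marker-only" result matches the vaccination described under "Standard means" when both the root and the DEVS directory hold the marker file.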
