Name         : BootXKiller

     Aliases      : No Aliases

     Type/Size    : Boot/1024

     Clones       : No Clones

     Symptoms     : No Symptoms

     Discovered   : 05-01-92

     Way to infect: Via bootblock

     Rating       : Dangerous

     Kickstarts   : 1.2/1.3/2.0

     Damage       : Overwrites Boot, Datablocks

     Manifestation: A virus alert appears

     Removal      : Install boot.

     Comments     : The  BootXKiller virus  copies itself to addres $7FC00
                    and  changes the  Coolcapture to stay resident in mem-
                    ory.

                    First, the  virus  patches  the WaitPort()-Vector from
                    the   exec.library.   This   patch  is  just  used  to
                    initialize  the  Coolcapture  and  the  DoIo().

                    Then  the  virus  patches the OldOpenLibrary()-Vector.
                    The next library which  will  be opened beginning with
                    the letters "in" will be patched as following. Imagine
                    the "intuition.library" will  be opened, the virus now
                    patches the SetMenuStrip  and  the  Alert  Vector from
                    this  library.  When the  SetMenuStrip-Vector  will be
                    used the  next time, the virus checks for "Boot Tools"
                    as  the  title. If "Boot Tools" is the title to be set
                    the virus changes it into "BootX Killer". If this will
                    happen 3 times the virus will give out an alert:

                               "This is virus - BootX Killer"
                      "Fuck to all (I)diotic (B)ullshit (M)achine users"
                        "Send bug report to: Mr. Larmer of Wanted Team"
                                           "Poland"


                    To  infect  other  disks  the virus patches the DoIO()
                    vector from the exec.library:

                    The  next  time  a  Data-block  will  be  read  and  a
                    special  value  isn`t  zero  the  virus destroys it by
                    filling the block up with "BootXKiller".

                    Such blocks cannot be repaired....



     SHI - A.D 11-94

[Go back]