BURN Virus 1(or TYP A like in VT):
        ----------------------------------

        Increases filelength: 2412

        This virus is quite clever. It adds 2 hunks  to the file.
        The  first hunk will  be linked  before the file and  the
        other hunk will be added behind the file. The first  hunk
        creates a process with the data of the last hunk.DOSWRITE
        will be changed.

        I  could not manage to spread  the  virus. Everything was
        tried but  I could  not  figure out how  to  spread it. A
        real repairroutine was  not  included  in  VirusWorkshop,
        because I think that only one testfile is  too  less.  VW
        now only deletes the infected file.

        The linkroutine only knows a very low amount of hunks and
        is not the state of the art.

        The installed process has always another name,because the
        Exec Tasklist will be used to create the Procname.

        The virus contains a DATESTAMP routine. On 07.2.1994. the
        virus will start to destroy all DATA and no spredtry will
        be performed.

        The memorykill routine  fills up the process with  1037 *
        "RTS". All routines will be overwritten and no damage can
        be caused by this process. Other viruskillers try to rem.
        the process, but it`s much easier  only to deactivate  the
        thing.


        A formatroutine is  in  this  file.  The
        mainfile is  about 3000 bytes  longer than the real VirusZ
        version and  contains at the end of the  file  the  virus-
        code. The DOSlist will be scanned and several sectors will
        be  overwritten  via  EXECs  DOIO and  the blocks will  be
        filled  up with "BURN"s. The string "BURN" cannot be  read
        as  in  the Bossnuke Virus("DOS3"s).

        The longword will be created in this way:

        move.l        #$5171c5c8,d1
        eori.l        #$13249786,d1 ="BURN"

        The routine is very similar to another formatroutine,which
        appeared in the last weeks. This was the  Bossnuke  Virus.



                                        Detection tested on 18.1.1994.

        Special thanks go to Cranc/LOGIC for supplying me with the
        info about a virus in a fake version.



        BURN Virus 2(or TYP B like in VT):
        ----------------------------------

        Increases an infected file by 2428 bytes.



        Differences to Version A:
        -------------------------

        A different time routine, but still the pure destroying-
        code will be activated at 7.Feb 1994. A little bit changed
        cryptroutine for the formatlw "BURN". Some changes in the
        infection(spread) routine. Due to  a  strong  bug  in  the
        cryptroutine for the longword "BURN", this word  will  be
        never created(Thanks must go  to  Ingo  Schmidt  for  this
        hint:You really not needed to trash a SYQUEST to test it).

        Version A did not spread ! Version B can be easily spread.

        Many mistakes in the code (hunks!). VirusWorkshop can fix
        (hopefully) all bugs made by this virus. It corrects the
        HUNK RELOC32. Make a copy before repairing this file !

        Many links are possible. I have stopped counting at 20
        links.



                                Detection in RAM and file tested
                                                        09.02.1994.


        Special thanks must go J.Walker/TRSi for the really hyper-
        fast supply with this virus. Thanks again !


        Comment 26.09.1994: The linkroutine from the BURN 2(B) virus
        will be used by the viewtek22 virus (vtek22).



        Test by Markus Schmall


[Go back]