------------------------
Amiga Virus Encyclopedia
Byte Bandit Plus Virus
------------------------
== Computer Virus Catalog 1.2: BYTE BANDIT PLUS Virus (5-June-1990) ===
Entry...............: BYTE BANDIT PLUS Virus
Alias(es)...........: BYTE BANDIT 3
Virus Strain........: BYTE BANDIT Virus
Virus detected when.: September 1989
              where.: Elmshorn, FRG
Classification......: system virus (bootblock), resident
Length of Virus.....: 1. length on storage medium: 1024 byte
                      2. length in RAM: 1024 byte
--------------------- Preconditions -----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/33.166, 1.2/33.180 and 1.3/34.20
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B
                      (and only with those memory expansions of
                      $0C000000 type)
--------------------- Attributes --------------------------------------
Easy Identification.: typical text: ---
Type of infection...: self-identification method: ---
                      system infection: RAM resident, reset resident,
                      bootblock
Infection Trigger...: reset (CONTROL + Left-AMIGA + Right-AMIGA)
                      operation: any disk access
Storage media affected: only floppy disks (3.5" and 5.25")
Interrupts hooked...: vertical blank interrupt
Damage..............: permanent damage: overwriting bootblock, maybe
                      killing opened files when the screen and the
                      keyboard are shut off and the user has to
                      restart the computer using CONTROL+LEFT-AMIGA
                      +RIGHT-AMIGA keys; allocates available memory
                      minus 86016 byte
                      transient damage: screen buffer manipulation:
                      screen becomes dark, keyboard seems to
                      malfunction, transient damage may only be
                      interrupted by pressing a special key combination:
                      LEFT-ALT+LEFT-AMIGA (on newer AMIGAS the
                      COMMODORE key)+SPACE+RIGHT-AMIGA+RIGHT-ALT
                      (but the virus is still active)
Damage Trigger......: permanent damage: reset
                      operation: any disk access
                      transient damage: only under the following condition:
                      2 resets AND 6 infections AND execution of
                      BYTE BANDIT's own interrupt routine 5208 times
                      (about 7 minutes)
Particularities.....: uses StartIOVector
                      other resident programs using the system resident
                      list (KickTagPointer, KickMemPointer) are shut
                      down
                      copy counter: 19th word
Similarities........: clone of BYTE BANDIT with some new code instead
                      of bootblock text, using undocumented system
                      addresses, manipulates background color, seems
                      to steal 86016 byte of system memory depending
                      on a counter at memory location $0007FC00
--------------------- Agents ------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .2 Monitoring System Vectors:
                                     'CHECKVECTORS 2.2'
                                  .3 Monitoring System Areas:
                                     'CHECKVECTORS 2.2', 'GUARDIAN 1.2',
                                     'VIRUSX 4.0'
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: 'CHECKVECTORS 2.2',
                                  'VIRUSX 4.0'
                      Category 4: Vaccine: ---
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: 'CHECKVECTORS 2.2', 'GUARDIAN 1.2',
                      'VIRUSX 4.0'
Standard means......: 'CHECKVECTORS 2.2'
--------------------- Acknowledgement ---------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Alfred Manthey Rojas
Documentation by....: Alfred Manthey Rojas
Date................: 5-June-1990
Information Source..: ---
===================== End of BYTE BANDIT PLUS Virus ===================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed
ASCII of ByteBandit Plus virus (Clone: Byte Bandit 3):