DOOM File virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM



    ------------------------
    Amiga Virus Encyclopedia
    DOOM Filevirus
    ------------------------
    
    
    DOOM Filevirus:
    
    Kickstart 1.x: probably not working; the virus calls dos.library
                   through very high jump offsets (LVOs), i.e. functions
                   that Kickstart 1.x does not have
    Kickstart 2.0: working
    Kickstart 3.0: working
    Kickstart 3.1: working
    MC68040      : working

    Installer: clx_doom.exe (406012 bytes, packed with Stc 4.10.2)

    Newly created files:

             -sys:c/assign (3220 bytes unpacked)
              This is the original 37.4 assign command (25.5.91)
              with the virus linked in. The hunk lengths in the
              file have been manipulated, so do not be surprised
              that it has the same length as the original: a
              file-length check alone will not reveal the
              infection.

             -sys:c/copy (5496 bytes unpacked)
              This is the original 38.1 copy command (20.05.92)
              with the virus linked in.

             -sys:libs/diskfont.library (15820 bytes unpacked)
              This is the original library V39.3 (14.07.92) with
              the virus linked in.


    The original diskfont.library is 15340 bytes long, so the virus
    itself is 480 bytes long.
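    The warning about c:assign above matters for scanners: a file-length
    check is worthless against a linked virus that rewrites the hunk
    sizes. The following Python is an added example, not the page's own
    tooling and not code from any of the products it names. It is a
    small parser for the AmigaDOS hunk format that cross-checks the
    HUNK_HEADER size table against the blocks in the body and compares a
    sample's per-hunk sizes with a known-good copy. The load files it
    runs on are constructed inside the script (the real assign and copy
    binaries are not reproduced); the "infected" variants model a virus
    appending 480 bytes to the first CODE hunk, and the variant that also
    shrinks the DATA hunk is only a constructed illustration of how a
    file can keep its original length, not a statement of what DOOM
    actually does.

```python
import struct

# AmigaDOS load-file ("hunk") block types handled by this parser.
HUNK_HEADER, HUNK_CODE, HUNK_DATA, HUNK_BSS = 0x3F3, 0x3E9, 0x3EA, 0x3EB
HUNK_RELOC32, HUNK_END = 0x3EC, 0x3F2
NAMES = {HUNK_CODE: "CODE", HUNK_DATA: "DATA", HUNK_BSS: "BSS"}
VIRUS_SIZE = 480  # growth the page measured on diskfont.library (15820 - 15340)


def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]


def parse_hunks(buf):
    """Walk a load file. Returns (declared, found): the byte sizes listed in
    HUNK_HEADER, and [(type, bytes)] for the CODE/DATA/BSS blocks in the body."""
    if _u32(buf, 0) != HUNK_HEADER:
        raise ValueError("not a hunk file")
    off = 4
    while True:                          # resident library name list, 0-terminated
        n = _u32(buf, off); off += 4
        if n == 0:
            break
        off += n * 4
    first, last = _u32(buf, off + 4), _u32(buf, off + 8)
    off += 12                            # skip table size, first, last
    declared = []
    for _ in range(last - first + 1):
        declared.append((_u32(buf, off) & 0x3FFFFFFF) * 4)  # top 2 bits = memory flags
        off += 4
    found = []
    while off < len(buf):
        htype = _u32(buf, off) & 0x3FFFFFFF; off += 4
        if htype in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            n = _u32(buf, off) * 4; off += 4
            found.append((NAMES[htype], n))
            if htype != HUNK_BSS:        # BSS carries no payload in the file
                off += n
        elif htype == HUNK_RELOC32:
            while True:
                cnt = _u32(buf, off); off += 4
                if cnt == 0:
                    break
                off += 4 + cnt * 4       # target hunk number, then the offsets
        elif htype != HUNK_END:
            raise ValueError("unsupported hunk type 0x%X" % htype)
    return declared, found


def header_mismatches(buf):
    """Findings where a body block disagrees with the HUNK_HEADER size table.
    A linked virus that grows a hunk has to rewrite this table, otherwise
    LoadSeg() allocates too little memory; a scanner can verify they agree."""
    declared, found = parse_hunks(buf)
    out = []
    if len(declared) != len(found):
        out.append("header lists %d hunks, body has %d" % (len(declared), len(found)))
    for i, (d, (name, n)) in enumerate(zip(declared, found)):
        if d != n:
            out.append("hunk %d %s: header %d bytes, body %d bytes" % (i, name, d, n))
    return out


def hunk_deltas(baseline, sample):
    """Per-hunk comparison against a known-good copy of the same file:
    [(index, type, baseline_bytes, sample_bytes)] for every hunk that changed."""
    _, base = parse_hunks(baseline)
    _, samp = parse_hunks(sample)
    return [(i, bn, bs, ss) for i, ((bn, bs), (_, ss)) in enumerate(zip(base, samp)) if bs != ss]


def build_loadfile(code, data):
    """Assemble a minimal two-hunk load file (CODE + DATA) for the demo."""
    lw = lambda n: struct.pack(">I", n)
    out = lw(HUNK_HEADER) + lw(0) + lw(2) + lw(0) + lw(1)       # header, 2 hunks, numbered 0..1
    out += lw(len(code) // 4) + lw(len(data) // 4)               # the size table
    out += lw(HUNK_CODE) + lw(len(code) // 4) + code + lw(HUNK_END)
    out += lw(HUNK_DATA) + lw(len(data) // 4) + data + lw(HUNK_END)
    return out


# Constructed samples, not the real assign/copy binaries. The "infected"
# variants append 480 bytes to the CODE hunk; SAME_LENGTH also shrinks the
# DATA hunk by 480 bytes so the total length equals the original's (an
# illustration of the c:assign situation, not DOOM's actual method).
CLEAN_CODE, CLEAN_DATA = b"\x4e\x75" * 100, b"A" * 800             # 200 + 800 bytes
ORIGINAL = build_loadfile(CLEAN_CODE, CLEAN_DATA)
GROWN = build_loadfile(CLEAN_CODE + b"\x90" * VIRUS_SIZE, CLEAN_DATA)
SAME_LENGTH = build_loadfile(CLEAN_CODE + b"\x90" * VIRUS_SIZE, CLEAN_DATA[:-VIRUS_SIZE])
# A sloppier infection that grew the hunk but left the header table stale.
STALE_HEADER = GROWN[:20] + struct.pack(">I", len(CLEAN_CODE) // 4) + GROWN[24:]

if __name__ == "__main__":
    print(len(ORIGINAL), len(SAME_LENGTH))        # identical length, still infected
    print(hunk_deltas(ORIGINAL, SAME_LENGTH))     # CODE grew by 480, DATA shrank by 480
    print(header_mismatches(STALE_HEADER))
```

    The per-hunk comparison needs a trusted copy of the command (the
    Workbench disk, or recorded sizes such as the 15340 bytes quoted for
    diskfont.library); the header consistency check needs nothing, but
    a careful virus like this one keeps the table consistent, so on its
    own it only catches sloppy infectors.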

    This file is spread as AMIGA DOOM by Complex, but it produces no
    output at all apart from dropping the virus.

    File ID:

          ______________  /\_________   _______  /\_
         /    ______ /  \/  \____   \|-/  _____\/__/
        /    |_/   |/        /   ___/|/   _|_/    \_
        \______\____\  /\/\__\___|\___¯\____\__/\  /
          ----\/-p-r-\/s-e-n-t-s------\/---\/----\/
                       Amiga Doom!
               Coded by Gengis / Complex!

    The main program is extremely lame code. A DMS file can be found
    inside it, with some Mapus banners hanging around and some IFF
    sound samples. At the beginning, all texts and some other parts
    are decoded using a lame crypt loop. Then the files are saved and
    some file comments are set (the comment "RESTICTED" is set on
    bbs:user.data and on bbs:user.key).

    The DMS file was uploaded to a quite well-known BBS on 26.05.94;
    at least that is what the banner in its header says. Another file
    embedded in the main code is an intro, in which you can read some
    texts from Melön Dezign.

    The virus checks for a higher processor (68010 or above; the 68000
    has no VBR), reads the VBR and installs a new interrupt handler in
    the vector at offset $74 of the vector table. That is the level 5
    autovector, which the Amiga uses for the serial receive (RBF) and
    disk sync interrupts. This is new: nearly all other viruses simply
    patch the vector page at address 0 and ignore the VBR.

    This new interrupt handler increments a variable until it reaches
    30000. As long as the variable has not reached that value, the
    handler tries to manipulate the $dff030 register (SERDAT, serial
    port data). $dff030 is only changed if a special string is found;
    the address used for the comparison is calculated from the SerDat
    register ($dff018, SERDATR) and an internal counter. The string is
    $6c554e69544963210d, which is the ASCII text "lUNiTIc!" followed by
    a carriage return ($0d).
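    To make the VBR point concrete, the following Python is an added
    example and not code from the page or from any of the tools it
    names: it models the level 5 autovector check a memory scanner
    needs, reading the table relative to the VBR instead of at address
    0, over a constructed memory image. The ROM address range, the
    relocated VBR value and the handler addresses are assumptions of
    the example; the trigger string is the one quoted above.

```python
import struct

# 68000-family vector table: vector n lives at VBR + 4*n. Vectors 25-31
# (offsets $64..$7C) are the level 1-7 autovector interrupts; $74 is vector
# 29, level 5, which the Amiga uses for the serial receive (RBF) and DSKSYNC
# interrupts. The 68000 has no VBR (its table is fixed at 0); 68010 and later
# CPUs can relocate it, which is why the virus reads the VBR first.
AUTOVECTORS = {0x64: 1, 0x68: 2, 0x6C: 3, 0x70: 4, 0x74: 5, 0x78: 6, 0x7C: 7}

# 512 KB Kickstart ROM area on 2.0/3.x machines. Assumption made by this
# check: on a clean system the autovector entries point at exec's handlers
# in ROM, so an entry pointing into RAM deserves a closer look.
ROM_START, ROM_END = 0xF80000, 0x1000000

# The trigger string quoted on the page, decoded from its hex dump.
TRIGGER = bytes.fromhex("6c554e69544963210d")   # b"lUNiTIc!\r"


def read_long(mem, addr):
    return struct.unpack_from(">I", mem, addr)[0]


def suspicious_autovectors(mem, vbr):
    """Read the seven autovector entries relative to `vbr` and return
    [(offset, level, handler)] for those whose handler lies outside ROM."""
    hits = []
    for offset, level in sorted(AUTOVECTORS.items()):
        handler = read_long(mem, vbr + offset)
        if not ROM_START <= handler < ROM_END:
            hits.append((offset, level, handler))
    return hits


def build_memory(vbr, hooks=()):
    """Constructed 2 MB memory image (not a dump of a real machine) with a
    clean vector table at address 0 and, if the VBR was relocated, a second
    clean copy at `vbr` (relocating the VBR normally means copying the table
    and leaving the old one at 0). `hooks` are (offset, handler) patches
    applied at vbr + offset, the way the virus installs its handler."""
    mem = bytearray(0x200000)
    for base in {0, vbr}:
        for offset in AUTOVECTORS:
            struct.pack_into(">I", mem, base + offset, 0xF81000 + offset)  # made-up ROM addresses
    for offset, handler in hooks:
        struct.pack_into(">I", mem, vbr + offset, handler)
    return mem


# Scenario: 68040 with the VBR moved to fast RAM, and a DOOM-style hook on
# the level 5 vector pointing at a handler in chip RAM (address made up).
RELOCATED_VBR = 0x100000
CLEAN = build_memory(0)
INFECTED = build_memory(RELOCATED_VBR, hooks=[(0x74, 0x00C01000)])

if __name__ == "__main__":
    print(suspicious_autovectors(CLEAN, 0))                  # []
    print(suspicious_autovectors(INFECTED, RELOCATED_VBR))   # [(116, 5, 12587008)]
    print(suspicious_autovectors(INFECTED, 0))               # [] - a VBR-unaware scan misses the hook
```

    The last call is the point: a scanner that only looks at address 0,
    like the viruses this page contrasts DOOM with, never sees the
    handler. On a real machine the VBR comes from MOVEC (68010+) and is
    always 0 on a 68000; and since legitimate drivers and some games hook
    these vectors too, a RAM handler is a lead to inspect, not a verdict.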


    I think that it is something like a hacking program, or a special
    program to manipulate the data transfer through the serial port.


    No other texts were found in the virus.

                             Detection in files tested 16.07.1994
                             Detection in memory and removal


    Removal: Kickstart 1.2 & 1.3  : VT-Schutz v3.17
             all other Kickstarts : VirusZ III with xvs.library installed
            
            
    Test by Markus Schmall                      tested 17.07.1994


    


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk