DOOM Filevirus:

        Kickstart 1.x: probably not working based on very high DOS Jmps.
        Kickstart 2.0: working
        Kickstart 3.0: working
        Kickstart 3.1: working
        MC68040             : working

        Installer: clx_doom.exe (406012 bytes packed Stc 4.10.2)

        New created files:

                  -sys:c/assign (3220 bytes unpacked)
                   This is the original 37.4 assign command (25.5.91)
                   with the linked virus. The hunklength are manipulated,
                   so don`t wonder about the same lenght as the

                  -sys:c/copy   (5496 bytes unpacked)
                   This is the original 38.1 copy command (20.05.92)
                   with the linked virus.

                  -sys:libs/diskfont.library (15820 bytes unpacked)
                   This is the original library V39.3 (14.07.92) with
                   the linked virus.

        The original Diskfont.library is 15340 bytes long. As a result
        the virus is 480 bytes long.

        This file is spreaded as AMIGA DOOM by Complex. But it not even
        creates some output except from the virus.

           File ID:

                  ______________  /\_________   _______  /\_
                 /    ______ /  \/  \____   \|-/  _____\/__/
                /    |_/   |/        /   ___/|/   _|_/    \_
                \______\____\  /\/\__\___|\___¯\____\__/\  /
                               Amiga Doom!
                       Coded by Gengis / Complex!

        The main programm is extremly lame coded. A DMS file can be
        found in the file, whith some Mapus banners hanging around
        and some IFF sound samples. At the beginning, all texts and
        some other parts will be decoded using  a  lame  cryptloop.
        Then the files will be saved and some filecomments will  be
        set  (set "RESTICTED" to & to  bbs:user.key).

        The DMS file was uploaded to a quite known BBS on 26.05.94.
        Atleast this banner  can be found in  the  header.  Another
        file is in the maincode, which is an intro. In  this  intro
        you can read some texts from Melön Dezign.

        The virus checks for higher processors and read the VBR and
        installs a new interrupt in the $74 vector in the vectorpage.
        This is new. Nearly all other viruses only patch the vector-

        This new interrupt increases a variable until it has reached
        30000. As long as this value is not in the variable, it will
        be tried to manipulate the $dff030 register. The $dff030 will
        be only changed, if a special string , which adress will be
        calculated using the SerDat register($dff018)and an internal
        counter, will be found(string=@{b}$6c554e69544963210d@{ub}).

        I think that it is something like hacking programm or a
        special programm to manipulate the datatransfer from the
        serial port.

        No other texts were found in the virus.

                                Detection in files tested 16.07.1994.
                                Detection in memory and removal
                                                   tested 17.07.1994.
        Test by Markus Schmall

[Go back]