VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
------------------------
Amiga Virus Encyclopedia
Big Ben Virus
------------------------
Name : BigBen
Aliases : No Aliases
Type : Boot
Size : 1024 bytes
Clones : No Clones
Symptoms : No Symptoms
Discovered : 26-08-94
Way to infect: Via bootblock
Vectors : Exec() CoolDoIO, Exec() FindName, Exec() ReplyMsg,
Exec() WaitPort, Exec() DoIO
Rating : Harmless
Kickstarts : 2.X/3.X
Damage : Overwrites Boot
Manifestation: A digital-watch appears
Removal : Install boot.
Comments : If you boot from a BigBen-infected disk, the
virus allocates fast memory, copies itself into
this area and changes CoolCapture to stay resident
in memory. To infect disks, the virus patches the DoIO()
vector of exec.library. Additionally, the virus
patches the WaitPort() and ReplyMsg() vectors.
These vectors are only used to initialize the DoIO()
routine.
After 3 resets the virus brings up a DIGITAL WATCH
while you are booting.
The virus tries to read the time from a hardware chip,
which is not located at this address on newer machines.
The virus allocates its memory correctly and tests whether
the caught DoIO call comes from the trackdisk.device
or not. So only disk drives will be infected and NOT
hard drives.
This way of patching the vectors is new on the AMIGA. The
same way of patching is used on Intel Windows machines
in conjunction with background programs. This routine
is buggy, but works.
You can't find any message in the bootblock.
Test made by : Markus Schmall & Safe Hex International
Screenshot of Big Ben virus:
Ascii of Big Ben virus: