------------------------
Amiga Virus Encyclopedia
Burn 1 & 2 Virus
------------------------
BURN Virus 1 (or TYP A as in VT):
Increases filelength: 2412
This virus is quite clever. It adds 2 hunks to the file.
The first hunk is linked in front of the file and the
other hunk is appended behind the file. The first hunk
creates a process with the data of the last hunk. DOSWRITE
will be changed.
I could not manage to spread the virus. Everything was
tried but I could not figure out how to spread it. A
real repair routine was not included in VirusWorkshop,
because I think that only one test file is too few. VW
now only deletes the infected file.
The link routine only knows a very small number of hunks
and is not state of the art.
The installed process always has a different name, because
the Exec task list is used to create the process name.
The virus contains a DATESTAMP routine. On 07.2.1994 the
virus will start to destroy all data and no attempt to
spread will be performed.
The memory kill routine fills up the process with 1037 *
"RTS". All routines will be overwritten and no damage can
be caused by this process. Other virus killers try to remove
the process, but it's much easier only to deactivate the
thing.
A format routine is in this file. The
main file is about 3000 bytes longer than the real VirusZ
version and contains the virus code at the end of the
file. The DOS list will be scanned and several sectors will
be overwritten via Exec's DoIO and the blocks will be
filled up with "BURN"s. The string "BURN" cannot be read
as in the Bossnuke Virus ("DOS3"s).
The longword will be created in this way:
   move.l #$5171c5c8,d1
   eori.l #$13249786,d1    ; = "BURN"
The routine is very similar to another format routine, which
appeared in the last weeks. This was the Bossnuke Virus.
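As an added illustration (not part of the original entry and not code from any virus killer named here), the following Python code scans a buffer for the move.l/eori.l pair shown above and decodes the longword it builds, generalised to any data register Dn. It assumes the two instructions are adjacent as listed; the sample buffer is constructed for the example and is not taken from the virus.

```python
import struct

# Constructed sample, not taken from the virus: nop, nop, the two
# instructions listed above, rts.
SAMPLE = bytes.fromhex("4e714e71" "223c5171c5c8" "0a8113249786" "4e75")


def find_xor_built_longwords(buf):
    """Find move.l #imm,Dn directly followed by eori.l #imm,Dn.

    Returns (offset, register, text) for every pair whose XOR result
    is four printable ASCII bytes, i.e. a string hidden from a plain
    text search of the file. Adjacency of the pair is an assumption.
    """
    hits = []
    # 68000 instructions are word aligned, so step two bytes at a time.
    for off in range(0, len(buf) - 11, 2):
        op1, imm1, op2, imm2 = struct.unpack_from(">HIHI", buf, off)
        if op1 & 0xF1FF != 0x203C:   # move.l #imm,Dn (Dn in bits 11-9)
            continue
        if op2 & 0xFFF8 != 0x0A80:   # eori.l #imm,Dn (Dn in bits 2-0)
            continue
        reg = (op1 >> 9) & 7
        if reg != op2 & 7:           # both must work on the same register
            continue
        raw = struct.pack(">I", imm1 ^ imm2)
        if all(0x20 <= b <= 0x7E for b in raw):
            hits.append((off, reg, raw.decode("ascii")))
    return hits


if __name__ == "__main__":
    for off, reg, text in find_xor_built_longwords(SAMPLE):
        print(f"offset {off:#x}: d{reg} = {text!r}")
```

A hit only shows that a constant is being assembled at run time; the decoded text still has to be judged in context.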
Detection tested on 18.1.1994.
Special thanks go to Cranc/LOGIC for supplying me with the
info about a virus in a fake version.
BURN Virus 2 (or TYP B as in VT):
Increases an infected file by 2428 bytes.
Differences to Version A:
-------------------------
A different time routine, but the pure destroying code
will still be activated on 7.Feb 1994. A slightly changed
crypt routine for the format longword "BURN". Some changes
in the infection (spread) routine. Due to a serious bug in
the crypt routine for the longword "BURN", this word will
never be created (thanks must go to Ingo Schmidt for this
hint: you really did not need to trash a SyQuest to test it).
Version A did not spread! Version B can be easily spread.
Many mistakes in the code (hunks!). VirusWorkshop can fix
(hopefully) all bugs made by this virus. It corrects the
HUNK RELOC32. Make a copy before repairing this file!
Many links are possible. I have stopped counting at 20
links.
Detection in RAM and file tested
09.02.1994.
Special thanks must go to J.Walker/TRSi for the really
hyper-fast supply with this virus. Thanks again!
Comment 26.09.1994: The link routine from the BURN 2 (B) virus
is used by the viewtek22 virus (vtek22).
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed
Test by Markus Schmall