Amiga Virus Encyclopedia
Burn 1 & 2 Virus
BURN Virus 1(or TYP A like in VT):
Increases filelength: 2412
This virus is quite clever. It adds 2 hunks to the file.
The first hunk will be linked before the file and the
other hunk will be added behind the file. The first hunk
creates a process with the data of the last hunk.DOSWRITE
will be changed.
I could not manage to spread the virus. Everything was
tried but I could not figure out how to spread it. A
real repairroutine was not included in VirusWorkshop,
because I think that only one testfile is too less. VW
now only deletes the infected file.
The linkroutine only knows a very low amount of hunks and
is not the state of the art.
The installed process has always another name,because the
Exec Tasklist will be used to create the Procname.
The virus contains a DATESTAMP routine. On 07.2.1994. the
virus will start to destroy all DATA and no spredtry will
The memorykill routine fills up the process with 1037 *
"RTS". All routines will be overwritten and no damage can
be caused by this process. Other viruskillers try to rem.
the process, but it`s much easier only to deactivate the
A formatroutine is in this file. The
mainfile is about 3000 bytes longer than the real VirusZ
version and contains at the end of the file the virus-
code. The DOSlist will be scanned and several sectors will
be overwritten via EXECs DOIO and the blocks will be
filled up with "BURN"s. The string "BURN" cannot be read
as in the Bossnuke Virus("DOS3"s).
The longword will be created in this way:
eori.l #$13249786,d1 ="BURN"
The routine is very similar to another formatroutine,which
appeared in the last weeks. This was the Bossnuke Virus.
Detection tested on 18.1.1994.
Special thanks go to Cranc/LOGIC for supplying me with the
info about a virus in a fake version.
BURN Virus 2(or TYP B like in VT):
Increases an infected file by 2428 bytes.
Differences to Version A:
A different time routine, but still the pure destroying-
code will be activated at 7.Feb 1994. A little bit changed
cryptroutine for the formatlw "BURN". Some changes in the
infection(spread) routine. Due to a strong bug in the
cryptroutine for the longword "BURN", this word will be
never created(Thanks must go to Ingo Schmidt for this
hint:You really not needed to trash a SYQUEST to test it).
Version A did not spread ! Version B can be easily spread.
Many mistakes in the code (hunks!). VirusWorkshop can fix
(hopefully) all bugs made by this virus. It corrects the
HUNK RELOC32. Make a copy before repairing this file !
Many links are possible. I have stopped counting at 20
Detection in RAM and file tested
Special thanks must go J.Walker/TRSi for the really hyper-
fast supply with this virus. Thanks again !
Comment 26.09.1994: The linkroutine from the BURN 2(B) virus
will be used by the viewtek22 virus (vtek22).
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test by Markus Schmall