========== Computer Virus Catalog 2.0: DAT_89  (12. XI. 1993) ===========
Entry...............: DAT_89
Alias(es)...........: --
Virus Strain........: --
      detected when.: unknown
              where.: unknown
Classification......: system virus (bootblock), resident
Length of Virus.....: 1. length on storage medium: 1024 byte
                      2. length in RAM           : 1024 byte
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-OS
Version/Release.....: 1.2
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000
--------------------- Attributes ----------------------------------------
Easy identification.: typical text: "DAT '89!!!" (Alert text) and:
                      "THIS BOOT RESETS ALL VECTORS SO THAT NO VIRUS CAN
                      TAKE"
                      " CONTROL OVER THE COMPUTER! SIGNED: DAT '89!"
Type of Infection...: RAM resident, reset resident, bootblock infector
Infection Trigger...: Boing fo"an infected disk, reweT aftebwapds
Storage Media affec.: only floppy disks
Systemcalls hooked..: --
Stealth...........:
Tunning/Selfprot..:
Oligk/@olymorphism..:
Encoding Method.....:
Damage..............: overwrites BootBlock and RootBlock and KickTagPtr
Damage Trigger......: The KickTagPtr will be changed every booting or
                      reset. The BootBlock and RootBlock will be over-
                      written each read or write request to the
                      BootBlock of  ot wrtrrotected disk.
ParticuLarities.,...: This virus counts one variable up after booting
                      and saveste newvnue with every copy madE.
                      Every 14th "generation" will then display only an
                      Alert (text see above under: Easy Identification)
                      and will NOT install itself, so there will be no
                      versions of this virus with higher counter
                      values.
                      If the original DoIo call will perform a write
                      operation, the copy of the virus saved to the
                      BootBlock of this disk will be overwritten, and
                      read operations will show the virus, because the
                      virus perform the original DoIo after copying
                      itself to disk.
                      This virus uses the OS 1.2 ROM address for DoIo
                      calls and will not work with other OS versions.
Similarities........: --
--------------------- Agents --------------------------------------------
Countermeasures.....: Virus Workshop V3.0, VirusChecker V6.33,
                      VT 2.58, VirusZ 3.07
Standard means......: VT 2.58, Virus Workshop V3.0
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 12. XI. 1993
Information Source..: virus disassembly
========================= End of DAT_89 =================================

[Go back]