        Datalock 1.01 and Datalock 1.02 viruses :
        -----------------------------------------

        Both viruses are VERY aggressive and contain very powerful
        destruction routines.

        Both viruses use direct address access to $7fXXX and
        do not need the "trackdisk.device". I have killed two of my
        hard discs (one including my WHOLE VirusWorkshop sources) but
        I had luckily made a backup 4 days ago. Phew.

        DoIo always at $7f858
        Kicktag always at $7fade

        Very tricky new decoding routine, which will be changed before.
        Nice... The viruses killed my RDB on a SCSI-II hard disc and killed
        some sectors by overwriting them with some stuff.

        The bootblock and another 1024 bytes (V1.02) are written.
        With V1.02, 4 KB are written to the bootblock. The destruction
        is very wide-ranging.

        V1.01 has an additional destruction routine, which kills
        sectors 890-893. On normal DD discs the ROOTBLOCK (directory)
        is at sector 880. It's therefore possible that very important
        directory blocks will be killed by this virus.

        V1.02 has a different destruction routine. 4 blocks, which
        are chosen using a random routine, will be killed by
        overwriting them with memory garbage.
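
        An added example (not part of the original description or of
        VirusWorkshop): a Python check that takes a DD disc image and
        validates the areas named above, i.e. the bootblock, the rootblock
        at sector 880 and sectors 890-893. It relies on the standard
        AmigaDOS checksum rules; the function names and the sample image
        are constructed for illustration.

```python
import struct

SECTOR = 512
ROOT = 880                      # rootblock of a DD disc, as stated above
V101_TARGETS = range(890, 894)  # sectors 890-893 overwritten by V1.01

def longs(data):
    """Interpret bytes as big-endian 32-bit words."""
    return struct.unpack(">%dI" % (len(data) // 4), data)

def boot_ok(image):
    """Bootblock (1024 bytes): 'DOS' id, carry-wrapped sum of longs == 0xFFFFFFFF."""
    total = 0
    for v in longs(image[:2 * SECTOR]):
        total += v
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return image[:3] == b"DOS" and total == 0xFFFFFFFF

def block_ok(image, n):
    """Checksummed AmigaDOS block (header=2, OFS data=8, list=16): longs sum to 0."""
    v = longs(image[n * SECTOR:(n + 1) * SECTOR])
    return v[0] in (2, 8, 16) and (sum(v) & 0xFFFFFFFF) == 0

def assess(image):
    """Report which of the areas named in the description still validate."""
    root = longs(image[ROOT * SECTOR:(ROOT + 1) * SECTOR])
    return {
        "bootblock": boot_ok(image),
        "rootblock": block_ok(image, ROOT) and root[0] == 2 and root[127] == 1,
        # FFS data blocks and free blocks carry no checksum, so they also land
        # here; treat the list as "inspect by hand", not as proof of damage.
        "unverified": [n for n in V101_TARGETS if not block_ok(image, n)],
    }

def sample_image():
    """Constructed blank DD image (1760 sectors): valid boot, root, OFS data blocks."""
    img = bytearray(1760 * SECTOR)
    struct.pack_into(">4sII", img, 0, b"DOS\0", 0xFFFFFFFF - (0x444F5300 + ROOT), ROOT)
    blocks = {ROOT: (2, 1)}                            # T_HEADER / ST_ROOT
    blocks.update({n: (8, 0) for n in V101_TARGETS})   # OFS T_DATA
    for n, (typ, sec) in blocks.items():
        base = n * SECTOR
        struct.pack_into(">I", img, base, typ)
        struct.pack_into(">I", img, base + 20, -(typ + sec) & 0xFFFFFFFF)  # checksum
        struct.pack_into(">I", img, base + 508, sec)
    return bytes(img)

if __name__ == "__main__":
    print(assess(sample_image()))
```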



        At the end of the virus, you can read (decrypted):

        "Datalock 1.1 (C) `94 ALL (?) code by Deathcode."



                                         Detection tested on 08.02.1994.

        Test by Markus Schmall
