------------------------
Amiga Virus Encyclopedia
Debugger Virus
------------------------
Debugger (04191994) Virus:
An infected file becomes 1088 bytes long.
Changed vectors: DosWrite and DosLoadSeg
Kickstart: 2.04 and higher
Other possible name: Fjpg Virus 1.11 (based on the first infected program)
The virus does not work on Kickstart versions below 2.0 because of its
patch routines. It uses a new way to infect files:
186 bytes from the first hunk are copied into a newly created $3f1 hunk
appended to the file, and a part of the virus is copied to that position in
the first hunk. The length of the first hunk is not changed, but the
length entries in the hunk header are changed (probably to irritate
antivirus programmers and resourcers). This is done with a random
value!!!
The virus contains a destruction routine: not a format, but a destructive
WRITE command!
VirusWorkshop can remove the virus completely. Please make a backup before
repairing such a file!
A normal hunkheader looks like this:
$3f3
0
number of hunks
number of starthunk
number of endhunk
n longwords containing the lengths of the hunks
---
$3e9 (hunk_code)
length for this hunk
ATTENTION: Some crunchers (e.g. Turbo Imploder) write two different lengths
in the table of hunk lengths and after the $3e9! I expect problems in this
special case!
At the end of an infected file you can read the string "DEBUGGER". The
whole virus looks like the work of a better coder (in my opinion).
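
An added example (not part of the original entry and not VirusWorkshop code): a Python check that reads the hunk header laid out above, compares the first entry of the length table with the length stored after $3e9, and looks for the "DEBUGGER" string near the end of the file. The sample files, the function names and the 256-byte tail window are assumptions made for the example; because crunchers can also produce the length mismatch, a file is flagged only when both indicators are present.

```python
import struct

HUNK_HEADER, HUNK_CODE, HUNK_DEBUG, HUNK_END = 0x3F3, 0x3E9, 0x3F1, 0x3F2
SIZE_MASK = 0x3FFFFFFF   # top two bits of a length longword are memory flags
TAIL_WINDOW = 256        # assumption: how close to EOF the marker must sit

def inspect_hunk_file(data):
    """Compare the header's length table with the first hunk's own length."""
    pos = 0

    def longword():
        nonlocal pos
        if pos + 4 > len(data):
            raise ValueError("truncated hunk file")
        (value,) = struct.unpack_from(">I", data, pos)   # big-endian longword
        pos += 4
        return value

    if longword() != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    while (n := longword()) != 0:     # resident library names, normally empty
        pos += 4 * n
    _table_size, first, last = longword(), longword(), longword()
    sizes = []
    for _ in range(last - first + 1):
        raw = longword()
        if raw >> 30 == 3:            # both flag bits set: extra attribute longword
            longword()
        sizes.append(raw & SIZE_MASK)
    if not sizes:
        raise ValueError("empty hunk length table")
    hunk_type = longword() & SIZE_MASK
    own_len = longword() & SIZE_MASK
    mismatch = hunk_type == HUNK_CODE and sizes[0] != own_len
    marker = b"DEBUGGER" in data[-TAIL_WINDOW:]
    return {"table_len": sizes[0], "hunk_len": own_len,
            "length_mismatch": mismatch, "debugger_marker": marker,
            "flagged": mismatch and marker}

def build_sample(table_len, tail=b""):
    """Constructed one-hunk file with 16 zero bytes of 'code'; not a real sample."""
    return (struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, table_len)
            + struct.pack(">2I", HUNK_CODE, 4) + bytes(16)
            + struct.pack(">I", HUNK_END) + tail)

CLEAN = build_sample(4)
ALTERED = build_sample(0x1234, struct.pack(">2I", HUNK_DEBUG, 2) + b"DEBUGGER")
CRUNCHED = build_sample(5)   # mismatch only, the cruncher case the entry warns about

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("altered", ALTERED), ("crunched", CRUNCHED)):
        print(name, inspect_hunk_file(blob))
```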
This virus was sent to me by Jan Bo Andersen of SHI Denmark. The package
contained the whole documented source and a little text from the author
of this virus:
-------------------------------------------------------------------------
Anarchy Unlimited - Virus Technology Centre - +358-0-PRIVATE
Amiga & PC viruses online
========================================================================
Thank you for downloading Debugger V2 virus package!
Debugger02.s.asc - PGP signed asm source of Debugger virus
EvilJesus.asc - Public PGP key
FJPEG111.lha - Infected fjpeg, version number bumped up to 1.11
NewAge.s.asc - PGP signed asm source of NewAge virus
Upload fjpeg only to systems which do not have networks! Those systems
will have lowest information level and sysop are mostly dummies who bought
modem week ago and decided to run bbs because "It's so cool" :)
With this kind of approach virus will have best chance to reach users who
want to upload it immediately. There is also a big chance that such users
will trash their hd's in no time. So nice...
So no network system as information about infection will spread very fast
degrading overall chance of successful destruction.
Sincerely yours, Evil Jesus
=========================================================================
Even more irritating is that PGP keys are in the package, too. I cannot
understand this. The virus is dated 19.04.1994.
Removal: Kickstart 1.2 & 1.3: VT-Schutz v3.17
         Kickstart all others: VirusZ III, and also Xvs.library must be installed
Test by Markus Schmall. Detection tested 27-28.04.1994
(again a night with only 3 hours of sleep).