Debugger (04191994) Virus:
        --------------------------


        An infected file becomes 1088 bytes long.
        Changed vectors: DosWrite and DosLoadSeg
        Kickstart: 2.04 and higher
        other possible name: Fjpg Virus 1.11 (based on the first
        infected program)


        The virus does not work on Kickstart versions below 2.0 because
        of its patch routines. It uses a new way to infect files:

        186 bytes from the first hunk are copied into a newly created
        $3f1 hunk at the end of the file, and a part of the virus is
        copied to this position in the first hunk. The length of the
        first hunk is not changed, but the length entries in the
        hunk header are changed (probably to irritate antivirus
        programmers and resourcers). This is done with a random
        value !!!

        The virus contains a destruction routine ! No format but a
        destructive WRITE command !

        VirusWorkshop can remove the virus completely. Please make a
        backup before repairing such a file !

        A normal hunkheader looks like this:

        $3f3
        0
        number of hunks
        number of starthunk
        number of endhunk
        n longwords containing the lengths of the hunks

        ---
        $3e9 (hunk_code)
        length for this hunk

        ATTENTION: Some crunchers (e.g. Turbo Imploder) write 2 different
        lengths in the table of hunk lengths and behind the $3e9 ! I
        expect problems in this special case !

        At the end of an infected file you can read the string "DEBUGGER".
        The whole virus looks like the work of a better coder (in my
        opinion).
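
        The header check described above, as an added example (not code
        from VirusWorkshop or from the virus package): it compares the
        first entry of the hunk length table with the length behind the
        first $3e9 and looks for the "DEBUGGER" string near the end of
        the file. The 64-byte tail window, the function names and both
        sample files are assumptions constructed for illustration.

```python
import struct

HUNK_HEADER, HUNK_CODE = 0x3F3, 0x3E9
SIZE_MASK = 0x3FFFFFFF   # top two bits of a size longword are memory flags

def inspect_hunk_file(data, tail_window=64):
    """Return the indicators from the text, or None if not a hunk load file.
    tail_window (where to look for the marker string) is an assumption."""
    def long_at(off):
        if off + 4 > len(data):
            raise ValueError("truncated hunk file")
        return struct.unpack_from(">I", data, off)[0]

    if len(data) < 4 or long_at(0) != HUNK_HEADER:
        return None
    off = 4
    while (n := long_at(off)) != 0:   # resident library names, normally just the 0
        off += 4 + 4 * n
    first, last = long_at(off + 8), long_at(off + 12)
    off += 16                         # skip 0, number of hunks, start hunk, end hunk
    sizes = []
    for _ in range(last - first + 1):
        raw = long_at(off)
        off += 8 if raw >> 30 == 3 else 4   # both flag bits set: extra longword follows
        sizes.append(raw & SIZE_MASK)
    if not sizes:
        raise ValueError("empty hunk length table")
    is_code = (long_at(off) & SIZE_MASK) == HUNK_CODE
    code_len = long_at(off + 4) & SIZE_MASK if is_code else None
    return {"header_len": sizes[0], "code_len": code_len,
            "length_mismatch": is_code and sizes[0] != code_len,
            "marker_in_tail": b"DEBUGGER" in data[-tail_window:]}

def _sample(header_len, tail=b""):
    """Constructed one-hunk file (not a real sample): 4 longwords of code."""
    words = [HUNK_HEADER, 0, 1, 0, 0, header_len, HUNK_CODE, 4, 0, 0, 0, 0, 0x3F2]
    return struct.pack(">13I", *words) + tail

CLEAN = _sample(4)
ALTERED = _sample(0x2A7, tail=struct.pack(">2I", 0x3F1, 2) + b"DEBUGGER")

def verdict(data):
    r = inspect_hunk_file(data)
    if r is None:
        return "not a hunk file"
    if r["length_mismatch"] and r["marker_in_tail"]:
        return "suspicious"
    # A mismatch alone also occurs with crunched files, so it is only a hint.
    return "mismatch only (cruncher?)" if r["length_mismatch"] else "clean"
```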

        This virus was sent to me by Jan Bo Andersen of SHI Denmark. The
        sending contained the whole documented source and a little
        text from the author of this virus:

---------------------------------------------------------------------------

       Anarchy Unlimited - Virus Technology Centre - +358-0-PRIVATE

                         Amiga & PC viruses online

 =========================================================================

 Thank you for downloading Debugger V2 virus package!

 Debugger02.s.asc  - PGP signed asm source of Debugger virus
 EvilJesus.asc     - Public PGP key
 FJPEG111.lha      - Infected fjpeg, version number bumped up to 1.11
 NewAge.s.asc      - PGP signed asm source of NewAge virus

 Upload fjpeg only to systems which do not have networks! Those systems
 will have lowest information level and sysop are mostly dummies who bought
 modem week ago and decided to run bbs because "It's so cool" :)

 With this kind of approach virus will have best chance to reach users who
 want to upload it immediately. There is also a big chance that such users
 will trash their hd's in no time. So nice...

 So no network system as information about infection will spread very fast
 degrading overall chance of successful destruction.

 Sincerely yours, Evil Jesus

 =========================================================================

----------------------------------------------------------------------------


        Even more irritating is that PGP keys are in the package, too. I
        cannot understand this. The virus is dated 19.04.1994.





        Test by Markus Schmall          Detection tested 27-28.04.1994.
                                        (again a night with only 3 hours
                                         of sleep)
