---------------------------------------
Amiga Virus Encyclopedia
DiskValidator 1234 Virus (Saddam Clone)
---------------------------------------
== Computer Virus Catalog 2.0: Saddam.diskval1234 Virus (5-XII-1993) ===
Entry...............: Saddam.diskval1234 Virus
Alias(es)...........: Saddam 3
Virus Strain........: Saddam Virus Strain
detected when.: ---
where.: ---
Classification......: System virus (replacing), memory resident
Length of Virus.....: 1. Length on storage medium: 1848 bytes
                      2. Length in RAM: 1936 bytes
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ----------------------------------------
Easy identification.: typical text (in the file):
                      'DF1:',0
                      'DF1:l',0
                      'DF1:l/Disk-Validator',0
                      'strap',0
                      'mycon.write',0
                      'intuition.library',0
                      'trackdisk.device',0
Type of Infection...: Self-identification method: see Saddam.Original
                      System infection: see Saddam.Original
Infection Trigger...: See Saddam.Original
Storage Media affec.: See Saddam.Original
Systemcalls hooked..: See Saddam.Original
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Permanent damage:
                      1. If no Disk-Validator program exists on disk
                         or no L: directory, both are built
                         (replacing Disk-Validator program on disk).
                      2. Virus destroys a block by writing $1234
                         at offset $5A and $4E71 (the opcode for
                         NOP) at the offsets $64 - $B8 over
                         existing data.
                      3. Virus makes Bitmap NOT VALID, so running
                         Disk-Validator next time will infect System.
                      4. Virus starts diskhead stepping in all floppy
                         drives and writing on disk (if writeable)
                         which will result in trackdisk errors.
                      Transient damage: Mouse pointer will disappear,
                      and an Alert will be displayed with text:
                      ' !T'. After pressing mouse
                      button, cold reset.
Damage Trigger......: Permanent damage: same as Saddam.Original virus:
                      1) insertion of a diskette
                      2) reading a Datablock
                      3) accessing rootblock
                      Transient damage: reading bootblock after a
                      certain time; same as Saddam.Original virus.
Particularities.....: This is an atypical Saddam clone, because (small)
                      pieces of code have been changed and this clone
                      doesn't encode its copies, so all texts can be
                      read (see: Easy identification).
Similarities........: Saddam virus strain
--------------------- Agents --------------------------------------------
Countermeasures.....: Virus Workshop V3.0, VT 2.58,
                      VirusZ 3.07 (calls it "Saddam 3")
Standard means......: VT 2.58, Virus Workshop V3.0
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 5-XII-1993
Information Source..: Reverse analysis of virus code
==================== End of Saddam.diskval1234 Virus ====================
Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III, and also
                      Xvs.library must be installed