== Computer Virus Catalog 2.0: Saddam.diskval1234 Virus (5-XII-1993) === Entry...............: Saddam.diskval1234 Virus Alias(es)...........: --- Virus Strain........: Saddam Virus Strain detected when.: --- where.: --- Classification......: System virus (replacing), memory resident Length of Virus.....: 1.Length on storage medium: 1848 byte 2.Length in RAM : 1936 byte --------------------- Preconditions ------------------------------------- Operating System(s).: AMIGA-DOS Version/Release.....: 1.2/all, 1.3/all Computer model(s)...: All AMIGA models --------------------- Attributes ---------------------------------------- Easy identification.: typical text (in the file): 'DF1:',0 'DF1:l',0 'DF1:l/Disk-Validator',0 'strap',0 'mycon.write',0 'intuition.library',0 'trackdisk.device',0 Type of Infection...: Self-identification method: see Saddam.Original System infection: see Saddam.Original Infection Trigger...: See Saddam.Original Storage Media affec.: See Saddam.Original Systemcalls hooked..: See Saddam.Original Stealth.............: Tunneling/Selfprot..: Oligo/Polymorphism..: Encoding Method.....: Damage..............: Permanent damage: 1. If no Disk-Validator program exists on disk or no L: directory, both are built (re- placing Disk-Validator program on disk). 2. Virus destroys a block by writing $1234 at offset $5A and $4E71 (the opcode for NOP) at the offsets $64 - $B8 over existing data. 3. Virus makes Bitmap NOT VALID, so running Disk-Validator next time will infect System. 4. Virus starts diskhead stepping in all floppy drives and writing on disk (if writeable) which will result in trackdisk errors. Transient damage: Mouse pointer will disappear, and an Alert will be displayed with text: ' !T'. After pressing mouse button, cold reset. Damage Trigger......: Permanent damage: same as Saddam.Original virus: 1) insertion of a diskette 2) reading a Datablock 3) accessing rootblock Transient damage: reading bootblock after a certain time; same as Saddam.Original virus. Particularities.....: This is an untypical Saddam clone, because (small) pieces code has been changed and this clone doesn't code it's copies, all texts can be read. (see: Easy Identification) Similarities........: Saddam virus strain --------------------- Agents -------------------------------------------- Countermeasures.....: Virus Workshop V3.0, VT 2.58, VirusZ 3.07 (calls it "Saddam 3") Standard means......: VT 2.58, Virus Workshop V3.0 --------------------- Acknowledgements ---------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Jens Vogler Documentation by....: Jens Vogler Date................: 5-XII-1993 Information Source..: Reverse analysis of virus code ==================== End of Saddam.diskval1234 Virus ==================== [Go back]