== Computer Virus Catalog 2.0: Saddam.diskval1234 Virus (5-XII-1993) ===
Entry...............: Saddam.diskval1234 Virus
Alias(es)...........: ---
Virus Strain........: Saddam Virus Strain
detected when.: ---
where.: ---
Classification......: System virus (replacing), memory resident
Length of Virus.....: 1.Length on storage medium: 1848 byte
2.Length in RAM : 1936 byte
--------------------- Preconditions -------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ----------------------------------------
Easy identification.: typical text (in the file):
'DF1:',0
'DF1:l',0
'DF1:l/Disk-Validator',0
'strap',0
'mycon.write',0
'intuition.library',0
'trackdisk.device',0
Type of Infection...: Self-identification method: see Saddam.Original
System infection: see Saddam.Original
Infection Trigger...: See Saddam.Original
Storage Media affec.: See Saddam.Original
Systemcalls hooked..: See Saddam.Original
Stealth.............:
Tunneling/Selfprot..:
Oligo/Polymorphism..:
Encoding Method.....:
Damage..............: Permanent damage:
1. If no Disk-Validator program exists on disk
or no L: directory, both are built (re-
placing Disk-Validator program on disk).
2. Virus destroys a block by writing $1234
at offset $5A and $4E71 (the opcode for
NOP) at the offsets $64 - $B8 over
existing data.
3. Virus makes Bitmap NOT VALID, so running
Disk-Validator next time will infect System.
4. Virus starts diskhead stepping in all floppy
drives and writing on disk (if writeable)
which will result in trackdisk errors.
Transient damage: Mouse pointer will disappear,
and an Alert will be displayed with text:
' !T'. After pressing mouse
button, cold reset.
Damage Trigger......: Permanent damage: same as Saddam.Original virus:
1) insertion of a diskette
2) reading a Datablock
3) accessing rootblock
Transient damage: reading bootblock after a
certain time; same as Saddam.Original virus.
Particularities.....: This is an untypical Saddam clone, because (small)
pieces code has been changed and this clone
doesn't code it's copies, all texts can be read.
(see: Easy Identification)
Similarities........: Saddam virus strain
--------------------- Agents --------------------------------------------
Countermeasures.....: Virus Workshop V3.0, VT 2.58,
VirusZ 3.07 (calls it "Saddam 3")
Standard means......: VT 2.58, Virus Workshop V3.0
--------------------- Acknowledgements ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 5-XII-1993
Information Source..: Reverse analysis of virus code
==================== End of Saddam.diskval1234 Virus ====================
[Go back]