------------------------
Amiga Virus Encyclopedia
Disk-Validator Virus
------------------------
======== Computer Virus Catalog 1.2: SADDAM Virus (31-July-1993) =======
Entry...............: SADDAM Virus
Alias(es)...........: IRAK = Saddam Hussein = Disk-Validator Virus
Virus Strain........: Saddam Virus Strain
Virus detected when.: March 1991
where.: Australia
Classification......: System virus (replacing), memory resident
Length of Virus.....: 1.Length on storage medium: 1848 bytes
2.Length in RAM : 1936 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: Self-identification method: virus searches for an
encryption-byte in Disk-Validator system program
on disk that fits with its own.
System infection: virus replaces system program
Disk-Validator in L:. Directory on disk contains
following system routines/vectors:
System routines: - BeginIO(trackdisk.device)
- Close(trackdisk.device)
- InitResident(exec.library)
- OpenWindow(intuition.library)
System vectors: - ColdCapture(execbase)
- CoolCapture(execbase)
- KickTagptr(resident-struct.)
Infection Trigger...: Restart validator starts Disk-Validator program,
when Bitmap on disk is not valid. This will not
work properly with Amiga OS Version 2.0, as
there is no Disk-Validator program use (no re-
start validator process in AmigaOS V2.0)
Storage media affected: Any floppy disk (every trackdisk.device)
Interrupts hooked...: Vertikal Blank interrupt works like a watchdog,
which guarantees that virus will stay in memory.
Damage..............: Permanent damage:
1. If no Disk-Validator program exists on disk
or no L: directory, both are built (re-
placing Disk-Validator program on disk).
2. Virus destroys a block by writing "IRAK"
over existing data.
3. Virus makes Bitmap NOT VALID, so running
Disk-Validator next time will infect System.
4. Virus starts diskhead stepping in all floppy
drives and writing on disk (if writeable)
which will result in trackdisk errors.
Transient damage: Mouse pointer will disappear,
and an Alert will be displayed with text:
"SADDAM VIRUS". After pressing mouse
button, cold reset.
Damage Trigger......: Permanent damage:
1) insertion of a diskette
2) reading a Datablock
3) accessing rootblock
Transient damage: reading bootblock after a
certain time.
Particularities.....: 1) No infection occurs when using FastFilingSystems
or running AmigaOS Version 2.0.
2) Virus uses direct Dos.Library Jumps. Encrypts
itself with pseudo random number upon infection.
3) Virus installs a message port which called
"mycon.write".
Similarities........: All numbered SADDAMs (SADDAM 4, SADDAM 5, ...)
are just differently decrypted original SADDAMs.
--------------------- Agents -------------------------------------------
Countermeasures.....: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Countermeasures successful: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Oliver Meng
Documentation by....: Oliver Meng, Update by Jens Vogler
Date................: 31-July-1993
Information Source..: ---
===================== End of SADDAM Virus ==============================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04B or higher, and also Xvs.library v33.47 or higher
More information:
A Disk-Validator-Virus is a special virus-type on the Amiga. To understand how Disk-Validator-Viruses work,
you have first to understand what a Disk-Validator does: The Disk-Validator is a 1848 byte long executable
file which has been developed by Commodore itself. It is located in a directory called L on a disk, or let's
say expected by the AmigaOS in a directory called L, and has the filename Disk-Validator (surprise :-)).
If you enter a disk which has been invalidated1 the AmigaOS will automatically look for the Disk-Validator
on this disk and loads and executes it automatically if found. Then the program will correct the Rooblock so
the disk is in a valid state afterwards.
The Disk-Validator is not mandatory, this means that if a disk doesn't have this file it just won't be loaded
and the disk stays invalid (a requester will tell you that the disk is in an invalid state and you need to correct it):
To cut a long story short:
* If a disk is in an invalid state the AmigaOS will look for a small program called L:Disk-Validator
* If not found the AmigaDOS will pop-up a requester telling you that something is wrong with the disk
* If found the program will be loaded an executed. Then the program will try to solve the problem on the just inserted disk.
Disk-Validator-Viruses take advantage of the AmigaOS automatism which loads and executes this file by making the disk
deliberately invalid2 and writing its virus file as L:Disk-Validator on this disk. Next time you enter it the AmigaOS checks
if it is invalid. It is and therefore the AmigaOS loads and executes the program Disk-Validator automatically but this time
it is the virus itself!
The brilliant3 idea behind that is that the virus becomes active just by inserting an infected disk. No need to start an
infected file or booting with an infect disks - even better: the AmigaOS itself becomes active and handles the execution
automatically.
The good news is that Disk-Validator-Viruses are only working on Amigas until Kickstart 1.3 because in later Kickstart
revisions (2.0, 3.0, 3.1 etc..) Commodore integrated the Disk-Validator in the ROM, so there is no need to load the
Disk-Validator as a seperate applicaton anymore. Even if there is a Disk-Validator on disk, it simply will be ignored.
Screenshot of Saddam Virus:
To cut a long story short:
* If a disk is in an invalid state the AmigaOS will look for a small program called L:Disk-Validator
* If not found the AmigaDOS will pop-up a requester telling you that something is wrong with the disk
* If found the program will be loaded an executed. Then the program will try to solve the problem on the just inserted disk.
Disk-Validator-Viruses take advantage of the AmigaOS automatism which loads and executes this file by making the disk
deliberately invalid2 and writing its virus file as L:Disk-Validator on this disk. Next time you enter it the AmigaOS checks
if it is invalid. It is and therefore the AmigaOS loads and executes the program Disk-Validator automatically but this time
it is the virus itself!
The brilliant3 idea behind that is that the virus becomes active just by inserting an infected disk. No need to start an
infected file or booting with an infect disks - even better: the AmigaOS itself becomes active and handles the execution
automatically.
The good news is that Disk-Validator-Viruses are only working on Amigas until Kickstart 1.3 because in later Kickstart
revisions (2.0, 3.0, 3.1 etc..) Commodore integrated the Disk-Validator in the ROM, so there is no need to load the
Disk-Validator as a seperate applicaton anymore. Even if there is a Disk-Validator on disk, it simply will be ignored.
Screenshot of Saddam Virus:
