------------------------
Amiga Virus Encyclopedia
DOOM Filevirus
------------------------
DOOM Filevirus:
Kickstart 1.x: probably not working, due to very high DOS Jmps.
Kickstart 2.0: working
Kickstart 3.0: working
Kickstart 3.1: working
MC68040 : working
Installer: clx_doom.exe (406012 bytes packed Stc 4.10.2)
Newly created files:
-sys:c/assign (3220 bytes unpacked)
This is the original 37.4 assign command (25.5.91)
with the linked virus. The hunk lengths are manipulated,
so don't be surprised that the length is the same as
the original.
-sys:c/copy (5496 bytes unpacked)
This is the original 38.1 copy command (20.05.92)
with the linked virus.
-sys:libs/diskfont.library (15820 bytes unpacked)
This is the original library V39.3 (14.07.92) with
the linked virus.
The original Diskfont.library is 15340 bytes long. As a result
the virus is 480 bytes long.
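An added example, not part of the original entry: a minimal AmigaDOS load-file (hunk) parser that compares a suspect copy of a file against a known-clean copy and reports where the size changed. The entry does not describe how the virus is linked, so this is a general structural check; the names hunk_layout, compare and sample are hypothetical, and sample() builds a constructed file, not a real binary.

```python
import struct

HUNK_CODE, HUNK_DATA, HUNK_BSS, HUNK_RELOC32 = 0x3E9, 0x3EA, 0x3EB, 0x3EC
HUNK_SYMBOL, HUNK_DEBUG, HUNK_END, HUNK_HEADER = 0x3F0, 0x3F1, 0x3F2, 0x3F3
SIZE_MASK = 0x3FFFFFFF  # top two bits of a size longword are memory flags

def hunk_layout(data):
    """Return (header_sizes, body_sizes) in bytes for an AmigaDOS load file."""
    pos = 0
    def u32():
        nonlocal pos
        (value,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return value
    if u32() != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    while (n := u32()):                    # resident library names (normally none)
        pos += 4 * n
    u32()                                  # hunk table size
    first, last = u32(), u32()
    header = [(u32() & SIZE_MASK) * 4 for _ in range(last - first + 1)]
    body = []
    while pos < len(data):
        kind = u32() & SIZE_MASK
        if kind in (HUNK_CODE, HUNK_DATA, HUNK_BSS):
            size = (u32() & SIZE_MASK) * 4
            body.append(size)
            pos += 0 if kind == HUNK_BSS else size   # BSS stores no contents
        elif kind in (HUNK_RELOC32, HUNK_SYMBOL):
            while (n := u32()):            # n longwords plus one extra per entry
                pos += 4 * (n + 1)
        elif kind == HUNK_DEBUG:
            pos += 4 * u32()
        elif kind != HUNK_END:
            raise ValueError(f"unsupported hunk type {kind:#x}")
    return header, body

def compare(clean, suspect):  # known-clean copy vs. suspect copy, both as bytes
    _, cb = hunk_layout(clean)
    sh, sb = hunk_layout(suspect)
    return {
        "file_growth": len(suspect) - len(clean),
        "added_hunks": len(sb) - len(cb),
        "resized": [(i, s - c) for i, (c, s) in enumerate(zip(cb, sb)) if s != c],
        "header_mismatch": [i for i, (h, b) in enumerate(zip(sh, sb)) if h != b],
    }

def sample(code_longs):  # constructed one-hunk load file, not a real binary
    head = struct.pack(">6I", HUNK_HEADER, 0, 1, 0, 0, code_longs)
    return head + struct.pack(">2I", HUNK_CODE, code_longs) + bytes(4 * code_longs) + struct.pack(">I", HUNK_END)
```

A non-empty "resized" or a positive "added_hunks" shows which part of the file grew; a header size larger than the body size can also occur in legitimate files, so "header_mismatch" is a prompt for review rather than a verdict.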
This file is spread as AMIGA DOOM by Complex, but it does not
even create any output apart from the virus.
File ID:
______________ /\_________ _______ /\_
/ ______ / \/ \____ \|-/ _____\/__/
/ |_/ |/ / ___/|/ _|_/ \_
\______\____\ /\/\__\___|\___¯\____\__/\ /
----\/-p-r-\/s-e-n-t-s------\/---\/----\/
Amiga Doom!
Coded by Gengis / Complex!
The main program is extremely lamely coded. A DMS file can be
found in the file, with some Mapus banners hanging around
and some IFF sound samples. At the beginning, all texts and
some other parts are decoded using a lame crypt loop.
Then the files are saved and some file comments are
set (set "RESTICTED" to bbs:user.data & to bbs:user.key).
The DMS file was uploaded to a quite well-known BBS on 26.05.94.
At least this banner can be found in the header. Another
file is in the main code, which is an intro. In this intro
you can read some texts from Melon Dezign.
The virus checks for higher processors, reads the VBR and
installs a new interrupt in the $74 vector in the vector page.
This is new. Nearly all other viruses only patch the vector
page.
This new interrupt increases a variable until it has reached
30000. As long as the variable has not reached this value, the
interrupt tries to manipulate the $dff030 register. $dff030 is
only changed if a special string, whose address is
calculated using the SerDat register ($dff018) and an internal
counter, is found (string=$6c554e69544963210d).
I think that it is something like a hacking program or a
special program to manipulate the data transfer from the
serial port.
No other texts were found in the virus.
Removal: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III, and also Xvs.library must be installed
Detection in files tested 16.07.1994.
Detection in memory and removal tested 17.07.1994.
Test by Markus Schmall