Eleni Bootblock Virus:

        Length: 1024 bytes

        Patched vectors: -CoolCapture (always patched to $7f296)
                         -SumKickData (always patched to $7f32a)
                         -DoIO        (always patched to $7f2da)
                         The original value of the DoIO vector
                         is stored at $7fa02.

        The original bootblock is stored at sector 1738 (the first
        sector of cylinder 79, head 0, on a standard 80-cylinder
        disk; the 1024-byte bootblock occupies sectors 1738 and
        1739). The virus loads it from there and jumps directly
        into the original bootcode. The virus contains a write
        routine which writes the text "ELENI" via DoIO. The write
        routine does not use dos.library at all, only raw DoIO
        calls on the device!

        At the start of the virus, the virus code is copied to
        $7f144 without allocating the memory first. On a system
        with little memory this can very easily crash the machine.
        The virus uses the address $60000 as a flag for the
        text-write routine. The area from $70000 upwards is also
        used by the virus without allocating the memory.

        The text "*ELENI*" is visible at the end of the bootblock
        code. In the middle you can read "Version 1.6".

        Once the virus has read sector 1738 several times and a
        (hardware) counter has reached the value 1, it takes over
        control of the drive(s) and manipulates the CIA and the
        drive-control register.

        When the counter reaches the value 4, the write routine for
        the "*ELENI*" string is started. The counter is located at
        $dc002d. I don't know what kind of register this is, and I
        could not find out whether it is always initialised with
        the same value. On my AMIGA it contained the byte $f2.

        If a DoIO read access is caught, the infection routine is
        started. If a DoIO write access is caught, the write
        routine is started. In the NewDoIO routine the virus also
        manipulates the CIA-A registers (power-supply tick counter
        and interrupt control).

        Since there is no check for trackdisk.device, the virus
        can (in my opinion) destroy the RDB (Rigid Disk Block).

        The infection routine reads the original bootblock to
        $70000 and tests it; on success the virus writes the
        original bootblock to sector 1738 and copies itself to
        sector 0. The bootblock at sector 1738 is stored
        unencrypted.
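        The on-disk layout described above (marker text in the
        bootblock, unencrypted original parked at sector 1738) is
        enough to detect and repair an infected disk from an image
        without running any of the virus code. The following is an
        added example in Python, not code from this write-up or
        from any scanner; it assumes a standard 880 KB ADF image
        (80 cylinders x 2 heads x 11 sectors = 1760 sectors of 512
        bytes), uses the two strings the write-up reports as
        markers, and builds its own constructed fixtures. The
        "infected" fixture only mimics the sector layout; no virus
        code is reproduced.

```python
"""Bootblock-level detection and recovery for the Eleni layout described above.

Added example (not the original write-up's or any scanner's code). It assumes a
standard 880 KB ADF image (1760 sectors of 512 bytes) and uses the two strings
the write-up reports in the infected bootblock as detection markers.
"""
SECTOR = 512
BOOTBLOCK_SIZE = 1024                         # Amiga bootblock = sectors 0 and 1
ADF_SECTORS = 1760
STASH_SECTOR = 1738                           # where Eleni parks the original bootblock
ELENI_MARKERS = (b"*ELENI*", b"Version 1.6")  # strings reported in the write-up


def bootblock_checksum(bb: bytes) -> int:
    """Checksum Kickstart expects at offset 4: the end-around-carry sum of all
    256 longwords (checksum field taken as zero) must come out to 0xFFFFFFFF,
    so the field is the ones' complement of the sum of the other 255 longs."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == 4:
            continue
        total += int.from_bytes(bb[off:off + 4], "big")
        if total > 0xFFFFFFFF:                # fold the carry back in
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF


def bootblock_is_valid(bb: bytes) -> bool:
    """True for a 'DOS' magic plus correct checksum, i.e. the ROM would boot it."""
    return (len(bb) == BOOTBLOCK_SIZE and bb[:3] == b"DOS"
            and int.from_bytes(bb[4:8], "big") == bootblock_checksum(bb))


def sector(image: bytes, n: int, count: int = 1) -> bytes:
    return image[n * SECTOR:(n + count) * SECTOR]


def eleni_markers(bb: bytes) -> list:
    """Markers present in a bootblock; a clean disk yields []."""
    return [m.decode() for m in ELENI_MARKERS if m in bb]


def scan_image(image: bytes) -> dict:
    """Report on sectors 0/1 and on the stash at sectors 1738/1739."""
    bb = sector(image, 0, 2)
    stash = sector(image, STASH_SECTOR, 2)
    return {
        "bootable": bootblock_is_valid(bb),
        "markers": eleni_markers(bb),
        "stash_valid": bootblock_is_valid(stash),
        "stash_clean": not eleni_markers(stash),
    }


def disinfect(image: bytes) -> bytes:
    """Copy the unencrypted original back over sectors 0/1 if it checks out.
    Refuses when there is nothing trustworthy to recover (stash missing, bad
    checksum, or itself carrying the markers) instead of writing garbage."""
    report = scan_image(image)
    if not report["markers"]:
        return image
    if not (report["stash_valid"] and report["stash_clean"]):
        raise ValueError("stashed bootblock missing or untrustworthy; install a fresh bootblock")
    out = bytearray(image)
    out[0:BOOTBLOCK_SIZE] = sector(image, STASH_SECTOR, 2)
    return bytes(out)


# ---- constructed fixtures: a clean disk and one laid out like an infected disk ----
def make_bootblock(body: bytes) -> bytes:
    bb = bytearray(BOOTBLOCK_SIZE)
    bb[0:4] = b"DOS\x00"                      # OFS, no international/dircache flags
    bb[8:12] = (880).to_bytes(4, "big")       # root block of a DD floppy
    bb[12:12 + len(body)] = body
    bb[4:8] = bootblock_checksum(bb).to_bytes(4, "big")
    return bytes(bb)


CLEAN_BB = make_bootblock(b"\x4e\x71" * 8 + b"clean test bootblock (constructed)")
CLEAN_IMAGE = CLEAN_BB + bytes(SECTOR * (ADF_SECTORS - 2))


def infected_fixture() -> bytes:
    """Layout from the write-up: original parked at 1738, marker text in the
    middle and at the end of the new bootblock. Constructed; no virus code."""
    body = bytearray(BOOTBLOCK_SIZE - 12)
    body[500:511] = b"Version 1.6"
    body[-8:-1] = b"*ELENI*"
    img = bytearray(CLEAN_IMAGE)
    img[STASH_SECTOR * SECTOR:STASH_SECTOR * SECTOR + BOOTBLOCK_SIZE] = CLEAN_BB
    img[0:BOOTBLOCK_SIZE] = make_bootblock(bytes(body))
    return bytes(img)
```

        The repair step deliberately checks the stashed copy with
        the same checksum rule the ROM applies and refuses if the
        stash itself carries the markers; a disk infected twice,
        or one where sector 1738 has since been overwritten by
        normal file data, must get a fresh bootblock instead of a
        blind copy-back.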

                   Detection in BB & memory tested 18.05.1994.

        Test by Markus Schmall...
