------------------------
Amiga Virus Encyclopedia
Genestealer Virus
------------------------
Name : Genestealer
Aliases : No Aliases
Clones : No Clones
Type : Bootblock
Size : 1024 bytes
Symptoms : Acts as if it were a KS 1.3 system with NTSC specifications?
Discovered : 23 April 1992
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2, 1.3, 2.0
Damage : Overwrites boot + Rootblock
Comments : Infects every non-write-protected disk inserted in
any drive. Can probably DAMAGE harddisks.
The virus tests the frequency of the mains power supply.
In this way the Amiga system distinguishes between American
and European (NTSC/PAL) systems, and if it isn't
American the Rootblock can probably be damaged.
Sometimes the Amiga can't detect whether it is running in
Europe or in the US under Sys-1.3. It will then open
its initial screen in NTSC in Europe.
Most likely the virus will behave that way, too, and
that's no good.
The Genestealer virus always copies itself to the same
memory address: $7EC00. It uses CoolCapture to
stay resident in memory. For infection the virus
patches the DoIO() vector of exec.library.
When the virus is active it pretends to be a normal
DOS bootblock. The virus checks for a value in the
Vertical-Blank-Int. If this value isn't 50 the virus
destroys the rootblock (only DD disks!). If you hold down
the left mouse button while booting,
the virus enters an endless loop showing a green
screen.
At the end of the bootblock you can read:
"GENESTEALER VIRUS!!! by someone..."
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III with Xvs.library installed
Test made by : Safe Hex International
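
Added example (not part of the original encyclopedia entry): a check of the first 1024 bytes of a disk image for the text the entry says is readable at the end of the bootblock, alongside the standard Amiga bootblock checksum test. The function names are hypothetical, the samples are constructed and contain only the quoted text, and the marker is assumed to be stored as plain ASCII as quoted above.

```python
import struct

BOOTBLOCK_SIZE = 1024          # size given in the entry
MARKER = b"GENESTEALER VIRUS"  # text quoted in the entry (assumed plain ASCII on disk)

def bootblock_checksum(block: bytes) -> int:
    """Standard Amiga bootblock checksum: carry-wrapping sum of the 256
    big-endian longwords, checksum field (offset 4) counted as zero, inverted."""
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF

def inspect_bootblock(image: bytes) -> dict:
    """Inspect the first 1024 bytes of a disk image (for example an ADF file)."""
    if len(image) < BOOTBLOCK_SIZE:
        raise ValueError("image shorter than one bootblock")
    block = image[:BOOTBLOCK_SIZE]
    stored = struct.unpack_from(">I", block, 4)[0]
    offset = block.upper().find(MARKER)
    return {
        "dos_signature": block[:3] == b"DOS",             # looks like a DOS bootblock
        "bootable": stored == bootblock_checksum(block),  # checksum valid, would be executed
        "marker_offset": offset if offset >= 0 else None,
        "suspect": offset >= 0,
    }

def _constructed_block(tail: bytes) -> bytes:
    """Constructed sample: DOS header, zero filler, `tail` at the end, valid checksum."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    block[-len(tail):] = tail
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)

CLEAN_SAMPLE = _constructed_block(b"\x00" * 8)
MARKED_SAMPLE = _constructed_block(b"GENESTEALER VIRUS!!! by someone...")

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_SAMPLE), ("marked", MARKED_SAMPLE)):
        print(name, inspect_bootblock(img))
```

A text match like this is only a heuristic: it flags bootblocks that carry the quoted string, so a hit should be confirmed with one of the tools listed under Removal.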
Ascii of Genestealer virus: