Name         : Glasnost

     Aliases      : No Aliases

     Type/Size    : Boot/2048

     Clones       : No Clones

     Symptoms     : No Symptoms

     Discovered   : 23-06-92

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2/1.3/2.0

     Damage       : Overwrites boot + block 2 & 3.

     Removal      : Install boot.

     Comments     : If you boot from a Glasnost-infected disk, the virus
                    copies itself to $7F000 and changes the KICK-Vectors
                    to stay resident. On the next reset the virus patches
                    the DoIO() vector to infect other disks.


                    Now imagine you insert an unprotected disk with, e.g.,
                    the X-Copy bootblock. The virus then does the
                    following:

                    1) Checks for write protection.

                    2) Not protected: loads the bootblock from the current
                       disk (X-Copy-Boot).

                    3) Saves 44 bytes from the original bootblock inside
                       its own virus code and inserts a virus-loader
                       routine in their place.

                    4) The virus saves 2048 bytes. (Virus+OrgBB)


                    Blocks 2 and 3 are now DAMAGED!! NO salvage possible.
                    If you now boot from the infected disk, the virus-
                    loader routine copies the virus from blocks 2 and 3 to
                    $7F000 and jumps to $7F000. Then the virus inserts the
                    original code of the BB and executes it.


                    Additionally, the virus installs a new patch in the
                    ZERO-PAGE ($6C) and damages a block on every
                    infection:

                    First, the virus calculates a block using the $DFF006
                    register. In this block the virus inserts the
                    following longwords from $100:


                    $11111111; $22222222; $44444444; $88888888



                    The ZERO-PAGE routine (see above) does the following:

                    1) Checks whether a value reaches 45000; if it does,
                       the virus blocks the system.

                    2) If the value reaches 60000, the virus shows some
                       colors on the screen and enters an endless loop.
                       (You need a reset to escape from this routine!!)

                    In block 3 you can read:

                    "Glasnost VIRUS by Gorba!! First release"
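
A defensive check for the traces described above, as an added example that is not part of the original SHI entry: it looks for the block 3 text in the first 2048 bytes of a raw disk image and lists every block carrying the four longwords at offset $100. The 512-byte block size, the raw (ADF-style) image input, the function names and the sample image are assumptions; the sample is constructed and holds only the markers, no virus code.

```python
"""Scan a raw Amiga disk image for the Glasnost traces described in the text."""
import sys

BLOCK = 512                                   # assumed block size of the image
SIGNATURE = b"Glasnost VIRUS by Gorba!! First release"   # text quoted in the entry
# Longwords $11111111, $22222222, $44444444, $88888888 written from offset $100
MARKER = bytes([0x11] * 4 + [0x22] * 4 + [0x44] * 4 + [0x88] * 4)
MARKER_OFFSET = 0x100


def scan_image(image: bytes) -> dict:
    """Return the Glasnost indicators found in a raw block image."""
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    # The virus occupies 2048 bytes: boot (blocks 0-1) plus blocks 2 and 3.
    virus_area = image[:4 * BLOCK]
    sig_at = virus_area.find(SIGNATURE)
    damaged = [
        n for n, blk in enumerate(blocks)
        if blk[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER
    ]
    return {
        "infected": sig_at >= 0,
        "signature_block": sig_at // BLOCK if sig_at >= 0 else None,
        "damaged_blocks": damaged,
    }


def make_sample(infected: bool, blocks: int = 1760) -> bytes:
    """Constructed test image: only the markers from the text, no virus code."""
    img = bytearray(blocks * BLOCK)
    img[0:4] = b"DOS\x00"
    if infected:
        pos = 3 * BLOCK + 0x40                # constructed position inside block 3
        img[pos:pos + len(SIGNATURE)] = SIGNATURE
        for n in (880, 1203):                 # constructed "damaged" block numbers
            start = n * BLOCK + MARKER_OFFSET
            img[start:start + len(MARKER)] = MARKER
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # path to a disk image to scan
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample(infected=True)
    print(scan_image(data))
```

A marker hit in a block without the signature in the first four blocks points to a disk that was damaged by an earlier infection and has since had a clean boot installed.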




    SHI - A.D 05-94
