Glasnost Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




     ------------------------
     Amiga Virus Encyclopedia
     Glasnost Virus
     ------------------------

   
     Name         : Glasnost

     Aliases      : No Aliases

     Clones       : Glasnost-Tai13 & Glasnost-Flashback

     Type         : Bootblock
     
     Size         : 2048 bytes

     Symptoms     : No Symptoms

     Discovered   : 23 June 1992

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2
                    1.3
                    2.0

     Damage       : Overwrites boot + block 2 & 3

     Comments     : When you boot from a Glasnost-infected disk, the virus
                    copies itself to $7F000 and changes the KICK-Vectors to
                    stay resident. On the next reset the virus patches the
                    DoIO() vector to infect other disks.

                    Now imagine you insert an unprotected disk with, e.g.,
                    the X-Copy bootblock. The virus then does the
                    following:

                    1) Checks for write protection.

                    2) Not protected: loads the bootblock from the current
                       disk (X-Copy-Boot).

                    3) Saves 44 bytes from the original bootblock inside
                       its own virus code and inserts a virus-loader
                       routine in their place.

                    4) The virus saves 2048 bytes (Virus+OrgBB).

                    Blocks 2 and 3 are now DAMAGED!! NO salvage possible.
                    When you next boot from the infected disk, the
                    virus-loader routine copies the virus from blocks 2
                    and 3 to $7F000 and jumps to $7F000. Then the virus
                    restores the original code of the bootblock and
                    executes it.

                    Additionally, the virus installs a new patch in the
                    ZERO-PAGE ($6C) and damages a block on every
                    infection:

                    First, the virus calculates a block number using the
                    $DFF006 register. Into this block the virus writes the
                    following longwords, starting at $100:

                    $11111111; $22222222; $44444444; $88888888


                    The ZERO-PAGE routine (see above) does the following:

                    1) Checks whether a value has reached 45000; if so,
                       the virus blocks the system.

                    2) If the value reaches 60000, the virus shows some
                       colors on the screen and enters an endless loop.
                       (You need a reset to escape from this routine!!)

                    In block 3 you can read:

                    "Glasnost VIRUS by Gorba!! First release"

     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III with Xvs.library installed

     Test made by : Safe Hex International
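
     Added example (not part of the original encyclopedia entry and not a
     Virus Help Team tool): a Python check that looks in a raw disk image
     for the two on-disk traces described above, the text in blocks 2-3 and
     the four-longword damage marker. It assumes 512-byte blocks numbered
     from 0, that "$100" is a byte offset inside the damaged block, and that
     the text is stored as plain ASCII; the sample image is constructed.

```python
import struct

BLOCK = 512  # assumption: standard 512-byte Amiga floppy blocks, numbered from 0
# Text the entry reports as readable in block 3 (assumed stored as plain ASCII).
SIGNATURE = b"Glasnost VIRUS by Gorba!! First release"
# The four longwords the entry lists; the 68000 stores them big-endian.
MARKER = struct.pack(">4I", 0x11111111, 0x22222222, 0x44444444, 0x88888888)
MARKER_OFFSET = 0x100  # assumption: "$100" is a byte offset inside the block


def scan_image(image: bytes) -> dict:
    """Report Glasnost traces in a raw disk image (for example an ADF file)."""
    if len(image) % BLOCK:
        raise ValueError("image is not a whole number of 512-byte blocks")
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    # The virus body occupies blocks 2 and 3; join them so a string that
    # straddles the block boundary is still found.
    body = b"".join(blocks[2:4])
    damaged = [n for n, blk in enumerate(blocks)
               if blk[MARKER_OFFSET:MARKER_OFFSET + len(MARKER)] == MARKER]
    return {"signature_in_blocks_2_3": SIGNATURE in body,
            "damaged_blocks": damaged}


def constructed_sample() -> bytes:
    """Constructed test image: 1760 empty blocks plus both traces."""
    img = bytearray(1760 * BLOCK)
    sig_at = 3 * BLOCK + 0x40            # arbitrary position inside block 3
    img[sig_at:sig_at + len(SIGNATURE)] = SIGNATURE
    hit = 880 * BLOCK + MARKER_OFFSET    # arbitrary "damaged" block
    img[hit:hit + len(MARKER)] = MARKER
    return bytes(img)


if __name__ == "__main__":
    print(scan_image(constructed_sample()))
```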
     
     
     Ascii of Glasnost virus (First 1024 bytes):
     
     
     Ascii of Glasnost virus (Full 2048 bytes)
        
     

     


Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk