== Computer Virus Catalog 1.2: REVENGE OF THE LAMER EXTERMINATOR Virus
                                             (10-February-1991)=======
Entry...............: REVENGE OF THE LAMER EXTERMINATOR Virus
Alias(es)...........: ---
Virus Strain........: LAMER link virus strain
Virus detected when.: ---
              where.: Australia
Classification......: link virus (directory type), resident
Length of Virus.....: 1. length on storage medium: 4448 byte
                      2. length in RAM           : 4412 byte
--------------------- Preconditions ----------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/33.166, 1.2/33.180, 1.3/34.5
Computer model(s)...: AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B
--------------------- Attributes -------------------------------------
Easy Identification.: typical text: ---
                      identification by the following entry (invisible
                         in ASCII) in startup-sequence as first entry:
                         "$A0,$A0,$A0,$A0,$A0,$00" (hex);
                      identification by using a disk manager: existing
                         file entry in the root directory "no name"
                         (invisible) with length=4448 byte;
                      identification by an alert message (3 pages)
                         after destroying a disk:
  "Page 1
                                  RED ALERT

             It has come to my attention that the person using this
                            computer is a LAMER. (*)
                  We the people, who are responsible for the
                  "Revenge Of The LAMER EXTERMINATOR" Virus,
              believe that only intelligent folk are fit to use
                          the AMIGA Personal Computer
             Since you were apparently not smart enough to prevent
             infection of your computer and software by this virus,
                       (You should have used a condom),
               we must assume that you are a LAMER (a.k.a LOSER)
               and therefore we had no alternative but to erase
              your floppy disk(s), in order to get your attention.

                           - Press Any Mousebutton -

   Page 2
                We are eagerly looking forward to the First Amiga
                magazine that explains the inner workings of this
                     brilliant (at least we think so) virus.
                 However, we are not very confident, since the
               three versions of the original "LAMER EXTERMINATOR"
                 Virus have never really been properly analysed
                             in any Amiga magazine

              We have made this virus a little bit more aggressive
              so that more people will recognize it and hopefully
              will learn something so as to overcome the dreadful
                             disease of LAMERism

                  By the way, the A in LAMER is pronounced
                  like the A in DAY. (LAMER people do not
                  know proper English in our experience )

                           - Press any Mousebutton -

   Page 3
                                   Signed:
                Foundation for the Exterminator of LAMERS. (**)

               (*) You can recognize a LAMER or LOSER as someone
               who can only use the Ctrl-Amiga-Amiga keys on his
                Amiga, and might even know how to load X-Copy...

              (**) Due to the primitive and violent nature of some
               LAMERS, we have decided against revealing our real
                    identities, so as to prevent unnecessary
                      visits to the hospital on our part !

                      Coming soon to a theatre near you:
                *** The LAMER Exterminator - A New Beginning ***


               - Press any Mousebutton To Continue Being a LAMER -"
                      (end of 3 pages text)
Type of infection...: self-identification method: virus searches for
                         following entry in startup-sequence:
                         "$A0,$A0,$A0,$A0,$A0,$00"(invisible in ASCII)
                      system infection: RAM resident, reset resident
Infection Trigger...: using unprotected disk-like devices
Storage media affected: all disk-like devices
Interrupts hooked...: vertical blank interrupt (VBI)
Damage..............: permanent damage: formatting disk-like devices;
                      transient damage: alert message after destroying
                         a disk (see above)
Damage Trigger......: permanent damage: 6 resets after infection or
                         8 minutes and 11.52 seconds (via VBI);
                      transient damage: formatting device after 6
                         infections
Particularities.....: other resident programs using system resident
                         list (KickTagPointer, KickMemPointer) are
                         not shutdown, because virus installs itself
                         correctly to the system's resident list;
                         name of resident task is "clist.library";
                         trying to format a disk after 6 infections
                         with a protected device causes virus to
                         force a reboot;
                      virus patches the following system entries:
                         KickSumData (virus inserts itself to the
                         system's resident list when deleted by
                         managing this routine which is used to
                         correct checksum over resident list);
                         AvailMem (free memory seems to be ok when
                         asked for because the virus handles this
                         routine);
                         OpenWindow (every file read is misused to
                         check whether startup-sequence of requested
                         device is already changed by virus or not;
                         if not, virus is copied to disk and startup-
                         sequence is modified; OpenWindow is used
                         also to count number of resets since virus
                         infection;
                         DOSRead (used by OpenWindow routine of
                         virus: an OpenWindow demand followed by a
                         DOS Read command causes  virus to act as
                         described above: see OpenWindow);
                         DoIO (tests whether a blockblock is affected
                         by a DoIO or not; if not, normal DoIO is
                         executed; if yes, CloseDevice routine is
                         modified, so that every CloseDevice command
                         is extended [see below]); DoIO is extended
                         to set the KickCheckSum's MSB);
                         CloseDevice (extended to clear the KickCheck-
                         Sum's MSB);
                         DoIO and CloseDevice -> virus killer's do
                         not registrate modification of KickCheckSum;
                         BeginIO (patched to format disks when other
                         commands like CMD_READ, CMD_WRITE or boot-
                         block access are demanded);
                         VBI routine (misused to count VBIs, 6000
                         passes =8 minutes and 11.52 seconds)
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .2 Monitoring System Vectors:
                                     CHECKVECTORS 2.3, VT 1.94
                                  .3 Monitoring System Areas:
                                     CHECKVECTORS 2.3, GUARDIAN 1.2,
                                     VIRUS-DETEKTOR 1.1, VT 1.94
                      Category 2: Alteration Detection: ---
                      Category 3: Eradication: CHECKVECTORS 2.3,
                                     BGS9-PROTECTOR,VIRUS-DETEKTOR 1.1
                      Category 4: Vaccine: BGS9-PROTECTOR
                      Category 5: Hardware Methods: ---
                      Category 6: Cryptographic Methods: ---
Countermeasures successful: CHECKVECTORS 2.3, VT 1.94
Standard means......: CHECKVECTORS 2.3 or VT 1.94 with deletion of
                      "no name" file entry (see above) with a disk
                      manager and correction of startup-sequence
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Alfred Manthey Rojas, Brian Logan (Australia)
Documentation by....: Alfred Manthey Rojas
Date................: 10-February-1991
Information Source..: ---
==================== End of REVENGE OF THE LAMER EXTERMINATOR Virus ==

[Go back]