------------------------
Amiga Virus Encyclopedia
Mallander v1.0 Virus
------------------------
Name : Mallander v1.0
Aliases : Derk
Clones : No Clones
Type : Bootblock
Size : 2048 bytes
Symptoms : No Symptoms
Discovered : 29 March 1992
Way to infect: Boot infection
Rating : Dangerous
Kickstarts : 1.2, 1.3, 2.0
Damage : Overwrites boot + block 2,3 !
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III v1.04ß or higher, and also Xvs.library v33.47 or higher
Comments : The Mallander virus works like the Digital Dream
virus: it saves the original bootblock in blocks 2,3
so that it can still be executed after infection. When
you boot from an infected disk, the virus does the
following:
1) Checks for free memory at address $7F800. If that
memory is not free, the virus resets the machine.
2) Copies itself to address $7F800, loads the
original bootblock to $7FC00 and executes it.
3) After the original bootblock has run, the virus
changes the KICK vectors to stay resident in
memory.
After the next reset the virus patches the DoIO()
vector for infection. Imagine you are booting with
a clean, uninfected and unprotected disk:
1) The virus loads the original bootblock to $7FC00
and checks for the word "DERK" in the bootblock.
2) The virus calculates the new checksum and saves
2048 bytes. -> Blocks 2,3 = UNREPAIRABLY DAMAGED
By the way: If the Mallander virus is active in
memory and you show the bootblock of an infected
disk with e.g. bootblock and NOT the virusboot.
->>> KILL THE VIRUS FIRST IN MEMORY !!!
If AMIGA-DOS accesses a block with the help of
DoIO(), the virus decreases the chip memory by
16348 bytes. This is repeated until there
isn't any chip memory left. Then the virus
displays an alert:
J.D. MALLANDER VIRUS V. 1.0
I need lots of money - buy my cool pd serie action
power
This text is encrypted; you CAN'T read it in the BB.
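The on-disk layout described above can be checked for in a disk image. The following is an added example, not part of the original entry and not code from any of the removal tools it names. It validates the standard AmigaDOS bootblock checksum, looks for the word "DERK" in the bootblock, and flags a second valid bootblock sitting in blocks 2,3. It assumes that blocks are 512-byte sectors counted from 0 and that the word is stored as plain ASCII; the function names and sample images are constructed for illustration.

```python
import struct

BB_SIZE = 1024                   # AmigaDOS bootblock: first two 512-byte sectors
SAVED = slice(1024, 2048)        # blocks 2,3 (assumed to be 512-byte sectors 2 and 3)
MARKER = b"DERK"                 # word named on this page; assumed stored as plain ASCII

def bb_checksum(bb: bytes) -> int:
    """Value for the longword at offset 4 that makes a 1024-byte bootblock valid."""
    total = 0
    for off in range(0, BB_SIZE, 4):
        if off == 4:             # skip the checksum field itself
            continue
        total += struct.unpack_from(">I", bb, off)[0]
        if total > 0xFFFFFFFF:   # end-around carry
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF

def is_valid_bb(bb: bytes) -> bool:
    """True for a block that looks bootable: 'DOS' signature and correct checksum."""
    return (len(bb) == BB_SIZE and bb[:3] == b"DOS"
            and struct.unpack_from(">I", bb, 4)[0] == bb_checksum(bb))

def scan_image(image: bytes) -> dict:
    """Heuristic findings for a disk image (e.g. an ADF); flags, not a verdict."""
    boot, saved = image[:BB_SIZE], image[SAVED]
    findings = {
        "bootable": is_valid_bb(boot),
        "marker_in_bootblock": MARKER in boot,
        "bootblock_copy_in_blocks_2_3": is_valid_bb(saved),
    }
    findings["suspicious"] = findings["bootable"] and (
        findings["marker_in_bootblock"] or findings["bootblock_copy_in_blocks_2_3"])
    return findings

def make_bb(body: bytes) -> bytes:
    """Build a constructed test bootblock (no real boot code) with a valid checksum."""
    bb = bytearray(b"DOS\x00" + bytes(4) + struct.pack(">I", 880) + body)
    bb = bb.ljust(BB_SIZE, b"\x00")
    struct.pack_into(">I", bb, 4, bb_checksum(bytes(bb)))
    return bytes(bb)

# Constructed samples: placeholder bytes only, no virus code.
CLEAN = make_bb(b"constructed clean boot") + bytes(1024)
LAYOUT = make_bb(b"placeholder " + MARKER) + make_bb(b"constructed clean boot")

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("infected-style layout", LAYOUT)):
        print(name, scan_image(img))
```

Run this against an image file read from storage rather than on a live system where the virus is resident, since the entry notes that bootblock reads are not reliable while it is active in memory.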
Test made by : Safe Hex International