Mallander virus - Amiga Virus Encyclopedia


     Amiga Virus Encyclopedia
     Mallander v1.0 Virus

     Name         : Mallander v1.0

     Aliases      : Derk

     Clones       : No Clones
     Type         : Bootblock
     Size         : 2048 bytes

     Symptoms     : No Symptoms

     Discovered   : 29 march 1992

     Way to infect: Boot infection

     Rating       : Dangerous

     Kickstarts   : 1.2

     Damage       : Overwrites boot + block 2,3 !

     Removal      : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                    Kickstart all others: VirusZ III v1.04ß or higher, and also Xvs.library v33.47 or higher

     Comments     : The Mallander-Virus  works like  the Digital Dream
                    Virus:  It saves  the  Original-Bootblock in block
                    2,3 to execute it even after infection. If you are
                    booting  with an infected  disk the virus does the
                   1) Checks for  memory  from  address  $7F800 if you
                      have not  free memory there, the virus gives you
                      a RESET.

                   2) Copies  itself  to address  $7F800 and loads the
                      original bootblock to $7FC00 and executes it.

                   3) After  th e execution  of  the Org.BB  the virus
                      changes  the  KICK-Vectors  to  stay resident in 

                   After the  next  reset the virus patches the DoIO()
                   Vector for  infection. Imagine you are booting with
                   a clean, uninfected and unprotected disk:

                   1) The virus loads the original bootblock to $7FC00
                      and checks for the word "DERK" in the bootblock.

                   2) The virus  calculates the new checksum and saves
                      2048 bytes. ->  Block 2,3 = UNREPAIRABLE DAMAGED

                    By the way:  If the Mallander  virus is  active in
                    memory and you show the  bootblock  of an infected
                    disk  with  e.g. bootblock and NOT the virusboot.
                    ->>> KILL THE VIRUS FIRST IN MEMORY !!!

                    If  AMIGA-DOS  accesses  a block  with the help of
                    DoIO()  the  virus  decreases  the  chip-memory by
                    16348 bytes, this  will  be done  as long as there
                    isn`t  any  chip  memory  anymore.  Then the virus
                    gives out an alert:

                              J.D. MALLANDER VIRUS V. 1.0
                    I need lots of money - buy my cool pd serie action
                    This text is crypted, you CAN`T read it in the BB.

     Test made by : Safe Hex International
     Screenshot of Mallander virus:

     Ascii of Mallander virus (Decoded):

Virum Help Team
Denmark & Canada
Copyright © All rights reserved