------------------------------
Amiga Virus Encyclopedia
Pestilence Bootblockvirus 1.15
------------------------------
Pestilence Bootblockvirus 1.15:
-------------------------------
Kickstart 1.x : not working
Kickstart 3.1 and MC68040 : working
Patched vectors:
Exec-Disable
TD's BeginIO
Exec-Coldcapture
Exec-KicksumData (not repairable)
Intuition-DisplayAlert (not repairable)
First appearance (as far as I know): Heilbronn/Germany
This is a new bootblockvirus with some nasty inner workings:
The last two patched vectors cannot be repaired, because the
virus does not store the original values. Sorry guys! All other
patched vectors can be corrected by VirusWorkshop.
Before patching, the virus checks whether it is already installed.
The BeginIO routine only catches TD-READ and TD-WRITE commands.
The routine checks whether the loaded bootblock is the virus.
If yes, the bootblock code is manipulated (probably to hide
the code from virus killers!!!!)
Under special circumstances (the compare longword must be "DEAD"),
blocks 2-3 are filled with garbage. The information on these
blocks cannot be recovered...
If a pointer reaches a special value, the whole disc is
formatted with memory garbage. This routine is buggy, because
the memory block that should be written lies outside of REAL memory
and the system travels to India.
It crypts all read blocks (T-DATA) with an EOR loop. If the
virus is active in memory, all crypted blocks are decrypted
on the fly. If you remove the virus from memory, several checksum
errors will appear on your screen. VirusWorkshop 4.6 and higher
are able to repair the crypted blocks, because there is no magic
in this crypt routine.
Such routines (online-(de)crypting) were first seen on the AMIGA
in the "Saddam" diskvalidator viruses and then in "The Curse of
little Sven" bootblockvirus.
The first longword of a crypted block looks like this: $AFFE0008
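Added example (not part of this entry, and not VirusWorkshop's code): a Python scanner that walks a disk image sector by sector, reports every block whose first longword is $AFFE0008, and says whether the OFS block checksum still validates, which is the checksum error the entry describes once the virus is out of memory. It assumes 512-byte sectors and 880 KB DD floppy geometry; it does not implement the virus's EOR loop, since the key is not given here.

```python
import struct

SECTOR = 512
MARKER = 0xAFFE0008     # first longword of a block crypted by Pestilence (from the entry)
T_DATA = 8              # normal first longword of an OFS data block (AmigaDOS fact)
SECTORS_PER_TRACK, HEADS = 11, 2   # assumed 880 KB DD floppy geometry


def ofs_checksum_ok(block: bytes) -> bool:
    """OFS blocks store a checksum at longword 5 so all 128 longwords sum to 0 mod 2^32."""
    return sum(struct.unpack(">128L", block)) & 0xFFFFFFFF == 0


def make_data_block(payload: bytes, header_key: int = 880, seq: int = 1) -> bytes:
    """Build a valid OFS T.DATA block (constructed sample input, not from a real disk)."""
    data = payload.ljust(488, b"\0")[:488]
    size = min(len(payload), 488)
    raw = struct.pack(">6L", T_DATA, header_key, seq, size, 0, 0) + data
    chk = (-sum(struct.unpack(">128L", raw))) & 0xFFFFFFFF
    return raw[:20] + struct.pack(">L", chk) + raw[24:]


def mark_as_crypted(block: bytes) -> bytes:
    """Reproduce only the visible symptom from the entry: the first longword becomes $AFFE0008.
    The EOR key is not documented, so the data is left untouched; the now stale checksum is
    what produces the checksum errors once the virus is no longer decrypting on the fly."""
    return struct.pack(">L", MARKER) + block[4:]


def chs(sector_index: int):
    """Map a linear sector number to (cylinder, head, sector) for the assumed geometry."""
    cyl, rem = divmod(sector_index, SECTORS_PER_TRACK * HEADS)
    head, sec = divmod(rem, SECTORS_PER_TRACK)
    return cyl, head, sec


def scan_image(image: bytes):
    """Return (sector, cyl, head, sec, checksum_ok) for every sector carrying the marker."""
    hits = []
    for i in range(len(image) // SECTOR):
        block = image[i * SECTOR:(i + 1) * SECTOR]
        if struct.unpack(">L", block[:4])[0] == MARKER:
            hits.append((i, *chs(i), ofs_checksum_ok(block)))
    return hits


# Constructed three-sector image: a clean data block, a marked one, an empty sector.
SAMPLE_IMAGE = (make_data_block(b"clean text")
                + mark_as_crypted(make_data_block(b"crypted by Pestilence", seq=2))
                + bytes(SECTOR))

if __name__ == "__main__":
    for sec, cyl, head, s, ok in scan_image(SAMPLE_IMAGE):
        print(f"sector {sec} (cyl {cyl} head {head} sec {s}): marker, checksum {'ok' if ok else 'BAD'}")
```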
The whole virus is crypted with a simple EOR loop and looks like
the work of a quite sober'n clean programmer. At the end of
the virus you can read (after decrypting it):
'trackdisk.device'
'intuition.library'
'PESTILENCE v1.15 (c) 14/05/94!'
Detection and repair tested 11.12.1994
Test by Markus Schmall
Ascii of Pestilence Bootblock virus (Decoded):