Pestilence Bootblockvirus 1.15:
    -------------------------------

    Kickstart 1.x : not working
    Kickstart 3.1 and MC68040 : working

    Patched vectors:

    Exec-Disable
    TD's BeginIO
    Exec-Coldcapture
    Exec-KicksumData       (not repairable)
    Intuition-DisplayAlert (not repairable)

    First appearance (as far as I know): Heilbronn/Germany

    This is a new bootblockvirus with some nasty inner workings:

    The last two patched vectors cannot be repaired, because the
    virus does not store the original values. Sorry guys! All other
    patched vectors can be corrected by VirusWorkshop.

    Before patching, the virus checks whether it is already installed.
    The BeginIO routine only catches TD-READ and TD-WRITE commands.
    The routine checks whether the loaded bootblock is the virus; if so,
    the bootblock code is manipulated (probably to hide the code from
    virus killers!!!!)

    Under special circumstances (the compare longword must be "DEAD"),
    blocks 2-3 will be filled with garbage. The information on these
    blocks cannot be recovered...

    If a pointer reaches a special value, the whole disk will be
    formatted with memory garbage. This routine is buggy, because the
    memory block that should be written lies outside REAL memory and
    the system travels to india.

    It crypts all read blocks (T-DATA) with an eor-loop. While the
    virus is active in memory, all crypted blocks are decrypted on the
    fly. If you remove the virus from memory, several checksum errors
    will appear on your screen. VirusWorkshop 4.6 and higher are able
    to repair the crypted blocks, because there is no magic in this
    crypt routine.

    Such routines (online (de)crypting) were first seen on the AMIGA
    in the "Saddam" diskvalidator viruses and then in the "The Curse of
    little Sven" bootblockvirus.

    The first longword of a crypted block looks like this: $AFFE0008.
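    The script below is an added example, not VirusWorkshop code and not
    taken from the virus: it models the repair step on an ADF-style disk
    image. It assumes (the description does not say) that the $AFFE
    high word of the marker replaces the high word of the OFS T.DATA type
    longword (8), that the remaining 127 longwords are EORed with one
    constant (ASSUMED_KEY, a made-up value), and it uses the real AmigaDOS
    block checksum (all 128 longwords sum to zero) to verify a key guess
    before writing anything back, which is also why the checksum errors
    appear once the virus no longer decrypts on the fly. The sample image
    is constructed inside the script.

```python
import struct

BLOCK_SIZE = 512            # AmigaDOS floppy block size
T_DATA = 8                  # OFS data block type; the low word of $AFFE0008
MARKER = 0xAFFE0008         # first longword of a crypted block, as given in the description
CHKSUM_INDEX = 5            # OFS data block: the checksum is the 6th longword
ASSUMED_KEY = 0x5A5A5A5A    # ASSUMPTION: the page does not give the virus's eor constant


def longwords(block: bytes):
    """Split a 512-byte block into its 128 big-endian longwords."""
    return list(struct.unpack(">128I", block))


def ofs_checksum_ok(block: bytes) -> bool:
    """AmigaDOS block checksum: all 128 longwords must sum to zero mod 2^32.
    This is the check that fails once the virus no longer decrypts blocks."""
    return sum(longwords(block)) & 0xFFFFFFFF == 0


def make_data_block(header_key: int, seq: int, payload: bytes) -> bytes:
    """Build a valid OFS T.DATA block (constructed sample input): 24-byte
    header, 488 bytes of file data, checksum fixed so the block sums to zero."""
    data = payload.ljust(BLOCK_SIZE - 24, b"\0")
    words = [T_DATA, header_key, seq, len(payload), 0, 0]
    words += list(struct.unpack(">122I", data))
    words[CHKSUM_INDEX] = (-sum(words)) & 0xFFFFFFFF
    return struct.pack(">128I", *words)


def eor_loop(block: bytes, key: int) -> bytes:
    """ASSUMED form of the 'eor-loop': every longword after the first is XORed
    with a constant key. XOR is its own inverse, so the same loop both crypts
    and repairs; that is the 'no magic' the description refers to."""
    words = longwords(block)
    return struct.pack(">128I", words[0], *[w ^ key for w in words[1:]])


def find_marked_blocks(image: bytes) -> list:
    """Block numbers whose first longword is the $AFFE0008 marker."""
    marked = []
    for blk in range(len(image) // BLOCK_SIZE):
        first = struct.unpack_from(">I", image, blk * BLOCK_SIZE)[0]
        if first == MARKER:
            marked.append(blk)
    return marked


def repair_image(image: bytes, key: int):
    """Undo the eor-loop on every marked block, restore the T.DATA type
    longword and keep the result only if the OFS checksum comes out right.
    A block that still fails the checksum was crypted with a different key
    (or is not a data block at all) and is left untouched, so a wrong key
    guess destroys nothing. Returns (image, repaired_blocks, failed_blocks)."""
    out = bytearray(image)
    repaired, failed = [], []
    for blk in find_marked_blocks(image):
        off = blk * BLOCK_SIZE
        candidate = eor_loop(bytes(out[off:off + BLOCK_SIZE]), key)
        candidate = struct.pack(">I", T_DATA) + candidate[4:]
        if ofs_checksum_ok(candidate):
            out[off:off + BLOCK_SIZE] = candidate
            repaired.append(blk)
        else:
            failed.append(blk)
    return bytes(out), repaired, failed


def build_sample_image(key: int):
    """Constructed 4-block image: blocks 0-1 an empty bootblock, block 2 a
    clean T.DATA block, block 3 the same kind of block after the assumed crypt
    step (marker in the type longword, rest of the block XORed).
    Returns (infected_image, clean_image) so the repair can be checked."""
    boot = bytes(2 * BLOCK_SIZE)
    blk2 = make_data_block(881, 1, b"clean sector, never touched by the virus")
    blk3 = make_data_block(881, 2, b"sector that went through the patched BeginIO")
    crypted = struct.pack(">I", MARKER) + eor_loop(blk3, key)[4:]
    return boot + blk2 + crypted, boot + blk2 + blk3


if __name__ == "__main__":
    infected, clean = build_sample_image(ASSUMED_KEY)
    print("marked blocks:", find_marked_blocks(infected))
    fixed, ok, bad = repair_image(infected, ASSUMED_KEY)
    print("repaired:", ok, "still bad:", bad, "identical to clean:", fixed == clean)
```

    Because the checksum is verified before a block is written back, the
    same script can be pointed at a real image with several candidate keys
    without risking the data: only a key that makes a marked block sum to
    zero again is accepted.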

    The whole virus is crypted with a simple eor-loop and looks like
    the work of a quite sober 'n clean programmer. At the end of
    the virus you can read (after decrypting it):

    'trackdisk.device'
    'intuition.library'
    'PESTILENCE v1.15 (c) 14/05/94!'



    Test by Markus Schmall         Detection and repair tested 11.12.1994.
