======== Computer Virus Catalog 1.2: SADDAM Virus (31-July-1993) =======
Entry...............: SADDAM Virus
Alias(es)...........: IRAK = Saddam Hussein = Disk-Validator Virus
Virus Strain........: Saddam Virus Strain
Virus detected when.: March 1991
              where.: Australia
Classification......: System virus (replacing), memory resident
Length of Virus.....: 1.Length on storage medium: 1848 bytes
                      2.Length in RAM           : 1936 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: ---
Type of infection...: Self-identification method: virus checks whether the
                         encryption byte in the Disk-Validator system
                         program on disk matches its own.
                      System infection: virus replaces the system program
                         Disk-Validator in the L: directory on disk. The
                         virus uses the following system routines/vectors:
                         System routines: - BeginIO(trackdisk.device)
                                          - Close(trackdisk.device)
                                          - InitResident(exec.library)
                                          - OpenWindow(intuition.library)
                         System vectors:  - ColdCapture(execbase)
                                          - CoolCapture(execbase)
                                          - KickTagptr(resident-struct.)
Infection Trigger...: The restart-validator process starts the Disk-Validator
                         program when the bitmap on the disk is not valid.
                         This does not work under AmigaOS Version 2.0, as
                         no Disk-Validator program is used there (there is
                         no restart-validator process in AmigaOS V2.0).
Storage media affected: Any floppy disk (every trackdisk.device)
Interrupts hooked...: Vertical Blank interrupt is used as a watchdog,
                      which guarantees that the virus stays in memory.
Damage..............: Permanent damage:
                         1. If no Disk-Validator program or no L: directory
                            exists on the disk, both are created (replacing
                            the Disk-Validator program on disk).
                         2. Virus destroys a block by writing "IRAK"
                            over the existing data.
                         3. Virus marks the bitmap NOT VALID, so the next
                            run of Disk-Validator will infect the system.
                         4. Virus starts disk-head stepping in all floppy
                            drives and writes to the disk (if writeable),
                            which results in trackdisk errors.
                      Transient damage: Mouse pointer disappears, and an
                            Alert is displayed with the text:
                            "SADDAM VIRUS". After a mouse button is
                            pressed, a cold reset follows.
Damage Trigger......: Permanent damage:
                            1) insertion of a diskette
                            2) reading a data block
                            3) accessing the root block
                      Transient damage: reading the bootblock after a
                            certain time.
Particularities.....: 1) No infection occurs when using the FastFileSystem
                         or running AmigaOS Version 2.0.
                      2) Virus uses direct dos.library jumps. Encrypts
                         itself with a pseudo-random number upon infection.
                      3) Virus installs a message port called
                         "mycon.write".
Similarities........: All numbered SADDAMs (SADDAM 4, SADDAM 5, ...)
                         are just the original SADDAM, encrypted differently.
--------------------- Agents -------------------------------------------
Countermeasures.....: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Countermeasures successful: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Oliver Meng
Documentation by....: Oliver Meng, Update by Jens Vogler
Date................: 31-July-1993
Information Source..: ---
===================== End of SADDAM Virus ==============================