SCSI File Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM
 



     ------------------------
     Amiga Virus Encyclopedia
     SCSI File Virus
     ------------------------
     
     
     Virus Help Team are looking for this virus, please send it to us 
     ----------------------------------------------------------------
     
     
     - scsi virus file length unpacked: 1560 bytes
     
         pure destruction program
         NO bent vectors
         KS3.0: yes
         No propagation routine
         File excerpt:
           2c780004 4eaefe3e 4e75733a 24e724a1, x..N ..> Nus: $. $.
                                 ^^^^^^^^^^^^^
           00000000 00000000 00000000 00000000 ................
           00000000 00000000 00000000 00000000 ................
           00000000 00000000 00000000 00000000 ................
           00000000 00000000 00000000 00000000 ................
           00000000 00000000 00000000 00000000 ................
           00000000 646f732e 6c696272 61727900 .... dos.library.
           8b624828 91819187 1e000000 00000000 .bH (............
           ;;;;;;;; :::::::::::

           ;;;; decoded with subi.b # $ 28, d0 results in: "c:", 0
           :::: decoded with subi.b # $ 1E, d0 results in: "scsi", 0

       Procedure:
           Test whether the file name (^^^^) "s: $", E7, "$", A1.0 is available
           is. If so, virus program end
           DateStamp is called and on $ 15A0 = 27.Feb.93
           checked.
           -If the computer time is not so far,
            called the original program with LoadSeg ("c:", 0)
            and worked through a direct entry. After that
            UnloadSeg is called and the virus program terminated.
           -If the system time has reached February 27, 1993:
            The device list is searched via dosbase + $ 22.
            ONLY devices (no vol, etc.) are compared
            scsi (see above). So a test for four letters.
              i.e. everything that starts with scsi is selected.
                  also scsi3 ... etc.
              SCSI or gvpscsi etc. is NOT selected.
            Then the ROOT block is calculated and filled
            destroyed with zeros.
       
       IMPORTANT:
            Because this is a loop, ALL
            Root blocks of ALL drives and ALL partitions that
            meet the requirement, destroyed. Did I change
            disk and three partitions tried.

            VT detects the virus file and offers Rename with the original
            File in c: an. If the original file in c: not found
            VT suggests deleting the virus file alone.

       Note:
            With DiskSalv Repair all partitions could be restored
            as the root block has been rebuilt.
            So please get DiskSalv (latest version 93)
            BEFORE the accident happens. DiskSalv occupies the partition
            called wanagi-wachipi. So similar to diskdoctor
            with Lazarus earlier.

       Important 2:
            There MUST be an INSTALL program. This is so far
            not known. Please help with the search. Thank you !
              Because nobody voluntarily names an original program
              into an invisible file in c: um.


     Original test by Heiner Schneegold
     Translated from german to english by Google translate
     

     Virus Help Team are looking for this virus, please send it to us
Virum Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk