------------------------
Amiga Virus Encyclopedia
Starlight Bomb Virus
------------------------
======= Computer Virus Catalog 1.2: STARLIGHT Bomb (31-July-1993) ======
Entry...............: Starlight Bomb
Alias(es)...........: Commodore Virus
Virus Strain........: ---
Virus detected when.: ---
              where.: ---
Classification......: Timebomb, non-resident
Length of Virus.....: 1.Length on storage medium: 1752 bytes
                      2.Length in RAM           : 1752 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-OS
Version/Release.....: 1.2/all, 1.3/all, 2.0/all, 3.0/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: Typical text: "You have found the Routine !
                      This is the new Commodore-Virus !
                      BY STARLIGHT ENTERPRISES 1992"
                      visible at the end of the file.
Type of infection...: None (damage-only)
Infection Trigger...: None
Storage media affected: All disk-like media
Interrupts hooked...: None
Damage..............: Transient/Permanent damage: depending on trigger
                      condition, one of two kinds of damage is observed:
                      1) Bomb deletes file "s/startup-sequence" and
                         displays (via DisplayAlert) German text:
                           "Ihr Computer ist ueberhitzt !!!
                            Wenn es nach dem Reset ein absturz gibt
                            SCHALTEN IHN SIE BITTE AUS
                            Commodore 1987"
                         (in English: "Your computer is overheated!!!
                            If after a reset a crash happens
                            PLEASE SWITCH OFF Commodore 1987")
                         and system will crash thereafter.
                      2) Bomb deletes file "s/startup-sequence",
                         creates a directory named
                         "commodore war hier !!"
                         (="Commodore was here!!"),
                         opens CON-window named "REQUEST" to output
                         text: "KEIN VIRUS IN DRIVE DF0:
                                GEFUNDEN !! Commodore 1987"
                         (="NO VIRUS IN DRIVE DF0:
                            FOUND !! Commodore 1987"),
                         waits for the left mouse button to be pressed
                         and crashes thereafter.
Damage Trigger......: a) Second execution of program
                      b) Third execution of program
Particularities.....: 1) Upon executing the 2nd damage routine, program
                         requests to disable write protection. While
                         executing the 1st damage routine, an enabled
                         write protection will end the program.
                      2) Program opens and closes used libraries many
                         times and uses different versions of the
                         same name string; the string "dos.library"
                         appears three times in the file.
                      3) The program seems to be patched together from
                         at least three different programs.
                      4) CoolCapture vector is set to text string:
                         "COMMODORE AMIGA !!!"
                      5) Address $66666 is used as a counter without
                         allocating it.
                      6) Useless stuff is written to $C002A4 (located
                         in RangerRAM).
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures.....: VT 2.54, VirusZ 3.06, VirusChecker 6.28
Countermeasures successful: VT 2.54, VirusZ 3.06, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Karim Senoucci
Documentation by....: Karim Senoucci
Date................: 31-July-1993
Information Source..: Virus disassembly / SHI / Heiner Schneegold
===================== End of STARLIGHT bomb ============================
Antivirus...........: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III v1.04B or higher,
                                            and also Xvs.library v33.47 or higher