VIRUS HELP TEAM Amiga Antivirus Website www.vht-dk.dk
------------------------
Amiga Virus Encyclopedia
Telecom Virus
------------------------
Name : TeleCom
Aliases : No aliases
Clone : No clone
Type : File
Size : 756
Discovered : 17-01-93
Way to infect: File infection
Rating : Less Dangerous
Kickstarts : only 1.3 with Ranger RAM ($C00000)
Removal : Delete file.
Comments : The virus uses the CoolCapture vector to stay resident
in memory. It is always at the same address in
memory ($C71000). After a reset the virus patches
the DoIO(), FindResident(), and later the OpenWindow()
vectors. If you boot from a disk,
the virus does the following:
a) It checks with the help of DoIO() whether the disk
is write protected. If not, the virus
moves a value at memory address. This value is
later used by the OpenWindow() patch to check
whether the disk was write protected.
b) The virus patches the FindResident()
vector. Some time later, this new patch installs
another patch in the OpenWindow() vector.
c) The OpenWindow() patch infects the root directory of the disk:
it creates the virus file ($A0) and modifies
the startup-sequence.
The string "s/startup-sequence" in the virus is
encoded with a simple EOR loop (eor.b #$27,(a1)+).
In the decoded virus you can read "TeleCom".
Info : This virus works like the old Jeff viruses. It adds
a "$a00a" string at the first position in the
startup-sequence and writes itself with the name "$a0" in
the root directory. The file is only 756 bytes long
(unpacked).
This virus uses direct memory addresses and expects
RANGER RAM and Kickstart 1.3.
Antivirus : Kickstart 1.2 & 1.3..... : VT-Schutz
Kickstart 2.0 and higher : VirusZ III, with the new Xvs.library installed
Test made by : Markus Schmall
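
Added example (not part of the original encyclopedia entry and not VHT's or any antivirus tool's code): a small Python check for the on-disk indicators described above, run against a directory holding the extracted contents of a disk image. Assumptions: the file named $A0 may appear on a modern host either as the raw byte or as its UTF-8 form, and the encoded string matches the spelling "s/startup-sequence" given on the page byte for byte.

```python
import os
import sys

XOR_KEY = 0x27                          # from the page: eor.b #$27,(a1)+
DROPPER_NAMES = {b"\xa0", b"\xc2\xa0"}  # raw Amiga name / UTF-8 host form (assumption)
DROPPER_SIZE = 756                      # unpacked size given on the page
ENCODED_PATH = bytes(c ^ XOR_KEY for c in b"s/startup-sequence")


def check_startup_sequence(data: bytes) -> bool:
    """True if the script begins with the $A0 $0A line the virus prepends."""
    return data.startswith(b"\xa0\x0a")


def check_root_file(name: bytes, data: bytes) -> list:
    """Return the indicators from the page that a root-directory file matches."""
    hits = []
    if name in DROPPER_NAMES:
        hits.append("name is $A0")
        if len(data) == DROPPER_SIZE:
            hits.append("size is 756 bytes")
    if ENCODED_PATH in data:
        hits.append("contains 's/startup-sequence' XORed with $27")
    return hits


def scan_volume(root: bytes) -> list:
    """Scan an extracted disk directory and return human-readable findings."""
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                hits = check_root_file(name, fh.read())
            if hits:
                findings.append(f"{name!r}: " + ", ".join(hits))
        elif name.lower() == b"s" and os.path.isdir(path):  # AmigaDOS ignores case
            for sub in os.listdir(path):
                seq = os.path.join(path, sub)
                if sub.lower() == b"startup-sequence" and os.path.isfile(seq):
                    with open(seq, "rb") as fh:
                        if check_startup_sequence(fh.read(2)):
                            findings.append("s/startup-sequence: starts with $A0 $0A")
    return findings


if __name__ == "__main__":
    for line in scan_volume(os.fsencode(sys.argv[1])):
        print(line)
```

A name or size match alone is weak evidence; the XOR-encoded path string inside the file is the stronger indicator.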