------------------------
Amiga Virus Encyclopedia
UHR Virus
------------------------
Name : Uhr
Aliases : Unknown 1
Type : Bootblock
Size : 1024 bytes
Symptoms : No Sypmtoms
Discovered : 14 june 1993
Origin : -
Way to infect: Boot infection
Rating : Middel
Kickstarts : 1.2
1.3
Damage : Overwrites Bootblock
Symptomatic : -
Information : This virus does not work with Kickstart 2.04 and higher.It checks
the highest byte in the $6c vector for $fc.This is only a
possible value for Kickstart 1.x .If the value was not found,a
normal bootblock will be executed.
The virus is crypted on disc with a simple "EOR" loop.It patches
the DOIO,the LEVEL3Interrupt and the Coolcapture vectors.
The "new" thing in this virus is,that it copies itself to a
special adress,which will be calculated with the following rout.:
LEA $0007F800.L,A1
TST.L $004E(A6)
BEQ.B Abs_Copy
MOVEA.L $004E(A6),A1
LEA -$0800(A1),A1
Abs_Copy MOVE.L A1,-(A7)
MOVE.W #$0398,D0
Copy_Loop MOVE.B (A0)+,(A1)+
DBRA D0,Copy_Loop
This means that no adress exists,where this virus can be always
found.The patched DOIO vector does not ask for the TRACKDISK-
device.
The following adresses will be changed in the next parts of the
virus:
$00BFE601.L
$00BFE701.L
$00D80002.L
$00BFEE01.L
The $d80002.L register is (I heard it only) an old register
for the internal clock.The bootblock will be crypted everytime
new (depending on one special register).
Comments : -
Text in virus: -
Removal : Kickstart 1.2 & 1.3 : VT-Schutz v3.17
Kickstart all others: VirusZ III, and also Xvs.library must be installed
Test made by : Markus Schmall & Jan Andersen, Virus Help Team
Ascii of Uhr virus:
