        The "UHR" Bootblock virus:
        --------------------------

        This virus does not work with Kickstart 2.04 and higher. It checks
        the highest byte in the $6c vector for $fc. This value is only
        possible under Kickstart 1.x. If the value is not found, a
        normal bootblock is executed.

        The virus is encrypted on disk with a simple "EOR" loop. It patches
        the DOIO, the Level 3 interrupt and the CoolCapture vectors.

        The "new" thing in this virus is that it copies itself to a
        special address, which is calculated with the following routine:

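                        LEA     $0007F800.L,A1      ; default target address
                        TST.L   $004E(A6)           ; longword at $4E(A6) zero?
                        BEQ.B   Abs_Copy            ; yes: keep the default
                        MOVEA.L $004E(A6),A1        ; no: take that value ...
                        LEA     -$0800(A1),A1       ; ... and go $800 below it
        Abs_Copy        MOVE.L  A1,-(A7)            ; save target on the stack
                        MOVE.W  #$0398,D0           ; loop count: $399 bytes
        Copy_Loop       MOVE.B  (A0)+,(A1)+         ; copy one byte
                        DBRA    D0,Copy_Loop        ; repeat until D0 expires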

        This means that there is no fixed address at which this virus can
        always be found. The patched DOIO vector does not check for the
        TRACKDISK device.
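
        As an added illustration (not code from the original text or from
        the virus): a memory check cannot look at one fixed address, so this
        Python sketch repeats the address calculation of the routine above
        and reports which vector pointers from a memory snapshot fall inside
        the $399-byte copy. The function names, the snapshot values and the
        assumption that the patched vectors point into the copied code are
        constructed for the example.

```python
# Added example. Constants are taken from the routine shown above;
# everything else (names, sample pointers) is constructed.

DEFAULT_BASE = 0x0007F800    # LEA $0007F800.L,A1
BACKOFF = 0x0800             # LEA -$0800(A1),A1
COPY_LEN = 0x0398 + 1        # DBRA loops D0+1 times -> $399 bytes


def resident_range(long_at_4e):
    """Return (start, end) of the copied code, end exclusive.

    long_at_4e is the 32-bit value the routine reads from $004E(A6).
    """
    if long_at_4e == 0:                      # TST.L / BEQ.B Abs_Copy
        start = DEFAULT_BASE
    else:
        start = (long_at_4e - BACKOFF) & 0xFFFFFFFF
    return start, start + COPY_LEN


def suspicious_vectors(long_at_4e, vectors):
    """vectors: name -> 32-bit pointer read from a memory snapshot.

    Assumption: a patched vector points into the copied code, so any
    pointer inside the computed range is reported (sorted by name).
    """
    start, end = resident_range(long_at_4e)
    return sorted(name for name, ptr in vectors.items() if start <= ptr < end)


# Constructed snapshots, not taken from a real machine.
SNAPSHOT_PATCHED = {"DoIO": 0x0007F8A2, "Level3": 0x00FC0CD8,
                    "CoolCapture": 0x0007FB98}
SNAPSHOT_CLEAN = {"DoIO": 0x00FC06DC, "Level3": 0x00FC0CD8,
                  "CoolCapture": 0x00000000}

if __name__ == "__main__":
    for value in (0x00000000, 0x00C80000):
        start, end = resident_range(value)
        print("$4E(A6)=$%08X -> copy at $%08X-$%08X" % (value, start, end - 1))
    print("patched:", suspicious_vectors(0, SNAPSHOT_PATCHED))
    print("clean:  ", suspicious_vectors(0, SNAPSHOT_CLEAN))
```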

        The following addresses are changed in the later parts of the
        virus:

                                $00BFE601.L
                                $00BFE701.L
                                $00D80002.L
                                $00BFEE01.L

        The $d80002.L register is (I have only heard this) an old register
        for the internal clock. The bootblock is encrypted anew every time
        (depending on one special register).



                                        Detection tested on 14.6.1993.
        Test by Markus Schmall.....
