Warshaw Avenger Virus - Amiga Virus Encyclopedia

VIRUS HELP TEAM




------------------------
Amiga Virus Encyclopedia
Warshaw Avenger Virus
------------------------


=== Computer Virus Catalog 1.2: Warshaw Avenger Virus (31-July-1993) ===
Entry...............: Warshaw Avenger Virus
Alias(es)...........: Warshaw! Virus
Virus Strain........: Lamer Virus Strain
Virus detected when.: ---
              where.: ---
Classification......: System Virus (BootBlock), memory resident
Length of Virus.....: 1.Length on storage medium: 1024 bytes
                      2.Length in RAM:            1024 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2, 1.3, 2.04, 3.0
Computer model(s)...: All Amigas (problems with timing!)
--------------------- Attributes ---------------------------------------
Easy Identification.: Text readable in Bootblock and Ram:
                         "Warshaw!", "Warshaw Avenger presents!!!"
Type of infection...: Self-Identification methods: searches for $ABCD
                         in Bootblock (similar to some Lamer viruses)
                      System infection: RAM-Resident (Address=
                         SysStackLower+RND-Value), Reset-Resident
                         (KickTag), Bootblock
                      Hooked library/Device calls:
                         SumKickData (exec) - To bypass some antivirus
                         BeginIo     (Trackdisk) - infection / damage
Infection Trigger...: Any disk access
Storage media affected: Floppy disks only
Interrupts hooked...: ---
Damage..............: Permanent Damage: overwriting bootblock,
                         overwriting random sectors with "Warshaw!"
Damage Trigger......: Permanent Damage: Random (Rasterbeam)
Particularities.....: ---
Similarities........: Lamer Virus Strain
Stealth.............: Virus attempts to bypass antivirus-products by
                         producing a "clean" bootblock.
--------------------- Agents -------------------------------------------
Countermeasures.....: Names of tested products of Category 1-6:
                      Category 1: .1 -
                                  .2 Xooper, AVM (internal)
                                  .3 VT2.54, AVM (internal)
                      Category 2: VT2.54, BootX, VirusZ, AVM
                      Category 3: VT2.54, AVM (int.)
                      Category 4: -
                      Category 5: -
                      Category 6: -
Countermeasures successful: VT2.54, Xooper, BootX, VirusZ, AVM
Standard means......: VT2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Soenke Freitag
Documentation by....: Soenke Freitag
Date................: 31-July-1993
Information Source..: Reverse analysis of virus code/H.Schneegold, SHI
===================== End of Warshaw Avenger Virus ===================

Antivirus removal...: Kickstart 1.2 & 1.3 : VT-Schutz v3.17
                      Kickstart all others: VirusZ III with Xvs.library installed


Ascii of Warshaw Avenger virus:

     



Virus Help Team
Denmark & Canada
Copyright © All rights reserved
www.vht.dk