VIRUS HELP TEAM
-------------------
For more information, contact us at: www.vht-dk.dk

About Saddam Virus
------------------
The 'Saddam' virus can only infect Amigas with Kickstart 1.2 or 1.3.

Please be very careful if you are working with the 'Saddam' file/link virus. Note that there is a boot virus with the same name; don't confuse the two.

We still get a lot of reports about the worldwide spreading of this very, very nasty virus. Here are some facts about it:

1. The virus is a "multi-headed" file and link virus. It always infects the L/ directory; if there is no L/ directory on the disk, it will make one by itself.

2. The Saddam file virus part is always found in L/Disk-Validator, with the same file length (1848 bytes) and, of course, the same name as the original, a diabolical thing.

3. As far as we know it is the only virus that can infect even a machine with the new super Fat Agnus (1 MB Chip RAM) and survive a reset. Note that it does not infect if you have Kickstart 2.0/3.0.

4. The Saddam link virus part spreads VERY, VERY easily: it links to all files, e.g. to every executed, written or copied file. It does not change the file length; it only writes "IRAK" over the start of the file. Note that all these infected files will cause "Read/Write" errors! The original "Saddam" infects hard disks too.

5. It is impossible to delete the virus or the link-infected files with a file editor like "Diskmaster", or from the CLI. All well-known antivirus programs will find the 'Saddam' virus, make it passive and repair the infected files very nearly 100%, but they can't remove the virus itself: you have to re-install the original Disk-Validator.

----------------------------------------------------------------------------
This text is written by Orbit/Dexion:
-------------------------------------
I'm sure about most of the things in the following list, but there are still some dark chasms of code which I haven't been able to understand fully. The virus was disassembled during two nights, so please forgive me if there are any analysis errors (it's my first virus disassembly, by the way).

It looks like the virus searches for DFx:l/Disk-Validator and replaces it with the virus. If Disk-Validator doesn't exist it will be created. If the "l" directory doesn't exist it will also be created.

It also looks like the coder of this virus has been collecting pieces from different viruses, since he uses the Internal Dos Library, the Trackdisk Device and the hardware directly (why no DosPackets?), which is pretty much for one person to comprehend.

The watchdog is the RasterBeam Interrupt, which ensures that the virus will stay in memory. It must be destroyed before anything else is.

- ColdCapture (which activates CoolCapture)
  Checks if a port named "mycon.write" is present at startup. If so, ColdCapture is left untouched.

- RasterBeam (Vertical Blanking) Interrupt
  Hooks on at offset $90 in ExecBase (struct IntVector IntVect). Attaches Trackdisk BeginIO() and ColdCapture all the time. Triggers the virus effect under certain circumstances (most likely after a certain time).

- Trackdisk BeginIO
  As far as I can see, it can trigger an evil-looking effect if we read from the BootBlock after some time (probably to work against virus hunters who are trying to rescue a BootBlock). Is it dangerous? you ask.
  I don't know, to be honest, but it looks mean. If we access the RootBlock it does something to the BitMap (though I don't know what). If we read from a DataBlock it can destroy the file (by writing "IRAK" over the existing data).

- CoolCapture
  Hooks on to InitResident() in Exec.

- InitResident
  Waits until "strap" is called (which is the last one in the Resident List). Then it installs the virus (except for ColdCapture) and hooks on to OpenWindow in Intuition.

- OpenWindow
  Saves the virus under certain circumstances (not sure what). Hooks on to Trackdisk Close().

- Trackdisk Close
  Saves the virus.

-------------------------------------------------------------------
>>>>>>>>> Disassembly code left out by Virus Help Team <<<<<<<<<<<<
-------------------------------------------------------------------

DiskName        DC.B    'DF1:',$00
DirName         DC.B    'DF1:l',$00
ValidatorName   DC.B    'DF1:l/Disk-Validator',$00
StrapName       DC.B    'strap',$00
PortName        DC.B    'mycon.write',$00
IntName         DC.B    'intuition.library',$00
TrackName       DC.B    'trackdisk.device',$00
VirusName       DC.B    $01,$08,$20,'SADDAM VIRUS',$00,$00

(End of text by Orbit/Dexion)
----------------------------------------------------------------------------

There are many different Saddam virus types; here is what has been found:

  Saddam 1
  Saddam 2
  Saddam 3
  Saddam 4
  Saddam 5
  Saddam 6
  Saddam 7
  Saddam 4711
  Snoopdos Saddam
  Affe Saddam
  Animal Saddam
  Diskval 1234 Saddam
  DiVa Saddam
  Gral Saddam
  Hardex Saddam
  Irak Saddam
  Iran Saddam
  Kick Saddam
  Laurin Saddam
  Loom Saddam
  Nato Saddam
  Parfum Saddam
  Saddam ][

And even one bootblock virus.

Test of the Saddam virus from the Virus Test Center in Hamburg:

===== Computer Virus Catalog 1.2: SADDAM file Virus (31-July-1993) =====
Entry...............: SADDAM_file Virus
Alias(es)...........: ---
Virus Strain........: SADDAM Virus Strain
Virus detected when.: ---
              where.: ---
Classification......: File (!) variant of SADDAM virus, memory resident
Length of Virus.....: 1. Length on storage medium: 1848 byte
                      2. Length in RAM           : 1936 byte
--------------------- Preconditions ------------------------------------
Operating System(s).: AMIGA-DOS
Version/Release.....: 1.2/all, 1.3/all
Computer model(s)...: All AMIGA models
--------------------- Attributes ---------------------------------------
Easy Identification.: A req.library is found with 1848 Bytes length.
Type of infection...: Self-identification method: virus searches for an
                      encryption-byte in req.library on disk that matches
                      its own.
                      System infection: virus replaces library called
                      "req.library" in libs: directory on inserted
                      diskettes; contains following system routines/vectors
                      (same as SADDAM virus):
                      System routines:
                      - BeginIO(trackdisk.device)
                      - Close(trackdisk.device)
                      - InitResident(exec.library)
                      - OpenWindow(intuition.library)
                      System vectors:
                      - ColdCapture(execbase)
                      - CoolCapture(execbase)
                      - KickTagptr(resident-struct.)
Infection Trigger...: 1) Opening req.library by exec function calls
                      2) OpenLibrary or OldOpenLibrary.
Storage media affected: Any floppy disk (every trackdisk.device)
Interrupts hooked...: Vertical Blank interrupt works like a watchdog, which
                      guarantees that virus will stay in memory (same as
                      SADDAM virus).
Damage..............: Permanent damage:
                      1. If no req.library program exists on diskette or
                         no L: directory, both are built, replacing
                         req.library on disk.
                      2. Virus destroys a block by writing "LOOM" over
                         existing data.
                      3. Virus makes Bitmap NOT VALID, so running
                         Disk-Validator next time will infect System
                         (same as SADDAM).
                      4. Virus starts diskhead stepping in all floppy
                         drives and writing on disk (if writeable) which
                         will result in trackdisk errors (same as SADDAM).
                      Transient damage: Mouse pointer will disappear, and
                      an Alert will be displayed with text: "LOOOOM VIRUS".
                      After pressing mouse button, cold reset.
Damage Trigger......: Permanent damage: 1) insertion of a diskette
                                        2) reading a Datablock
                                        3) accessing rootblock
                      Transient damage: reading bootblock after a certain
                      time.
Particularities.....: 1) Virus uses direct Dos.Library Jumps.
                      2) Virus encrypts itself upon every infection with
                         another pseudo random number.
                      3) Virus installs a message port which is called
                         "mycon.write".
Similarities........: Similar to SADDAM LOOM Virus but as file infector;
                      other SADDAM variants are boot infectors.
--------------------- Agents -------------------------------------------
Countermeasures.....: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Countermeasures successful: VirusZ 3.06, VT 2.54, VirusChecker 6.28
Standard means......: VT 2.54
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Jens Vogler
Documentation by....: Jens Vogler
Date................: 31-July-1993
Information Source..: Reverse analysis of virus code
===================== End of SADDAM file Virus =========================

More information
----------------
A Disk-Validator virus is a special virus type on the Amiga. To understand how Disk-Validator viruses work, you first have to understand what a Disk-Validator does:

The Disk-Validator is a 1848 byte long executable file developed by Commodore itself. It is located in a directory called L on a disk, or rather, AmigaOS expects it in a directory called L, and it has the filename Disk-Validator (surprise :-)). If you insert a disk that has been invalidated, AmigaOS will automatically look for the Disk-Validator on this disk and, if found, load and execute it. The program will then correct the Rootblock so the disk is in a valid state afterwards.

The Disk-Validator is not mandatory: if a disk doesn't have this file it just won't be loaded and the disk stays invalid (a requester will tell you that the disk is in an invalid state and you need to correct it).

To cut a long story short:

* If a disk is in an invalid state, AmigaOS will look for a small program called L:Disk-Validator.
* If not found, AmigaDOS will pop up a requester telling you that something is wrong with the disk.
* If found, the program will be loaded and executed. The program will then try to solve the problem on the just inserted disk.

Disk-Validator viruses take advantage of the AmigaOS automatism which loads and executes this file: they deliberately make the disk invalid and write the virus file as L:Disk-Validator on this disk. Next time you insert it, AmigaOS checks whether it is invalid. It is, and therefore AmigaOS loads and executes the program Disk-Validator automatically, but this time it is the virus itself! The brilliant idea behind that is that the virus becomes active just by inserting an infected disk. No need to start an infected file or to boot with an infected disk; even better, AmigaOS itself becomes active and handles the execution automatically.

The good news is that Disk-Validator viruses only work on Amigas up to Kickstart 1.3, because in later Kickstart revisions (2.0, 3.0, 3.1 etc.) Commodore integrated the Disk-Validator into the ROM, so there is no need to load the Disk-Validator as a separate application anymore. Even if there is a Disk-Validator on disk, it will simply be ignored.
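As an added defender-side example (not code from the Virus Help Team page or from any of the antivirus tools it names), the following Python checks an extracted file and a raw ADF disk image for the traits described above: the "IRAK" marker written over the start of link-infected files, the virus strings from the disassembly excerpt inside a 1848-byte L/Disk-Validator, and the root block bitmap flag whose "invalid" state makes Kickstart 1.2/1.3 run L:Disk-Validator from the inserted disk. The root block position (block 880) and the bm_flag offset (0x138) are taken from the standard OFS/FFS double-density floppy layout, and all sample data is constructed.

```python
# Added example: offline checks for the Saddam file/link virus traits above.
import struct

# Strings the disassembly excerpt shows inside the virus body.
SADDAM_STRINGS = (b"SADDAM VIRUS", b"mycon.write", b"DF1:l/Disk-Validator")
VALIDATOR_LEN = 1848               # genuine and infected Disk-Validator length
HUNK_HEADER = b"\x00\x00\x03\xf3"  # magic of a clean AmigaDOS executable
LINK_MARKER = b"IRAK"              # written over the first bytes of linked files

BLOCK_SIZE = 512
ROOT_BLOCK = 880                   # root block of a DD floppy (1760 blocks)
BM_FLAG_OFF = 0x138                # bm_flag long in the root block, -1 = valid


def classify_file(data: bytes) -> str:
    """Classify a file by its first four bytes; link infection keeps the length."""
    head = data[:4]
    if head == LINK_MARKER:
        return "link-infected"
    if head == HUNK_HEADER:
        return "executable"
    return "data"


def disk_validator_is_virus(data: bytes) -> bool:
    """L/Disk-Validator keeps the genuine length, so look for virus strings."""
    return len(data) == VALIDATOR_LEN and any(s in data for s in SADDAM_STRINGS)


def bitmap_valid(adf: bytes) -> bool:
    """Read bm_flag from the root block. An invalid bitmap is what makes
    Kickstart 1.2/1.3 load and run L:Disk-Validator from the inserted disk."""
    off = ROOT_BLOCK * BLOCK_SIZE + BM_FLAG_OFF
    (flag,) = struct.unpack(">i", adf[off:off + 4])
    return flag == -1


# Constructed samples for demonstration (not real virus data).
CLEAN_EXE = HUNK_HEADER + b"\x00" * 60
LINKED_EXE = LINK_MARKER + CLEAN_EXE[4:]          # same length, header overwritten
FAKE_VALIDATOR = (HUNK_HEADER + b"mycon.write\x00").ljust(VALIDATOR_LEN, b"\x00")


def make_adf(valid: bool) -> bytes:
    """Blank DD image with only the root block bitmap flag set (constructed)."""
    img = bytearray(1760 * BLOCK_SIZE)
    off = ROOT_BLOCK * BLOCK_SIZE + BM_FLAG_OFF
    img[off:off + 4] = struct.pack(">i", -1 if valid else 0)
    return bytes(img)
```

Run the checks over files extracted from a suspect disk and over the ADF itself: an invalid bitmap together with a Disk-Validator that contains the virus strings is exactly the state an infected disk is left in.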
Denmark & Canada Copyright © All Rights Reserved