[comp.sys.amiga] New Virus

klewall1@uvicctr.UUCP (Kim Lewall) (02/03/88)

A friend of mine who doesn't have postnews access asked me to post this:
I have not seen any reference to this particular virus before.
----------------------------------------------------------------------------

A new virus has shown up on the Amiga.  It was written in September, 1987, by
someone calling himself The Byte Bimbo (well, maybe that's not the right name;
I can't remember... ;-) )

Last night (Feb 01 88) I was handed a disk and told "This is acting weird.  
Can you look into it?"  Apparently our Amiga club had a guest speaker from 
Toronto who provided several disks of bootable demo programs from the AmiExpo 
show.  While there is no proof, it is very likely that the virus originated 
at one of those two places as it looks like we have generation 2!!!

This virus, like the SCA virus, installs itself in the boot block (both 0 and
1) but, unlike the SCA virus, is actually running in the system and will
infect each and every writable disk placed into a drive.  SCA only copied
itself during a reboot.

Furthermore, if you have an infected machine, and try to use the Install
command to clean your disk, the virus will immediately re-install itself!

From disassembling the virus, it appears only to shut down *all* interrupts
after a certain condition is met.  This can happen in mid-session, and renders
your system un-bootable until power down.  I have not, however, been able to
figure out all of the code (I have had a copy of the virus for 7 hours) so it
may do more than it first appears....

I called Commodore today and am sending down a copy of the virus for them to
look at.  Until they have a new VCheck to deal with this one, the only way to
tell if you have any infected disks is to look at the boot block directly
with DiskZap, DiskWik or some other block editor.

Look at block 0.  You will see "Virus by Byte   Bandit in  9.87.Number of
copys :" if you are infected.

Let's stamp this one out before it gets anywhere!

Christopher Halsall
LateNight Developments Corp.
Victoria, B.C.
Canada.
(604) 380-3032
----------------------------------------------------------------------------

sean@ms.uky.edu (Sean Casey) (02/06/88)

In article <357@uvicctr.UUCP> klewall1@uvicctr.UUCP (Kim Lewall) writes:
>A new virus has shown up on the Amiga.  It was written in September, 1987, by
>...
>From disassembling the virus, it appears only to shut down *all* interrupts
>after a certain condition is met.  This can happen in mid-session, and renders
>your system un-bootable until power down.  I have not, however, been able to
>figure out all of the code (I have had a copy of the virus for 7 hours) so it
>may do more than it first appears....

I thought that C-A-A delivered a NMI to the 68000.  Am I wrong?

Sean
-- 
--  Sean Casey               sean@ms.uky.edu,  sean@ukma.bitnet
--  (the Empire guy)         {rutgers,uunet,cbosgd}!ukma!sean
--  University of Kentucky in Lexington Kentucky, USA
--  "If something can go will, it wrong."

spencer@eris (Randal m. Spencer [RmS]) (02/08/88)

Recently on *comp.sys.amiga* klewall1@uvicctr.UUCP (Kim Lewall) wrote:
...A new virus has shown up on the Amiga.

...I called Commodore today and am sending down a copy of the virus for them to
...look at.  Until they have a new VCheck to deal with this one, the only way to
...tell if you have any infected disks is to look at the boot block directly
...with DiskZap, DiskWik or some other block editor.

...Look at block 0.  You will see "Virus by Byte   Bandit in  9.87.Number of
...copys :" if you are infected.

This is a good suggestion for all you VCheck writers out there, how about a 
program that when run will display the boot blocks of a disk in a hex dump
format.  I currently run VCheck from my startup and it would be nice to be
able to have a totally reliable way to check for a boot track virus (since
that is the fad now, no trojan horses this week).

...Let's stamp this one out before it gets anywhere!

...Christopher Halsall
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Randy Spencer      P.O. Box 4542   Berkeley  CA  94704        (415)222-7595 
spencer@mica.berkeley.edu        I N F I N I T Y         BBS: (415)222-9416
..ucbvax!mica!spencer            s o f t w a r e                  AAA-WH1M
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
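A boot-block dump and check of the kind Randy asks for, as an added example in Python (not code from anyone in this thread): it takes blocks 0 and 1 of a raw ADF disk image, hex-dumps them, verifies the DOS signature and the standard boot-block checksum, and looks for the Byte Bandit text Christopher quotes. The two sample disks in the block are constructed, not real images, and the checksum test is only a sanity check, since a virus that boots must keep it valid.

```python
import struct

BOOTBLOCK = 1024                      # blocks 0 and 1 (512 bytes each) hold the boot code
BYTE_BANDIT_TEXT = b"Virus by Byte   Bandit"   # text the post reports seeing in block 0

def bootblock_checksum(bb: bytes) -> int:
    """Amiga boot-block checksum: add the 256 big-endian longwords with
    end-around carry, treating the checksum field (offset 4) as zero, then invert."""
    total = 0
    for off in range(0, BOOTBLOCK, 4):
        if off == 4:
            continue
        total += struct.unpack_from(">I", bb, off)[0]
        if total > 0xFFFFFFFF:            # carry out of bit 31 wraps back in
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF

def hexdump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII rows, the display the post asks VCheck writers for."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3}} |{text}|")
    return "\n".join(rows)

def inspect_bootblock(image: bytes) -> dict:
    """Take blocks 0 and 1 of a raw ADF image and report what a block editor shows."""
    bb = image[:BOOTBLOCK]
    stored = struct.unpack_from(">I", bb, 4)[0]
    return {
        "dos_signature": bb[:3] == b"DOS",
        "checksum_ok": stored == bootblock_checksum(bb),   # valid on infected disks too
        "byte_bandit": BYTE_BANDIT_TEXT in bb,
        "dump": hexdump(bb),
    }

def make_bootblock(bootcode: bytes) -> bytes:
    """Constructed sample disk: DOS signature, checksum, root block 880, then boot code."""
    bb = bytearray(b"DOS\x00" + bytes(4) + struct.pack(">I", 880) + bootcode)
    bb += bytes(BOOTBLOCK - len(bb))
    struct.pack_into(">I", bb, 4, bootblock_checksum(bytes(bb)))
    return bytes(bb)

NOP = b"\x4e\x71"                                      # 68000 NOP as placeholder boot code
CLEAN_DISK = make_bootblock(NOP + bytes(50))           # constructed clean disk
INFECTED_DISK = make_bootblock(NOP + bytes(50) + BYTE_BANDIT_TEXT + b" in  9.87.")  # constructed
```

To check a real image, call inspect_bootblock(open(path, "rb").read()) and print the "dump" entry.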

jim@coplex.UUCP (Jim Sewell) (02/09/88)

Word on CIS has it that there is a new SCA virus called LSD.  It supposedly
is an apology for the SCA and removes the SCA virus from an infected disk.
What it actually does is removes the SCA, but replaces it with a more clever
and harder to find virus that affects any disk any time, not just at bootup.
It is said, however, to use the boot block trick which is fortunate for us.
I BELIEVE vcheckx.x's can find it.  To Bill Koester:  Do you have any info
on this rumor?
---------------------------------------------------------------------------
Jim Sewell			"Here we go again..."

schein@cbmvax.UUCP (Dan Schein CATS) (02/10/88)

In article <368@coplex.UUCP> jim@coplex.UUCP (Jim Sewell) writes:
>
>Word on CIS has it that there is a new SCA virus called LSD.  It supposedly
>is an apology for the SCA and removes the SCA virus from an infected disk.
>What it actually does is removes the SCA, but replaces it with a more clever
>and harder to find virus that affects any disk any time, not just at bootup.
>It is said, however, to use the boot block trick which is fortunate for us.
>I BELIEVE vcheckx.x's can find it.  To Bill Koester:  Do you have any info
>on this rumor?
>---------------------------------------------------------------------------
>Jim Sewell			"Here we go again..."

 Bill is on assignment at our W. German headquarters. (Sounds just like on
 CNN - eh?) It is possible that his E-Mail or US Snail has some new virus
 information awaiting his return. But only his postmaster knows for sure.
 
 I spoke with someone the other day about a new strain that reinfects on disk
 insertion vs warm starts, and as I type this message a copy of this new strain
 is speeding its way to our news desk. More news as it becomes available, and
 film at 11 - stay tuned...

 This is Dan Schein reporting from West Chester for the CBM news.
-- 
   Dan Schein		 uucp: {ihnp4|allegra|burdvax|rutgers}!cbmvax!schein
   Commodore AMIGA			ARPANET:  cbmvax!schein@uunet.uu.net
   1200 Wilson Drive			Bix: dschein	     Plink: Dan*CATS
   West Chester PA 19380		phone: (215) 431-9100	   ext. 9542
+----------------------------------------------------------------------------+
   All spelling mistakes are a result of my efforts to avoid education  :-)
+----------------------------------------------------------------------------+
        I help Commodore by supporting the AMIGA. Commodore supports
         me by allowing me to form my own suggestions and comments.

koykka@utacs.UTA.FI (Sami K|ykk{) (03/03/89)

	Last night I discovered a new virus on the Amiga. It all began when
my Workbench1.3 suddenly crashed while booting. When I took a look at the
startup-sequence, I noticed that SetClock was the crashing program. It didn't
always crash, but very often.

	I began to wonder if it was the IRQ virus. So I used my friend's virus
killer and checked the whole disk. In the Devs directory the killer found a file
whose name was nothing but spaces. I peeked into the file and found out that
it was a program called SetPatch - renamed and copied into the Devs directory!

	Next I looked at the "real" SetPatch command in the C directory. It was
a totally different program. Its length was 2608 bytes - not the length of
SetPatch. So somebody had changed the location of my command and put a new
program into its old location.

	SetPatch was the first command in my Startup-Sequence and it seemed
very likely that I'd been under attack by a new virus! So, the next step
was to test if it spreads. I made a copy of a fresh Workbench, booted with the
infected disk and reset.

	After that I inserted my write-enabled fresh Workbench disk and
waited. The screen remained white and the disk drive whirred for a long time. After
the startup-sequence had stopped, I checked the Devs directory. There it was,
the file named "       "! It was small, only about 800 bytes. On that
disk, the first command in the Startup-Sequence was Addbuffers. So I checked
the Addbuffers command, and it was changed! It was 2608 bytes long, just like
the false SetPatch on the other disk.

	I don't know how long this virus has been around and where it comes
from, but I thought that I'd better write about it in here.

------------------------------------------------------------------------------
!Sami K|ykk{, Tampere University, Finland                                    !
!E-Mail:  koykka@utacs.uta.fi                                                !
!         koykka@utacs.uucp                                                  !
!         koykka%utacs.uta.fi@uunet.uu.net  (in USA)                         !
+----------------------------------------------------------------------------+

pl@kaarne.tut.fi (Pertti Lehtinen) (03/27/89)

	 I found a new bootblock virus yesterday.
	It is as follows:

		- lives on the bootblock
		- infects all disks inserted
		- hides itself from VirusX (presumably from others too)
			( monitors all bootblock accesses and returns the DOS
			  boot instead of itself)
			( naturally only when active )
		- every incarnation looks different
			( virus is in encoded form in the bootblock,
			  every time with a different encoding)
			( only a tiny part (the decoder) at the beginning doesn't vary)
		- manifests itself as "LAMER exterminator"
			( when decoded and disassembled )
		- randomly corrupts disk I/O causing random GURUs
		- doesn't work with the LUCAS board (namely with a 68020).

	I haven't looked at any more specific details.
	I have this saved, so if you need it just ask.

					Pertti Lehtinen
					pl@tut.fi
pl@tut.fi				! -------------------------------- !
Pertti Lehtinen				!  Alone at the edge of the world  !
Tampere University of Technology	! -------------------------------- !
Software Systems Laboratory

sean@ms.uky.edu (Sean Casey) (03/28/89)

Hoo boy, they've upped the ante. Looks like the Amiga is going to get
virused just like the Macintosh. You ought to read virus-l. They've
got third generation stuff there that infects disinfecting programs.
It's turned into quite a war.

Sean
-- 
***  Sean Casey                        sean@ms.uky.edu,  sean@ukma.bitnet
***  Who sometimes never learns.       {backbone site|rutgers|uunet}!ukma!sean
***  U of K, Lexington Kentucky, USA   ..where Christian movies are banned.
***  ``I've got no time for the old in-out; I've come to read the meter.''

crs@cpsc6a.att.com (Chris Seaman) (03/29/89)

pl@kaarne.tut.fi (Pertti Lehtinen) writes:
< 
< 	 I found a new bootblock virus yesterday.

[ description of virus deleted ]

< 		- manifests itself as "LAMER exterminator"
< 			( when decoded and disassembled )
< 
< 	I have this saved so if you need just ask.
< 
< 					Pertti Lehtinen
< 					pl@tut.fi

If this is the same 'LAMER Exterminator' I've read about, then VirusX
version 3.2 should handle it nicely (at least that's what the readme
and source file says).  It also says that this is one of the *worst*
of the mean spirited viruses around.

-- 
Chris Seaman            |    o\  /o
crs@cpsc6a.att.com <or> |      ||         See "Attack of the Killer Smiley"!
..!ihnp4!cpsc6a!crs     |   \vvvvvv/     Coming Soon to a newsgroup near you!
                        |    \____/ 

olson@uhunix1.uhcc.Hawaii.Edu (Todd Olson) (09/28/90)

	It must be my lucky year!  I found a new virus (again).  This
one manifests itself in a so called "new" version of unwarp, version 1.4.
The virus is integrated into the unwarp file.  The virus is written
by the Centurions.  It changes the KickTagPtr, and it contains some text
that I scanned from memory.  The text is as follows:

__________BEGIN INCLUDED TEXT__________

>>>>>>> HI THERE  A NEW AGE IN VIRUS MAKING HAS BEGUN     
THANX TO US>>> THANX TO: === CENTURIONS ===   AND WEVE    
THE PLEASURE TO INFORM YOU THAT SOME OF YOUR DISKS ARE    
INFECTED BY OUR FIRST MASTERPIECE CALLED:                 
 < THE SMILY CANCER <                                     
HAVE FUN LOOKING FOR IT>>> AND STAY TUNED FOR OUR NEXT    
PRODUCTIONS>   CENTURIONS: THE FUTURE IS NEAR;            
                                                          
                                                          
HELLO HACKERS OUT THERE!! A NEW FORCE HAS BORN IN ITALY:  
--- CENTURIONS ---.  OUR TEAM IS COMPOSED OF 2 GUYZ:      
ME & HIM.(AHAHHA!) THE AIM OF -- CENTURIONS -- IS JUST    
VIRUS MAKING.. WE HAVE LOTTA FUN DOING THIS AND WE ALSO   
HOPE TO GIVE FUN TO THE KILLERS MAKERS (HI STEVE TIBBETT!)
HAW! HAW! HAW! SIGNED: ME & HIM / CENTURIONS.             
_________________END OF TEXT ___________                                                          


It also looks as if it infects only floppies, and it affects the
startup-sequence, I say this because I found the following near the 
above text and the KickTagPtr.

trackdisk.device                                          
startup-sequence                                          
virusup-sequence


A copy will again be going to SteveX.

					Todd

--
 olson@uhunix.uhcc.hawaii.edu | "When I was fourteen, my father was so ignorant 
 olson@uhccux.uhcc.hawaii.edu | I could hardly stand to be around him. When I   
    CS student, Adventurer    | was twenty-one, I was amazed at how much the    
   Paraphrased from House II  | old man had learned in seven years." - M. Twain

johnv@tower.actrix.co.nz (John Veldthuis) (10/03/90)

Quoted from - olson@uhunix1.uhcc.Hawaii.Edu (Todd Olson):
>
>	It must be my lucky year!  I found a new virus (again).  This
> one manifests itself in a so called "new" version of unwarp, version 1.4.
> The virus is integrated into the unwarp file.  The virus is written
> by the Centurions.  It changes the KickTagPtr, and it contains some text
> that I scanned from memory.
[text deleted]

After a quick disassemble of the virus I found that it lives in the memory
area of $7f000 and takes over the trackdisk BeginIO vector. It also has a
Romtag to survive reboots and patches the exec SumKickData vector.
It waits for reads to the bootblock of a disk, then looks for the first
command in the startup-sequence. If the disk is not write protected it will
add itself to the start of this file as a code hunk. It adds 3196 bytes to
the program it infects. The data in the file is encrypted and after every
ten copies it will change the pointer to a smily face that has text
scrolling under it. To do the smily face it goes into the private stuff of
the graphics.library and bombed out when I ran CED to alter a file.
It does its copying at the block level and not the file level.

--
*** John Veldthuis, NZAmigaUG.         johnv@tower.actrix.co.nz       ***