arnoutgr@neabbs.UUCP (ARNOUT GROOTVELD) (09/08/88)
frambo::schabacker (Tim, posting for <schabacker@frambo.dec.com>) wrote in some message about the ByteWarrior virus the following:

[ deleted ]

>The virus is a related form of the ByteBandit, that is it makes
>itself resident via a KickTag entry and patches an internal function.
>BUT THIS VIRUS ATTACHES ITSELF IN FRONT OF THE ExecBase DoIO function
>and though spreads itself EVERYTIME an uninfected, write-enabled disk
>is inserted, written to, etc.!

[ deleted ]

>As already mentioned on the net, the virus can be identified by the
>string DASA0.2 (where "." is an unprintable character) at offset
>$C4 (196 decimal) in block 0.

[ deleted ]

Well, at least for the version I've got the first statement isn't true. I've disassembled this bootblock, too, and I've found out the following:

- the BootBlock patches DoIO()
- the "new" DoIO() checks ColdCapture and CoolCapture against NULL and if both are NULL it continues with the "original" DoIO(). (That is, if you are using 1.2 :-) )
- If one of them isn't NULL, both will be set to NULL, the LED will go on and off a few times and you hear a few beeps. Then:
  Check if IO_COMMAND is CMD_WRITE or CMD_READ. If no, continue with "original" DoIO().
  If yes, check if IO_LENGTH is $200 or $400. If no, continue etc...
  If yes, check if IO_OFFSET is 0 (=BootBlock). If no, continue etc.
  If yes, check if IO_DATA is 0. If yes, continue etc. (I don't understand this one.)
  If no, check for WriteProtect. If yes, continue ...
  If no, write ByteWarrior BootBlock and after that, execute the original IO-request.

So, it "only" spreads itself when block 0 or blocks 0/1 are read/written. (And the disk isn't writeprotected ...)

BUT: the bootblock that I've dissected might differ from the bootblock Tim (posting for etc...) spoke of, because with "mine" the text DASA0.2 was not at $C4 but at $C0!!!

REQUEST: I'd like to receive all "suspect" bootblocks because I want to disassemble them. So far, I've disassembled SCA, ByteBandit, SystemZ and this one.
Thanks in advance.

Arnout Grootveld
UUCP : ...!mcvax!telemail!neabbs!arnoutgr
FidoNet: 2:281/600.2
Although I don't work for anyone, I disclaim everything.
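As an added example (not code from either poster), a small scanner that checks block 0 of a disk image for the DASA0.2 marker both posts mention, accepting any byte for the unprintable character and reporting whether the hit sits at $C4 (Tim's offset) or $C0 (Arnout's); the sample bootblock it scans is constructed here, not a real dump.

```python
import re
from typing import Optional

# The thread reports the text "DASA0.2" in block 0, where "." is one
# unprintable byte.  Match it as a regex with a single-byte wildcard there.
SIGNATURE = re.compile(rb"DASA0.2", re.DOTALL)
REPORTED_OFFSETS = (0xC4, 0xC0)   # offsets given by Tim's post and by Arnout's
BLOCK_SIZE = 512                  # one Amiga floppy sector ($200 bytes)


def scan_bootblock(image: bytes) -> dict:
    """Look for the ByteWarrior marker anywhere in block 0 of a disk image.

    Searching the whole block rather than only $C0/$C4 means a variant that
    shifts the string by a few bytes is still flagged; the result also says
    whether a hit sits at one of the offsets named in the thread.
    """
    block0 = image[:BLOCK_SIZE]
    hits = [m.start() for m in SIGNATURE.finditer(block0)]
    return {
        "infected": bool(hits),
        "offsets": hits,
        "at_reported_offset": [o for o in hits if o in REPORTED_OFFSETS],
    }


def make_sample_bootblock(sig_offset: Optional[int]) -> bytes:
    """Constructed test data (not a real dump): a 1024-byte boot area that is
    zero-filled apart from a "DOS" header and, optionally, the marker placed
    at sig_offset with 0x00 standing in for the unprintable byte."""
    block = bytearray(2 * BLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    if sig_offset is not None:
        block[sig_offset:sig_offset + 7] = b"DASA0\x002"
    return bytes(block)


if __name__ == "__main__":
    for off in (0xC4, 0xC0, 0x80, None):
        print(hex(off) if off is not None else "clean",
              scan_bootblock(make_sample_bootblock(off)))
```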
Benton_J_Elkins@cup.portal.com (09/11/88)
I just had my first encounter with a virus in 33 years of programming. I had done some downloads from Portal, Just Computing and another bbs that I can't remember right now. After I had de-arced some of the files I decided to format a disk and noticed that only sectors 0 and 1 would format with 78 left. I checked with HT Electronics who had not heard of this phenomenon. To be safe I dl'ed VirusX version 2.0 and installed it. VirusX found the Byte Bandit virus in Ram and on all three of my disks in my drives. I then checked the other disks and found several more occurrences of Byte Bandit.

I am very grateful to Steve Tibbett for his VirusX program and intend to contact him to tell him so. I wonder if anyone else noticed my symptom of a failure to Format connected with this virus.