frambo::schabacker (Tim, posting for <schabacker@frambo.dec.com>) (09/06/88)
[I really hate these stupid line-eater jok

Hi folks,

as a public service, here's what the (dis)assembler department of the Software Brewery (Hi Heiko) found out about the already mentioned ByteWarrior virus.

The virus is a related form of the ByteBandit, that is, it makes itself resident via a KickTag entry and patches an internal function. BUT THIS VIRUS ATTACHES ITSELF IN FRONT OF THE ExecBase DoIO function and thus spreads itself EVERY TIME an uninfected, write-enabled disk is inserted, written to, etc.! This is the most virulent beast to date.

But obviously virus authors are generally even more brain-dead than the usual bunch of crackers & pirates, 'cause the idiot who did this scumware makes DIRECT jumps to certain KickStart routines... So if you use a 1.3 KS, an infected disk will happily crash every time you try to boot it... But if there is enough interest out there, we could fix it...

:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-:
(Hey, twas a joke, OK?)

As already mentioned on the net, the virus can be identified by the string DASA0.2 (where "." is an unprintable character) at offset $C4 (196 decimal) in block 0.

The virus claims to be a virus killer, and what can I tell you, it really kills SCA and ByteBandits in memory and VERY effectively their respective bootblocks. 1/2 :-)

Of course it gets detected and removed by AntiVirus IV, Heiko's virus detergent. (Sorry for the commercial plug :-), the devil made me do it)

The only purpose of this beast is to spread itself, but since it's that "effective", this is really bad enough...

See ya,

- <CB>

P.S. KJohn, hey, KJohn, could you please send me an email, since I don't seem to get through to you...
--
   _  _
 / /  | \ \  <CB> aka Christian Balzer - The Software Brewery -
< <   |-<  > decwrl!frambo.dec.com!schabacker OR schabacker@frambo.dec.com
 \ \_ |_/ /  CIS: 71001,210 (be brief!), Phone: +49 6150 4151
------------ Snail: Im Wingertsberg 45, D-6108 Weiterstadt, F.R.G.
"Signature shrunk to conserve bandwidth"
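
[Added example, not part of the original post and not code from AntiVirus IV or VirusX: a Python check of a raw disk image for the marker described above (DASA0, one unprintable byte, then 2, at offset $C4 in block 0). Assumptions: 512-byte blocks, "unprintable" taken to mean outside ASCII 0x20-0x7E, and the helper names and the \x00 filler byte in the sample data are made up here since the post does not give the actual byte.]

```python
BLOCK_SIZE = 512      # assumption: standard 512-byte floppy block, raw image starts at block 0
SIG_OFFSET = 0xC4     # offset given in the post ($C4, 196 decimal)
SIG_PREFIX, SIG_SUFFIX = b"DASA0", b"2"
SIG_LEN = len(SIG_PREFIX) + 1 + len(SIG_SUFFIX)


def _matches(buf: bytes, pos: int) -> bool:
    """True if buf[pos:] holds DASA0 + one unprintable byte + 2."""
    chunk = buf[pos:pos + SIG_LEN]
    if len(chunk) < SIG_LEN:
        return False
    mid = chunk[len(SIG_PREFIX)]
    # Assumption: "unprintable" means outside the printable ASCII range.
    unprintable = mid < 0x20 or mid > 0x7E
    return chunk.startswith(SIG_PREFIX) and chunk.endswith(SIG_SUFFIX) and unprintable


def check_block0(image: bytes) -> str:
    """Classify block 0 of an image: 'infected', 'suspicious', 'clean' or 'truncated'."""
    if len(image) < BLOCK_SIZE:
        return "truncated"          # not enough data to cover block 0
    block0 = image[:BLOCK_SIZE]
    if _matches(block0, SIG_OFFSET):
        return "infected"           # marker exactly where the post says it is
    # Marker somewhere else in block 0 is not what the post describes:
    # report it separately so a human looks at it instead of auto-cleaning.
    if any(_matches(block0, i) for i in range(BLOCK_SIZE - SIG_LEN + 1)):
        return "suspicious"
    return "clean"


def make_block0(marker: bytes = b"", offset: int = SIG_OFFSET) -> bytes:
    """Constructed sample data: zero-filled block 0 with a DOS\\0 header and optional marker."""
    block = bytearray(BLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    block[offset:offset + len(marker)] = marker
    return bytes(block)


if __name__ == "__main__":
    samples = {
        "marker at $C4": make_block0(b"DASA0\x002"),       # \x00 is a constructed filler byte
        "marker at $40": make_block0(b"DASA0\x002", 0x40),
        "printable middle byte": make_block0(b"DASA0.2"),
        "plain bootblock": make_block0(),
    }
    for name, img in samples.items():
        print(f"{name:24s} -> {check_block0(img)}")
```
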
eephdjh@pyr.gatech.EDU (Haleblian, Jim) (09/07/88)
Steve just posted VirusX2.0 on PeopleLink. The viruses currently listed as detected and eliminated are: SCA, Byte Bandit, North Star, Byte Warrior, Revenge, Obelisk. I would be more than happy to post this or give it to someone who can make it available for anonymous ftp if *somebody* lets me know who the proper person/group of persons is to send it to! harv? bob? leo? carolyn? matt? Somebody give me a clue!