c8847468@jupiter.newcastle.edu.au (jonathan ross coombes) (05/08/91)
I saw this in the Amiga newsgroup and thought I would post it here. Does anyone have any more information on the virus as yet? The post actually consists of two files that were posted.

***********************************************************************

A new virus was sent to me today that will infect a machine just by sticking a disk in the drive. No need to run any program from it. It turns out that the disk was not validated and was write protected. When the disk is inserted in the drive AmigaDOS kicks in the Disk-Validator, but instead of getting it from the L: directory it gets it from the l directory of the inserted disk. The virus replaced this file with itself, so when AmigaDOS ran it, it infected the machine.

The virus is the same size as the original 1.3 validator and is encrypted. Upon decrypting it, it calls itself the SADDAM virus and has a mention of IRAK. I am not sure what it does when it is triggered, but there is a call to Alert(). It patches itself into the interrupts, TrackDisk, InitResident and OpenWindow calls at various times.

I hope CBM will fix this before 2.0 is finished so that the Validator is called from the L: directory in future and stop this new type of virus.

- --

************************************************************************

I have worked out what the Saddam virus does and it is very nasty. There are a few different stages to it, so I will go through them.

It infects your machine by AmigaDOS using the Disk-Validator on the disk you insert in the drive.

When you write to the root directory of any drive the virus will move the BitMap page pointer to another slot. If the virus is active, then when the root block is read it moves it back, so AmigaDOS thinks the disk is okay. If the virus is not running, AmigaDOS will see no BitMap pages and run the Disk-Validator on the disk, infecting your machine again.

When AmigaDOS writes to Data blocks the virus will change the first bit to IRAK and encode the rest of the block. If the virus is running when the block is read, it replaces in memory the IRAK with the proper number (8) and decodes the data block. If the virus is not running you will get a read/write error, as AmigaDOS can't find a valid DATA block there.

Now comes the worst bit. When the virus is triggered it will (if the disk is write enabled) wipe out both sides of the disk with random data (whatever is in memory at the time) by writing to every track on the disk. It will then bring up an Alert() telling you it is the SADDAM virus and reboot the machine once the alert is cancelled.

So beware this virus and try to wipe it out early. Please CBM, fix this little loophole before you finish 2.0 so that the Disk-Validator is taken from L: instead of :L/ first.

- --
*** John Veldthuis, NZAmigaUG. johnv@tower.actrix.gen.nz ***

**************************************************************************

/************************************************************************/
/* Jonathan Coombes                THE TECHNOMANCER                     */
/* University of Newcastle                                              */
/* Australia                                                            */
/*                                                                      */
/* "I wasn't born, I was compiled!!!"                                   */
/*                                                                      */
/* Internet: c8847468@orion.newcastle.edu.au                            */
/************************************************************************/
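The post describes the on-disk symptom of an infected data block: the type longword that should read 8 has been overwritten with "IRAK", and a clean machine then fails to validate the block. The following scanner is an added example, not code from the original post or from anyone quoted in it; it walks a raw disk image block by block, flags blocks carrying that marker, and separately verifies the standard Amiga block checksum (the value that makes all 128 longwords of a 512-byte block sum to zero), so that ordinary corruption is reported apart from the virus signature. The OFS data-block layout (type, header key, sequence number, size, next block, checksum at offset 20, then data) and the sample image are assumptions constructed for the example.

```python
import struct

BLOCK_SIZE = 512
T_DATA = 8              # OFS data-block type longword (the "proper number" in the post)
INFECTED_MARK = b"IRAK" # marker the post says the virus writes over the type field
CHKSUM_OFFSET = 20      # offset of the checksum longword in an OFS data block (assumed layout)

def block_checksum(block: bytes) -> int:
    """Amiga FS checksum: the value that makes all 128 longwords of the block sum to 0."""
    total = sum(struct.unpack(">I", block[o:o + 4])[0]
                for o in range(0, BLOCK_SIZE, 4) if o != CHKSUM_OFFSET)
    return (-total) & 0xFFFFFFFF

def make_data_block(header_key: int, seq: int, payload: bytes) -> bytes:
    """Constructed clean OFS data block: type, header key, seq, size, next, checksum, data."""
    header = struct.pack(">IIIIII", T_DATA, header_key, seq, len(payload), 0, 0)
    blk = bytearray(header + payload.ljust(BLOCK_SIZE - 24, b"\0"))
    struct.pack_into(">I", blk, CHKSUM_OFFSET, block_checksum(bytes(blk)))
    return bytes(blk)

def classify_block(block: bytes) -> str:
    """Label one 512-byte block: infected, clean, corrupt, or other (unused/non-data)."""
    if block[:4] == INFECTED_MARK:
        return "infected"
    if struct.unpack(">I", block[:4])[0] != T_DATA:
        return "other"
    stored = struct.unpack(">I", block[CHKSUM_OFFSET:CHKSUM_OFFSET + 4])[0]
    return "clean" if stored == block_checksum(block) else "corrupt"

def scan_image(image: bytes) -> dict:
    """Walk a raw disk image block by block; report infected block numbers and counts."""
    report = {"infected": [], "clean": 0, "corrupt": 0, "other": 0}
    for n in range(len(image) // BLOCK_SIZE):
        label = classify_block(image[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE])
        if label == "infected":
            report["infected"].append(n)
        else:
            report[label] += 1
    return report

# Constructed four-block image: clean, virus-marked, bit-flipped, unused (all zeros).
clean = make_data_block(header_key=880, seq=1, payload=b"hello from 1991")
marked = INFECTED_MARK + clean[4:]   # stand-in only; the real sample also encodes the rest
flipped = clean[:100] + bytes([clean[100] ^ 0xFF]) + clean[101:]
SAMPLE_IMAGE = clean + marked + flipped + bytes(BLOCK_SIZE)

if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))   # {'infected': [1], 'clean': 1, 'corrupt': 1, 'other': 1}
```

On a real image the same walk also covers the root block and file headers, which carry the same checksum rule, so a block that is neither marked nor checksum-valid is worth a closer look even when no "IRAK" marker is found.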