[comp.sys.amiga.misc] The TTV1 virus.

bojsen@moria.uucp (Per Bojsen) (06/09/91)

Some time ago somebody mentioned that he had discovered a non-bootblock virus
that would attack the SetPatch program, and create a mysterious file in DEVS:.

A year ago I discovered a virus that seems to fit the description above.  I
dissected it and came up with the following information:


WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING

                                The  TTV1  Virus

WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING

I call this virus the TTV1 virus, since that was the name of the Resident
structure it uses to link itself into the system.  And it was the only
unencrypted name I could find.

This virus is not a bootblock virus!  It is quite capable of attacking
your hard disk.

This is a list of what the virus does:

1) The virus inserts itself into Exec Resident list so that it survives
   reboots.

2) During reboot, the virus code is called.  It then installs a wedge
   pointing to itself into the OpenWindow() Intuition call, by patching
   directly into the jump table of intuition.library, i.e., it does not
   use SetFunction().

3) This wedge will then be activated when the initial boot CLI window is
   opened.

4) The virus now reads the SYS:S/Startup-Sequence file and finds the name
   of the first command executed in the Startup-Sequence.  In 1.3 and 2.0
   systems this is most often the SetPatch program.

5) The command thus found is renamed to some obscure name in DEVS:.  This
   name consists mostly of spaces:  "DEVS:\xA0\xA0\xA0   \xA0   \xA0".
   This name is invisible in Dir listings of the directory.

6) It now creates a new file with the name of the command just removed.
   I.e., most often SetPatch.  It copies itself to this file, and that's
   how the virus gets installed in the system in the first place:  By
   being executed in the Startup-Sequence.

7) After having assured the survival of its species the virus removes the
   wedge from the OpenWindow() call (in a rather simplistic way).  The
   virus will thus be inactive for the rest of the session, but it's still
   there.

8) At last, before transferring control to the original OpenWindow() code
   a subroutine is called.  This subroutine will sometimes display a panel
   with the following message:

                        A VIRUS IS  A DISEASE
                    TERRORISM IS  A TRANSGRESSION
                          PIRACY IS A CRIME

                          THIS IS  THE CURE

                   BGS9  BUNDESGRENZSCHUTZ  ABT. 9

   The message is displayed for approximately one second and as white text
   on a black background.  The last line suggests that the virus is of
   German origin.

As is explained in the above the virus is a normal executable which when
it's executed links itself into your system.  There's nothing to keep it
from installing itself on your hard disk.

NOTE: The description above may not be the whole story!  There may be more
malicious effects that I have not discovered.

Possible signs that your system is infected by the TTV1 virus:

1) If the first command in your Startup-Sequence has changed size or
   date.

2) If the DEVS: directory contains a file without a name, or with an
   `invisible' name, with the size and (possibly) the date of the original
   first command of your Startup-Sequence.

3) Spotting the message panel during reboot.

I don't know if this virus works under 2.0 and/or on the A3000.  I don't
want to try :-)

BTW: I have the virus if you virus detector writers want it!

--
.------------------------------------------------------------------------------.
|  Greetings from Per Bojsen.                                                  |
+------------------------------+-----------------------------------------------+
|  EMail: cbmehq!lenler!bojsen | "Names do have power, after all, that of      |
|     Or: bojsen@dc.dth.dk     |  conjuring images of places we have not seen" |
`------------------------------+-----------------------------------------------'
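The OpenWindow() wedge in steps 2, 3 and 7 above, modelled on the host so the mechanism and its detection can be seen end to end.  This is an added example (Python, not Amiga code, and not the poster's analysis tool).  It assumes the usual Exec library layout: a jump table of 6-byte entries below the library base, each a 68000 `JMP abs.l` (opcode 0x4EF9) followed by a 32-bit big-endian target, with _LVOOpenWindow = -204 as in the Amiga includes; every address in it is made up for the model.  The point it makes beyond the text: a baseline compare of the jump table catches the wedge only while it is installed, and once the virus has put the original target back (step 7) the table is clean again even though the virus is still on disk and in the Resident list.

```python
"""Model of the OpenWindow() jump-table wedge from steps 2, 3 and 7 above.

Added example (host-side Python, not Amiga code and not the poster's tool).
Assumptions: an Exec library's jump table is a run of 6-byte entries below
the library base, each 'JMP abs.l' (opcode 0x4EF9) followed by a 32-bit
big-endian target; _LVOOpenWindow is -204 as in the Amiga includes; every
address below is made up for the model.
"""
import struct
from typing import Dict, List, Tuple

JMP_ABS_L = 0x4EF9        # 68000 'JMP (xxx).L' opcode
ENTRY_SIZE = 6            # 2-byte opcode + 4-byte absolute target
LVO_OPENWINDOW = -204     # _LVOOpenWindow from intuition_lib.i

Entry = Tuple[int, int]   # (opcode, target address)


class FakeMemory:
    """Flat big-endian byte array standing in for 68k address space."""

    def __init__(self, size: int) -> None:
        self.mem = bytearray(size)

    def write_entry(self, base: int, lvo: int, target: int) -> None:
        struct.pack_into(">HI", self.mem, base + lvo, JMP_ABS_L, target)

    def read_entry(self, base: int, lvo: int) -> Entry:
        return struct.unpack_from(">HI", self.mem, base + lvo)


def lvos(neg_size: int) -> List[int]:
    """Offsets of all jump-table entries: -6, -12, ..., -neg_size."""
    return list(range(-ENTRY_SIZE, -neg_size - 1, -ENTRY_SIZE))


def make_library(mem: FakeMemory, base: int, neg_size: int, code_base: int) -> None:
    """Fill a jump table whose entries all point into the library's own code."""
    for i, lvo in enumerate(lvos(neg_size)):
        mem.write_entry(base, lvo, code_base + 0x40 * i)


def snapshot(mem: FakeMemory, base: int, neg_size: int) -> Dict[int, Entry]:
    """Baseline taken from a clean boot: one (opcode, target) per LVO."""
    return {lvo: mem.read_entry(base, lvo) for lvo in lvos(neg_size)}


def wedge_directly(mem: FakeMemory, base: int, lvo: int, hook: int) -> int:
    """Do what the post says the virus does: overwrite the target in place
    without SetFunction(). Returns the old target so the wedge can be undone."""
    _, old_target = mem.read_entry(base, lvo)
    mem.write_entry(base, lvo, hook)
    return old_target


def find_changed(mem: FakeMemory, base: int, neg_size: int,
                 baseline: Dict[int, Entry]) -> List[int]:
    """LVOs whose entry differs from the baseline (opcode or target)."""
    return [lvo for lvo in lvos(neg_size)
            if mem.read_entry(base, lvo) != baseline[lvo]]


def demo() -> Tuple[List[int], List[int]]:
    """Returns (LVOs flagged while the wedge is in, LVOs flagged after removal)."""
    mem = FakeMemory(0x20000)
    intuition_base = 0x8000            # made-up library base
    neg_size = 0x300                   # room for 128 entries
    make_library(mem, intuition_base, neg_size, code_base=0x10000)
    baseline = snapshot(mem, intuition_base, neg_size)

    # Step 2: during reboot the virus points OpenWindow() at its own code.
    old = wedge_directly(mem, intuition_base, LVO_OPENWINDOW, hook=0x1F000)
    while_hooked = find_changed(mem, intuition_base, neg_size, baseline)

    # Step 7: once the first Startup-Sequence command has been replaced, the
    # virus puts the original target back. The table is clean again, but the
    # virus is still on disk and in the Resident list.
    wedge_directly(mem, intuition_base, LVO_OPENWINDOW, hook=old)
    after_removal = find_changed(mem, intuition_base, neg_size, baseline)
    return while_hooked, after_removal


if __name__ == "__main__":
    hooked, clean = demo()
    print("changed while wedged:", hooked)     # [-204]
    print("changed after removal:", clean)     # []
```

A real checker has the same limitation the model shows: a vector compare taken any time after the boot CLI window has opened sees nothing, so the on-disk indicators (renamed first command, hidden file in DEVS:) and the Resident list are the places to look for this one.  Note also that a baseline compare flags any change, including legitimate SetFunction() patches, so it reports "changed", not "infected".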
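The on-disk side of steps 4 to 6 and the three "possible signs" at the end of the post, turned into a check that can be run offline over a copy of an infected volume.  This is an added example (Python, not the poster's tool and not the virus).  It walks a directory tree that mirrors an Amiga SYS: volume, for instance an extracted or mounted hard-disk image, and assumes the layout S/Startup-Sequence, C/ for commands and DEVS/ for devices.  Further assumptions: lines starting with ';' in the Startup-Sequence are comments, the string TTV1 is looked for as a plain byte string because the post names it as the one unencrypted string, and a name counts as "invisible" when it consists only of spaces and 0xA0 bytes as in the name quoted in step 5.  The sample tree it builds is constructed for the demo; the "SetPatch" in it is a dummy that merely contains the marker string.

```python
"""Offline check for the on-disk indicators in the post above (steps 4 to 6
and the 'possible signs' list). Added example, not the poster's tool and not
the virus. It walks a directory tree that mirrors an Amiga SYS: volume, for
instance an extracted or mounted hard-disk image, with this assumed layout:

    <root>/S/Startup-Sequence
    <root>/C/<commands>        (also tried: <root>/<command>)
    <root>/DEVS/

Assumptions: ';' lines in the Startup-Sequence are comments; 'TTV1' is looked
for as a plain byte string, since the post names it as the one unencrypted
string; a name is 'invisible' if it is made only of spaces and 0xA0 bytes.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

INVISIBLE_CODEPOINTS = {0x20, 0xA0}   # space and ISO-8859-1 non-breaking space
MARKER = b"TTV1"                      # Resident structure name reported in the post
HUNK_HEADER = b"\x00\x00\x03\xf3"     # magic at the start of an Amiga executable
HIDDEN_NAME = "\xa0\xa0\xa0   \xa0   \xa0"   # the DEVS: name quoted in step 5

# Constructed sample contents for the demo tree (not real binaries).
SAMPLE_ORIGINAL = HUNK_HEADER + b"original SetPatch (constructed)"
SAMPLE_INFECTED = HUNK_HEADER + b"dummy loader " + MARKER + b"\x00"


def first_command(startup_sequence: bytes) -> Optional[str]:
    """Bare name of the first command run by a Startup-Sequence.

    This is the lookup the virus performs: skip blank and comment lines, take
    the first word of the first real line, and drop any 'DEV:' or 'dir/'
    prefix, so 'C:SetPatch >NIL:' and 'SYS:C/SetPatch' both give 'SetPatch'.
    """
    for raw in startup_sequence.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        token = line.split()[0]
        return token.rsplit("/", 1)[-1].rsplit(":", 1)[-1]
    return None


def is_invisible_name(name: str) -> bool:
    """True if the name prints as blank in a Dir listing."""
    return bool(name) and all(ord(ch) in INVISIBLE_CODEPOINTS for ch in name)


def find_command(root: str, command: str) -> Optional[str]:
    """Locate the command file; AmigaDOS names are case-insensitive."""
    for directory in (os.path.join(root, "C"), root):
        if os.path.isdir(directory):
            for entry in os.listdir(directory):
                path = os.path.join(directory, entry)
                if entry.lower() == command.lower() and os.path.isfile(path):
                    return path
    return None


def scan(root: str) -> Dict[str, object]:
    """Collect the indicators: first command, marker string, hidden DEVS: files."""
    command = None
    ss_path = os.path.join(root, "S", "Startup-Sequence")
    if os.path.isfile(ss_path):
        with open(ss_path, "rb") as fh:
            command = first_command(fh.read())
    path = find_command(root, command) if command else None
    marker = False
    size = None
    if path:
        size = os.path.getsize(path)          # compare with the hidden file's size
        with open(path, "rb") as fh:
            marker = MARKER in fh.read()
    hidden: List[Tuple[bytes, int]] = []
    devs = os.path.join(root, "DEVS")
    if os.path.isdir(devs):
        for entry in os.listdir(devs):
            if is_invisible_name(entry):
                hidden.append((entry.encode("latin-1", "replace"),
                               os.path.getsize(os.path.join(devs, entry))))
    return {"first_command": command, "first_command_path": path,
            "first_command_size": size, "marker_in_first_command": marker,
            "hidden_devs_files": hidden, "suspicious": bool(hidden) or marker}


def build_sample_tree(root: str) -> None:
    """Write a harmless replica of the infected layout the post describes."""
    for sub in ("S", "C", "DEVS"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "S", "Startup-Sequence"), "wb") as fh:
        fh.write(b"; constructed sample\nC:SetPatch >NIL:\nAddBuffers DF0: 20\n")
    with open(os.path.join(root, "C", "SetPatch"), "wb") as fh:
        fh.write(SAMPLE_INFECTED)             # step 6: virus under the old name
    with open(os.path.join(root, "DEVS", HIDDEN_NAME), "wb") as fh:
        fh.write(SAMPLE_ORIGINAL)             # step 5: displaced original
    with open(os.path.join(root, "DEVS", "serial.device"), "wb") as fh:
        fh.write(b"not hidden")


def demo() -> Dict[str, object]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

On a real volume, a hit on the hidden DEVS: entry is the strong signal; the marker string is only a convenience, since nothing stops a later variant from encrypting it too.  The reported sizes are there so the hidden file can be compared by hand with a known-good copy of the first command, which is the "changed size or date" sign from the post.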

lmbailey@vela.acs.oakland.edu (Laurana Bailey) (06/10/91)

I am absolutely amazed that you posted this message on the VERY same
day I saw that message pop up on my A2000. Gonna have to check my HD
now. Thanx for the info.


-- 
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
|Just another lemming...        | Yet another Amiga maniac set loose   | 
|                               | on the world...and you thought things| 
|lmbailey@vela.acs.oakland.edu  | couldn't get any worse.              |

peterk@cbmger.UUCP (Peter Kittel GERMANY) (06/10/91)

In article <19462b67.ARN364d@moria.uucp> cbmehq!moria!bojsen writes:
>
>WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING
>
>                                The  TTV1  Virus
>
>WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING  WARNING
>
>I call this virus the TTV1 virus, since that was the name of the Resident
>structure it uses to link itself into the system.  And it was the only un-
>encrypted name I could find.
>
>                   BGS9  BUNDESGRENZSCHUTZ  ABT. 9

This is why this is normally called the "BGS9" virus.

-- 
Best regards, Dr. Peter Kittel  // E-Mail to  \\  Only my personal opinions... 
Commodore Frankfurt, Germany  \X/ {uunet|pyramid|rutgers}!cbmvax!cbmger!peterk

barrett@jhunix.HCF.JHU.EDU (Dan Barrett) (06/10/91)

In article <19462b67.ARN364d@moria.uucp> cbmehq!moria!bojsen writes:
>A year ago I discovered a virus that seems to fit the description above.  I
>dissected it and came up with the following information:
>                        A VIRUS IS  A DISEASE
>                    TERRORISM IS  A TRANSGRESSION
>...

	This is the "BSG9 Virus".  Virus_Checker version 5.22 removes it.
You can download this program by anonymous ftp from ab20.larc.nasa.gov in
the directory /amiga/utils/virus.

                                                        Dan

 //////////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
| Dan Barrett, Department of Computer Science      Johns Hopkins University |
| INTERNET:   barrett@cs.jhu.edu           |                                |
| COMPUSERVE: >internet:barrett@cs.jhu.edu | UUCP:   barrett@jhunix.UUCP    |
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\/////////////////////////////////////

chucks@pnet51.orb.mn.org (Erik Funkenbusch) (06/11/91)

lmbailey@vela.acs.oakland.edu (Laurana Bailey) writes:
>I am absolutely amazed that you posted this message on the VERY same
>day I saw that message pop up on my A2000. Gonna have to check my HD
>now. Thanx for the info.
Actually this is the BGS9 virus.. it's a VERY old virus, even VirusX handles
it correctly..

.--------------------------------------------------------------------------.
| UUCP: {amdahl!tcnet, crash}!orbit!pnet51!chucks | "I know he's come back |
| ARPA: crash!orbit!pnet51!chucks@nosc.mil        | from the dead, but do  |
| INET: chucks@pnet51.orb.mn.org                  | you really think he's  |
|-------------------------------------------------| moved back in?"        |
| Amiga programmer at large, employment options   | Lou Diamond Philips in |
| welcome, inquire within.                        | "The First Power".     |
`--------------------------------------------------------------------------'

bojsen@moria.uucp (Per Bojsen) (06/11/91)

In article <6941@vela.acs.oakland.edu>, Laurana Bailey writes:

> I am absolutely amazed that you posted this message on the VERY same
> day I saw that message pop up on my A2000. Gonna have to check my HD
> now. Thanx for the info.
>
Actually, I wanted to post the description some time ago, but at that time
I only had a Danish version of it, which I estimated would be of marginal
use for the majority of readers on this net :-)

bojsen@moria.uucp (Per Bojsen) (06/11/91)

In article <1333@cbmger.UUCP>, Peter Kittel GERMANY writes:

> In article <19462b67.ARN364d@moria.uucp> cbmehq!moria!bojsen writes:
>
> >                   BGS9  BUNDESGRENZSCHUTZ  ABT. 9
>
> This is why this is normally called the "BGS9" virus.
>
Ah!  I haven't seen other references to this virus, so I didn't know what
its `official' name is :-)  Do you (or anybody else) know if there are
malicious side effects of being infected with this virus?  Do you know
of virus detectors that catch this one?

stevex@artech.UUCP (Steve Tibbett) (06/15/91)

In article <8623@jhunix.HCF.JHU.EDU> barrett@jhunix.HCF.JHU.EDU (Dan Barrett) writes:
>In article <19462b67.ARN364d@moria.uucp> cbmehq!moria!bojsen writes:
>>A year ago I discovered a virus that seems to fit the description above.  I
>>dissected it and came up with the following information:
>>                        A VIRUS IS  A DISEASE
>>                    TERRORISM IS  A TRANSGRESSION
>>...
>
>	This is the "BSG9 Virus".  Virus_Checker version 5.22 removes it.
>You can download this program by anonymous ftp from ab20.larc.nasa.gov in
>the directory /amiga/utils/virus.

Doesn't VirusX check this?  (I'm at work so I don't have the source handy, 
but I believe VirusX will tell you if this virus is in RAM.  It's an old
virus, been around for quite some time)

--

    ...Steve's Signature (when Steve's at work)...

darrell@comspec.uucp (Darrell Grainger) (06/20/91)

In article <stevex.3282@artech.UUCP> stevex@artech.UUCP (Steve Tibbett) writes:
                [stuff deleted to save space]
>>	This is the "BSG9 Virus".  Virus_Checker version 5.22 removes it.
>>You can download this program by anonymous ftp from ab20.larc.nasa.gov in
>>the directory /amiga/utils/virus.
>
>Doesn't VirusX check this?  (I'm at work so I don't have the source handy, 
>but I believe VirusX will tell you if this virus is in RAM.  It's an old
>virus, been around for quite some time)

 Yes. VirusX 4.00 (and I think 3.20) does detect the BSG9 Virus.

-- 
Darrell Grainger % Comspec Communications Inc., Toronto, Ontario, Canada
darrell@comspec  % Disclaimer: All opinions expressed are my own. 
(416) 617-1475   % (416) 633-5605	(416)785-3553