johnv@tower.actrix.gen.nz (John Veldthuis) (05/04/91)
A new virus was sent to me today that will infect a machine just by sticking a disk in the drive. No need to run any program from it.

It turns out that the disk was not validated and was write-protected. When the disk is inserted in the drive, AmigaDOS kicks in the Disk-Validator, but instead of getting it from the L: directory it gets it from the l directory of the inserted disk. The virus replaced this file with itself, so when AmigaDOS ran it, it infects the machine.

The virus is the same size as the original 1.3 validator and is encrypted. Upon decrypting it, it calls itself the SADDAM virus and has a mention of IRAK. I am not sure what it does when it is triggered, but there is a call to Alert(). It patches itself into the interrupts, TrackDisk, InitResident and OpenWindow calls at various times.

I hope CBM will fix this before 2.0 is finished so that the Validator is called from the L: directory in future and stop this new type of virus.

--
*** John Veldthuis, NZAmigaUG. johnv@tower.actrix.gen.nz ***