jeremym@chopin.udel.edu (Jeremy A Moskowitz) (06/18/91)
---mailed to me by the author for announce... --- jeremy

%%%%% Start of description (this line not included) %%%%%

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
                         The TTV1 Virus
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

I call this virus the TTV1 virus, since that was the name of the Resident
structure it uses to link itself into the system.  And it was the only
unencrypted name I could find.  Peter Kittel mentioned that the virus is
also known as the BGS9 virus.

This virus is not a bootblock virus!  It is quite capable of attacking your
hard disk.

The virus in its inert state is just a normal AmigaDOS executable file.
When this executable is (inadvertently) executed it installs the virus in
the system in much the same way as most other viruses, i.e., so that it
will survive a reboot.  During reboot the virus will be activated and do a
number of things.

First, it will reproduce itself if the disk you booted from was not
infected.  This is done by moving the first command in the Startup-Sequence
into the DEVS: directory and renaming it to an `invisible' name
("DEVS:\xA0\xA0\xA0 \xA0 \xA0" in C syntax).  The virus then recreates an
executable file with the name of the just moved command.  In 1.3 and 2.0
systems the command most often affected is the SetPatch command.

After having reproduced, the virus will sometimes bring up a panel with the
following message:

        A VIRUS IS A DISEASE
        TERRORISM IS A TRANSGRESSION
        PIRACY IS A CRIME
        THIS IS THE CURE
        BGS9 BUNDESGRENZSCHUTZ ABT. 9

The message is displayed for approximately one second as white text on a
black background.  The last line suggests that the virus is of German
origin.  Judging from the code (I examined a good portion of it), the
author is not an expert Amiga programmer.  I located several serious bugs.
These bugs may result in the virus' inability to run under 2.0 or later
versions.
As is explained above, the virus is a normal executable which, when it's
executed, links itself into your system.  There's nothing to keep it from
installing itself on your hard disk.  The information above is enough to
help you understand and diagnose your system in case you think your system
has been infected.  The virus may be *dangerous*.  All viruses, whether
benign or malicious, should be exterminated ASAP.

Possible signs that your system is infected by the TTV1 virus:

  1) If the first command in your Startup-Sequence has changed size or
     date.

  2) If the DEVS: directory contains a file without a name, or with an
     `invisible' name, with the size and (possibly) the date of the
     original first command of your Startup-Sequence.

  3) Spotting the message panel during reboot.

How to exterminate the virus:

  1) Turn off your system for at least 30 seconds and reboot from a
     guaranteed `sterile' (i.e., not infected) copy of your original
     Workbench disk.

  2) Delete the command first executed in the Startup-Sequence of your
     infected Workbench disk or boot partition.  Note that you should
     delete the *command* (which is the virus) and not the line listing it
     in the Startup-Sequence.

  3) Delete the mysterious file in DEVS: with the following command

        1> Delete "DEVS:#? #?"

     which will delete all files with at least three spaces in them.
     Caveat: Make sure you don't have files of your own that match this
     pattern.

  4) Copy the command first executed in the Startup-Sequence from your
     original Workbench disk to the infected disk or partition.

  5) Repeat this process for every infected disk.

I don't know if this virus works under 2.0 and/or on the A3000.  I don't
want to try :-)

BTW: I have the virus if you virus detector writers want it!

%%%%% End of description (this line not included) %%%%%

Please feel free to correct any `bugs' (spelling errors, etc.).

--
.------------------------------------------------------------------------------.
| Greetings from Per Bojsen.                                                   |
+------------------------------+-----------------------------------------------+
| EMail: cbmehq!lenler!bojsen  | "Names do have power, after all, that of      |
| Or:    bojsen@dc.dth.dk      |  conjuring images of places we have not seen" |
`------------------------------+-----------------------------------------------'

---------
jeremym@brahms.udel.edu - Monitor comp.sys.amiga.emulations
Temporary/Fill In moderator of comp.sys.amiga.announce
Send submissions to any of these addresses:
jeremym@chopin.udel.edu   moskowit@sol.udel.edu   jeremym@freezer.acs.udel.edu
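The infection signs and the clean-up steps in the post above amount to a checklist that can be mechanised. The script below is an added example and is not code from the post, from Per Bojsen, or from any Amiga virus checker of the time: it builds a constructed, Amiga-style volume layout (S/Startup-Sequence, C/, DEVS/) in a temporary directory with placeholder bytes standing in for SetPatch and for the virus body, then applies signs 1 and 2 from the post: the first Startup-Sequence command compared by checksum against a sterile copy, and DEVS: scanned for names made only of spaces and 0xA0 bytes, checking whether such a file has the original command's size. Sign 3 (the message panel) is visual and cannot be checked from disk. The assumption that a bare command name resolves to C:<name>, and the sample file contents, are this example's own.

```python
"""Checker for the TTV1/BGS9 infection signs listed in the post (added example)."""
import hashlib
import tempfile
from pathlib import Path

# The hidden copy's name as the post gives it in C syntax:
# "\xA0\xA0\xA0 \xA0 \xA0" (three 0xA0, space, 0xA0, space, 0xA0).
HIDDEN_NAME = "\xa0\xa0\xa0 \xa0 \xa0"
INVISIBLE_CHARS = {" ", "\xa0"}


def first_command(startup_sequence_text):
    """First command word of a Startup-Sequence, skipping blank lines and ';' comments."""
    for line in startup_sequence_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith(";"):
            return stripped.split()[0]
    return None


def invisible_names(devs_dir):
    """Names under DEVS: made only of spaces and 0xA0, i.e. blank in a directory listing."""
    return sorted(p.name for p in Path(devs_dir).iterdir()
                  if p.name and all(ch in INVISIBLE_CHARS for ch in p.name))


def check_volume(root, sterile_command):
    """Apply signs 1 and 2 from the post to a volume rooted at `root`.

    sterile_command: bytes of the first Startup-Sequence command taken from a
    known-clean Workbench disk, the reference the post recommends.
    Returns a list of findings; an empty list means neither sign matched.
    """
    root = Path(root)
    findings = []
    seq = (root / "S" / "Startup-Sequence").read_text(encoding="latin-1")
    cmd = first_command(seq)
    if cmd is None:
        return ["Startup-Sequence contains no command"]
    # Assumption for this example: a bare command name resolves to C:<name>.
    cmd_path = root / "C" / cmd
    sterile_digest = hashlib.sha256(sterile_command).hexdigest()
    if cmd_path.exists():
        digest = hashlib.sha256(cmd_path.read_bytes()).hexdigest()
        if digest != sterile_digest:
            findings.append(f"sign 1: C:{cmd} differs from the sterile copy "
                            f"({digest[:12]}... vs {sterile_digest[:12]}...)")
    for name in invisible_names(root / "DEVS"):
        findings.append(f"sign 2: DEVS: holds an invisible name {name.encode('latin-1')!r}")
        if (root / "DEVS" / name).stat().st_size == len(sterile_command):
            findings.append(f"sign 2: its size ({len(sterile_command)} bytes) "
                            f"equals the original {cmd}")
    return findings


def build_sample_volume(infected=True):
    """Constructed sample volume in a temp dir; returns (root, sterile command bytes).

    Contents are placeholder bytes, not real Amiga binaries and not the virus.
    """
    root = Path(tempfile.mkdtemp(prefix="ttv1-sample-"))
    for d in ("S", "C", "DEVS"):
        (root / d).mkdir()
    (root / "S" / "Startup-Sequence").write_text(
        "; constructed Startup-Sequence\nSetPatch >NIL:\nAddBuffers df0: 20\n",
        encoding="latin-1")
    original = b"placeholder bytes standing in for the sterile SetPatch"
    if infected:
        # The virus moves the real first command into DEVS: under the invisible name...
        (root / "DEVS" / HIDDEN_NAME).write_bytes(original)
        # ...and recreates a file under the original name that is really the virus.
        (root / "C" / "SetPatch").write_bytes(b"placeholder bytes standing in for the virus")
    else:
        (root / "C" / "SetPatch").write_bytes(original)
    return root, original


if __name__ == "__main__":
    for label, infected in (("infected", True), ("clean", False)):
        root, sterile = build_sample_volume(infected)
        print(label, check_volume(root, sterile) or ["no signs found"])
```

The checksum comparison is the point worth keeping: the post's sign 1 (changed size or date) is easy for a virus author to fake, whereas a digest against a copy taken from a sterile disk is not. The DEVS: scan deliberately matches any name built only from spaces and 0xA0 rather than the one exact name, since the post's cure step 3 already treats the pattern, not the exact name, as the indicator.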