
Conference hydra::amiga_v1

Title:AMIGA NOTES
Notice:Join us in the *NEW* conference - HYDRA::AMIGA_V2
Moderator:HYDRA::MOORE
Created:Sat Apr 26 1986
Last Modified:Wed Feb 05 1992
Last Successful Update:Fri Jun 06 1997
Number of topics:5378
Total number of notes:38326

3699.0. "Virus warning..." by FROCKY::BALZER (Christian Balzer DTN:785-1029) Fri Apr 20 1990 05:28


    Following is text by my fellow Software-Brewer Heiko Rath, which I also
    posted to comp.virus...

------
On the 03-Apr-1990 I discovered a virus that no anti-virus program
available detected. I therefore started my own private investigations
and disassembled the f*c*i*g virus.

The JEFF-Virus			disassembled & commented by <HR> 3.4.1990
--------------

First of all this virus is not a malicious one and your data remain relatively
safe even when it is active. BUT this thing is not programmed in an
operating system friendly way, therefore under some special circumstances you
could lose some data on a disk through some side effects. Good news: the Jeff-
virus is a floppydisk dependent virus, it won't hit the harddisk.

If one of your disks is infected, you will probably sooner or later see a
message appearing in a window dragbar. Another thing you might experience is
that after a reset an Alert appears, saying something like:

	JEFF's speaking here
	(w) by the genious BUTONIC
	HV 3.00/9.2.89-Gen.xxxxx	<- xxxxx generation count
	Greetings to *Hackmack*,*Atlantic*,
	Alex,Frank,Wolfram,Gerlach,Miguel,Klaus,Snoopy-Data!

You can provoke this Alert by pressing the 'y'-key on the German keyboard
(on the American keyboard this would be the 'z' key) while holding both
mousebuttons during the reset.

The possible window dragbar messages with their translations are (they are
usually encrypted inside the virus):

*** I changed the German Umlaut characters to their ASCII form, i.e. an
*** Umlaut-a becomes ae. <CB>

	- Ich brauch jetzt Alk'!
	  =	I need some alcohol!
	- Bitte keinen Wodka!
	  =	No vodka please!!
	- Stau auf Datenbus bei Speicherkilometer 128!
	  =	Traffic jam on the databus at memorykilometer 128!
	- Mehr Buszyklen fuer den Prozessor!
	  =	More buscycles for the processor!
	- Ein dreifach MITLEID fuer Atari ST!
	  =	3 times pity for the Atari ST!
	- (c)89 by BUTONIC
	- PC/XT: Spendenkonto 004...
	  =	PC/XT: charity account 004...
	- Freiheit fuer den Tastaturprozessor!
	  =	Freedom for the keyboard processor!
	- C fuer Looser
	  =	C for losers
	- Paula meint, Agnus sei zu dick
	  =	Paula thinks Agnus is too fat
	- Die CPU braucht etwas Schmieroel
	  =	The cpu needs some lubricating oil
	- C64 - jetzt mit Pampers im 3erPack
	  =	C64 - now with diapers in a threepack
	- JEFF=ungefaehrlich+schuetzt vor Viren
	  =	JEFF=harmless+protects from viruses

If you're using the reset-resident ramdisk from Commodore (RAD:) and it won't
work anymore, then chances are that you got hit by the Jeff-Virus. This is
because the virus author didn't design his creature after the OS rules,
resulting in some incompatibilities... (Good for us that these virus guys
don't have brains). If you're using other programs that use the KickTagPtr,
these also will stop working.

If your system has some fastmem, the virus will probably be unable to make
itself reset-resident. BUT it usually gets started from the startup-sequence
anyway and after this is present in your system.

The author of this beast designed a hidden switch inside the virus, so that it
is relatively easy to zap it from memory. When you press both mousebuttons
while holding the left-ALT key, the screen flashes for a short while in a
medium green color. If you press the left-AMIGA key during that flash, then
the virus removes itself from memory!

Also note: the Jeff-virus is only capable of infecting disks where the file
s/startup-sequence is present and is smaller than 480 Bytes. This means for
you, if your startup-sequence is bigger than 479 Bytes, you won't get
infected!

The virus checks every DoIO, if the io_Request Command = Read and the sector-
number = 880 = RootBlock. If this is not the case, it just falls through to
the original DoIO. When this is the case, the virus reads the Rootblock and
the BitMap of the disk and tries to find 7 free sectors. After this it tries
to find the startup-sequence & infects the disk only, if the startup-sequence
is smaller than 480 Bytes. It does this by inserting its own name at the
beginning of the startup-sequence and copying itself into the rootdirectory.
The name it's using consists of three characters and is '   ' or hex $A0A0A0;
As you can see, you see nothing, because it looks just like 3 blanks. I'd
propose using a diskmanaging program like Filebrowser or ClickMouse to see
that such a strange file exists. The viruslength is 2916 Bytes and the
filecomment of the virus is ' 2A' or hex $9B3241.

Conditions that must be true for the virus to infect a disk:
- disk must not be writeprotected
- disk must have at least 7 free sectors
- the file s/startup-sequence must be present on the disk
- the file s/startup-sequence must be smaller than 480 Bytes
- the file s/startup-sequence must not start with '   A' = $A0209B41
  or '    ' = $A0A0209B or '     A' = $A0A0A0209B41

To zap that sucker one would have to remove it from memory with the method
mentioned above (press both mousebuttons, left-ALT & then left-AMIGA) and then
to remove the first line of the infected startup-sequences and delete the
virus itself with the help of a diskbrowser tool...

	If anybody knows the name and address of the sucker who
	wrote this virus, please let me know, so that I can send
	him some adequate greetings, like a cute little letterbomb!!!

Heiko

...!cbmvax!cbmehq!cbmger!brewas!brewhr!HR

or Snail-Mail:

Heiko Rath
Raiffeisenstr.10A
D-6108 Weiterstadt
WEST GERMANY

P.S. I tried to remove the Jeff-virus from a disk with SID V1.06 and
     SID crashed horribly... In my opinion SID is not capable of handling
     filenames that contain control characters... :-(

------

You folks may send mail for Heiko also to me...
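As an added example (not code from the post or from Heiko's disassembly), here is a small Python checker that applies the indicators and infection conditions listed above to a constructed in-memory model of a floppy; the Disk/DirEntry classes and the byte values for the sample disk are assumptions for illustration, not an ADF parser.

```python
# Defensive checker for the JEFF indicators described in the post.
# Added example; the Disk/DirEntry model below is a constructed stand-in
# for a real root directory and s/startup-sequence file.
from dataclasses import dataclass
from typing import List, Optional

JEFF_NAME = b"\xa0\xa0\xa0"        # file name '   ' = $A0A0A0, looks like 3 blanks
JEFF_COMMENT = b"\x9b\x32\x41"     # file comment ' 2A' = $9B3241
JEFF_LENGTH = 2916                 # virus file length in bytes
STARTUP_LIMIT = 480                # only startup-sequences < 480 bytes get infected
MIN_FREE_SECTORS = 7
# prefixes the virus refuses to infect (from the conditions list)
SKIP_PREFIXES = (b"\xa0\x20\x9b\x41", b"\xa0\xa0\x20\x9b", b"\xa0\xa0\xa0\x20\x9b\x41")


@dataclass
class DirEntry:
    name: bytes
    size: int
    comment: bytes = b""


@dataclass
class Disk:
    write_protected: bool
    free_sectors: int
    root: List[DirEntry]                 # entries of the root directory
    startup_sequence: Optional[bytes]    # s/startup-sequence bytes, None if absent


def jeff_indicators(disk: Disk) -> List[str]:
    """Return the JEFF infection indicators found on the disk (empty = clean)."""
    found = []
    for e in disk.root:
        if e.name == JEFF_NAME:
            found.append("root entry named $A0A0A0")
            if e.size == JEFF_LENGTH:
                found.append("entry has the JEFF length 2916")
            if e.comment == JEFF_COMMENT:
                found.append("entry has comment $9B3241")
        elif any(c in (0xA0, 0x9B) for c in e.name):
            found.append("name contains $A0/$9B control characters")
    ss = disk.startup_sequence
    if ss is not None and ss.split(b"\n", 1)[0].startswith(JEFF_NAME):
        found.append("startup-sequence first line starts with $A0A0A0")
    return found


def jeff_can_infect(disk: Disk) -> bool:
    """Apply the five infection conditions listed in the post."""
    ss = disk.startup_sequence
    return (not disk.write_protected
            and disk.free_sectors >= MIN_FREE_SECTORS
            and ss is not None
            and len(ss) < STARTUP_LIMIT
            and not ss.startswith(SKIP_PREFIXES))
```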