TTV1 and LAMER V3.0 - Two new viruses on the Amiga!
I want to inform you about a new virus which is doing its work on several disks. I detected this new virus because the Kickstart I'm using warns you if a vector gets changed. So I saw that something had changed some vectors. There was nothing on the bootblock, so it had to be something else. I checked the startup-sequence and checked which command could change the vectors. It was the border on/off command. Only when this command was loaded did the vectors get changed. Because of this, it had to be a linkvirus.
Com of Brainstorm and I reassembled the virus and detected that it is coded. So you must first decode it if you want to read it. If it's a virus, it must use the system functions, like Open / Close or so, if it wants to write something on the disk. We found this in the source, so it had to be a virus. We also detected the name "TTV1" in the ASCII dump. We took Xoper and looked to see if this resident program has a name. It had. Its name was ... what do you think ??? ... yes, TTV1.
Now the only problem was to find out what the virus affects. After a test I found out: this virus is activated after a reset. It takes the first file in the startup-sequence and renames this file to a filename with some spaces. Then the virus takes the name the program had before. If you now load the program, the virus is loaded, and then the virus reloads the original program, which is on the disk under a name with some spaces. So it happens that a file which had, for example, 100KB now has only 2KB, but the 100KB file is still on the disk.
When I ran this test, the virus put the renamed program in the devs directory. But it could also be that the virus writes the renamed program to a different place on the disk each time. (Sorry, but I didn't have enough time to test all possibilities.)
So I wrote a Viruskiller which detects and kills the TTV1 virus in memory. Watch out for the soon to be released Viruskiller by Orlando of Brainstorm called: 'VCHECK V1.0'
P.S. This Viruskiller will also detect and kill the new Lamer Exterminator V3.0.
Short description of the Lamer V3.0: It formats disks. It writes itself on the bootblock, but the bootblock won't be destroyed, because it copies the original bootblock to blocks 2 and 3. Now if you boot from an infected disk, the bootblock with the virus will be loaded into memory, and then the virus loads blocks 2 and 3 and executes the program which is there as a normal bootblock. So the virus can also be on disks which load directly from the bootblock. (For example most of the games...)
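The description above implies a simple check on a disk image: blocks 2 and 3 should not contain a second, valid bootblock. The following is an added example, not code from the original article or from VCHECK; it assumes a standard 880 KB floppy image (512-byte blocks), assumes the relocated copy keeps its "DOS" ID and checksum, and runs on constructed sample images with placeholder boot code.

```python
import struct

BLOCK = 512            # Amiga floppy block size in bytes
BOOT_LEN = 2 * BLOCK   # a bootblock spans two blocks (0 and 1)

def carry_sum(data: bytes) -> int:
    """Add big-endian longwords with end-around carry, as the boot checksum does."""
    total = 0
    for (word,) in struct.iter_unpack(">I", data):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def is_valid_bootblock(boot: bytes) -> bool:
    """True for 1024 bytes that start with 'DOS' and carry a correct checksum."""
    return (len(boot) == BOOT_LEN and boot[:3] == b"DOS"
            and carry_sum(boot) == 0xFFFFFFFF)

def has_displaced_bootblock(image: bytes) -> bool:
    """Flag an image whose blocks 2-3 hold a second, valid bootblock."""
    return is_valid_bootblock(image[BOOT_LEN:2 * BOOT_LEN])

def make_bootblock(code: bytes) -> bytes:
    """Build a constructed, correctly checksummed bootblock for the demo."""
    boot = bytearray((b"DOS\0" + bytes(4) + struct.pack(">I", 880) + code)
                     .ljust(BOOT_LEN, b"\0"))
    struct.pack_into(">I", boot, 4, ~carry_sum(bytes(boot)) & 0xFFFFFFFF)
    return bytes(boot)

def make_image(*parts: bytes) -> bytes:
    """Constructed 880 KB image: the given parts first, zero-filled after."""
    return b"".join(parts).ljust(1760 * BLOCK, b"\0")

# Constructed sample data; the "code" strings are inert placeholders.
ORIGINAL = make_bootblock(b"original boot code (placeholder)")
RESIDENT = make_bootblock(b"replacement boot code (placeholder)")
CLEAN = make_image(ORIGINAL)                 # blocks 2-3 are empty
DISPLACED = make_image(RESIDENT, ORIGINAL)   # original moved to blocks 2-3

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("displaced", DISPLACED)):
        print(name, "-> second bootblock at blocks 2-3:",
              has_displaced_bootblock(img))
```

A hit is an indicator to investigate rather than proof, since ordinary file data stored at block 2 could also happen to be a bootblock copy.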
Note: All statements without any warranty of completeness.
This article originally appeared in the Amiga diskmagazine "Zine #1" by Brainstorm 1989.
Some content may refer to activities that are illegal in some countries. BitFellas does not support such activity.
Addresses and other contact information were only valid when this magazine was originally published, in October of 1989.