Path: utzoo!attcan!uunet!comp.vuw.ac.nz!actrix!tower!johnv
From: johnv@tower.actrix.co.nz (John Veldthuis)
Newsgroups: comp.sys.amiga
Subject: Re: New Virus
Keywords: virus
Message-ID: <2798.tnews@tower.actrix.co.nz>
Date: 2 Oct 90 23:15:30 GMT
Followup-To: comp.sys.amiga
Organization: Amiga Virus Extermination Services, NZAmigaUG :).
Lines: 23

Quoted from - olson@uhunix1.uhcc.Hawaii.Edu (Todd Olson):
>
> It must be my lucky year! I found a new virus (again). This
> one manifests itself in a so-called "new" version of unwarp, version 1.4.
> The virus is integrated into the unwarp file. The virus is written
> by the Centurions. It changes the KickTagPtr, and it contains some text
> that I scanned from memory.

[text deleted]

After a quick disassembly of the virus I found that it lives in the
memory area of $7f000 and takes over the trackdisk BeginIO vector. It also
has a Romtag to survive reboots and patches the exec SumKickData vector.
It waits for reads to the bootblock of a disk, then looks for the first
command in the startup-sequence. If the disk is not write protected it will
add itself to the start of this file as a code hunk. It adds 3196 bytes to
the program it infects. The data in the file is encrypted and after every
ten copies it will change the pointer to a smiley face that has text
scrolling under it. To do the smiley face it goes into the private stuff of
the graphics.library and bombed out when I ran CED to alter a file.
It does its copying at the block level and not the file level.

--
*** John Veldthuis, NZAmigaUG. johnv@tower.actrix.co.nz ***
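A defender's check based on the two observable changes described in the post above (a code hunk added at the start of the file, 3196 bytes of growth), written as an added Python example that is not part of the original post. It compares a suspect AmigaDOS load file with a known-good copy; the function names, the zero-filled sample files, and the assumption that the new hunk plus its header overhead accounts for all 3196 bytes are constructed for illustration.

```python
import struct

HUNK_CODE, HUNK_END, HUNK_HEADER = 0x3E9, 0x3F2, 0x3F3
ADDED_BYTES = 3196  # growth per infected program, as reported in the post

def layout(data):
    """Return (hunk sizes in bytes, type of first hunk) of a load file."""
    if struct.unpack_from(">I", data, 0)[0] != HUNK_HEADER:
        raise ValueError("not an AmigaDOS load file")
    pos = 4
    while True:  # resident library names, terminated by a zero longword
        n = struct.unpack_from(">I", data, pos)[0]
        pos += 4
        if n == 0:
            break
        pos += 4 * n
    _table, first, last = struct.unpack_from(">3I", data, pos)
    pos += 12
    raw = struct.unpack_from(">%dI" % (last - first + 1), data, pos)
    if any(s >> 30 == 3 for s in raw):
        raise ValueError("extended memory attributes not handled here")
    pos += 4 * len(raw)
    sizes = [(s & 0x3FFFFFFF) * 4 for s in raw]  # top 2 bits: memory flags
    return sizes, struct.unpack_from(">I", data, pos)[0] & 0x3FFFFFFF

def compare_to_baseline(clean, suspect):
    """Compare a suspect file with a known-good copy of the same program."""
    c_sizes, _ = layout(clean)
    s_sizes, s_type = layout(suspect)
    growth = len(suspect) - len(clean)
    return {
        "growth": growth,
        "matches_reported_growth": growth == ADDED_BYTES,
        # original hunks intact but shifted down by one new leading code hunk
        "prepended_code_hunk": s_type == HUNK_CODE and s_sizes[1:] == c_sizes,
    }

def make_load_file(bodies):
    """Build a constructed load file whose hunks are all code hunks."""
    n = len(bodies)
    out = struct.pack(">5I", HUNK_HEADER, 0, n, 0, n - 1)
    out += b"".join(struct.pack(">I", len(b) // 4) for b in bodies)
    for b in bodies:
        out += struct.pack(">2I", HUNK_CODE, len(b) // 4) + b
        out += struct.pack(">I", HUNK_END)
    return out

# Constructed samples: zero-filled hunks, no real code or virus bytes.
# 16 = one header size entry + hunk type + hunk length + HUNK_END.
CLEAN = make_load_file([bytes(400)])
SUSPECT = make_load_file([bytes(ADDED_BYTES - 16), bytes(400)])
```

Because the post says the copying happens at the block level, a check like this belongs on a file read from a write-protected disk on a machine booted clean.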