Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!wuarchive!uunet!cbmvax!cbmehq!cbmdeo!lenler!moria!bojsen
From: bojsen@moria.uucp (Per Bojsen)
Newsgroups: comp.sys.amiga.misc
Subject: The TTV1 virus.
Message-ID: <19462b67.ARN364d@moria.uucp>
Date: 9 Jun 91 16:50:31 GMT
Reply-To: cbmehq!moria!bojsen
Followup-To: comp.sys.amiga.misc
Organization: IDUN-Soft Aps.
Lines: 97

Some time ago somebody mentioned that he had discovered a non-bootblock
virus that would attack the SetPatch program and create a mysterious file
in DEVS:.  A year ago I discovered a virus that seems to fit the
description above.  I dissected it and came up with the following
information:

WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
                            The TTV1 Virus
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING

I call this virus the TTV1 virus, since that was the name of the Resident
structure it uses to link itself into the system, and it was the only
unencrypted name I could find.

This virus is not a bootblock virus!  It is quite capable of attacking
your hard disk.

This is a list of what the virus does:

 1) The virus inserts itself into the Exec Resident list so that it
    survives reboots.

 2) During reboot, the virus code is called.  It then installs a wedge
    pointing to itself into the OpenWindow() Intuition call, by patching
    directly into the jump table of intuition.library, i.e., it does not
    use SetFunction().

 3) This wedge is then activated when the initial boot CLI window is
    opened.

 4) The virus now reads the SYS:S/Startup-Sequence file and finds the name
    of the first command executed in the Startup-Sequence.  On 1.3 and 2.0
    systems this is most often the SetPatch program.

 5) The command thus found is renamed to an obscure name in DEVS:.  This
    name consists mostly of spaces: "DEVS:\xA0\xA0\xA0 \xA0 \xA0" (\xA0 is
    the non-breaking space of the Amiga's Latin-1 character set).  The name
    is invisible in Dir listings of the directory.

 6) It now creates a new file with the name of the command just removed,
    i.e., most often SetPatch, and copies itself to this file.  That is how
    the virus gets installed in the system in the first place: by being
    executed from the Startup-Sequence.

 7) After having assured the survival of its species, the virus removes the
    wedge from the OpenWindow() call (in a rather simplistic way).  The
    virus is thus inactive for the rest of the session, but it is still
    there.

 8) At last, before transferring control to the original OpenWindow() code,
    a subroutine is called.  This subroutine will sometimes display a panel
    with the following message:

        A VIRUS IS A DISEASE
        TERRORISM IS A TRANSGRESSION
        PIRACY IS A CRIME
        THIS IS THE CURE
        BGS9 BUNDESGRENZSCHUTZ ABT. 9

    The message is displayed for approximately one second, as white text
    on a black background.  The last line suggests that the virus is of
    German origin.

As explained above, the virus is a normal executable which, when executed,
links itself into your system.  There is nothing to keep it from installing
itself on your hard disk.

NOTE: The description above may not be the whole story!  There may be more
malicious effects that I have not discovered.

Possible signs that your system is infected by the TTV1 virus:

 1) The first command in your Startup-Sequence has changed size or date.

 2) The DEVS: directory contains a file without a name, or with an
    `invisible' name, with the size and (possibly) the date of the
    original first command of your Startup-Sequence.

 3) Spotting the message panel during reboot.

I don't know if this virus works under 2.0 and/or on the A3000.  I don't
want to try :-)

BTW: I have the virus if you virus detector writers want it!

--
.------------------------------------------------------------------------------.
| Greetings from Per Bojsen.                                                   |
+------------------------------+-----------------------------------------------+
| EMail: cbmehq!lenler!bojsen  | "Names do have power, after all, that of      |
| Or:    bojsen@dc.dth.dk      |  conjuring images of places we have not seen" |
`------------------------------+-----------------------------------------------'
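The two offline-checkable signs from the post (first command changed size, an invisible-name entry in DEVS:) are easy to turn into a script. The following is an added example, not part of the original post and not Per Bojsen's code. It assumes a SYS: volume is available as an ordinary directory tree (S/Startup-Sequence, C/ and DEVS/ under one root, e.g. a disk image mounted on another machine), that the first command of the Startup-Sequence is looked up in C/, and that the clean size of that command is known from a baseline such as the Workbench distribution disk. The sample tree it builds is constructed data, not a real infected disk. It goes slightly beyond the post by accepting both the `SetPatch` and `C:SetPatch`/`SYS:C/SetPatch` spellings of the first command.

```python
"""Heuristic check for the TTV1 infection signs listed in the post above.

Added example, not part of the original post.  Assumptions: SYS: is a plain
directory tree with S/Startup-Sequence, C/ and DEVS/ under it; the first
command is resolved in C/; its clean size is known from a baseline.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Characters the virus spells its hidden DEVS: name with: the space and 0xA0,
# the non-breaking space of the Amiga's Latin-1 character set.
INVISIBLE = set(" \xa0")


def first_command(startup_sequence: str) -> Optional[str]:
    """Return the name of the first command in an AmigaDOS script.

    Blank lines and ';' comments are skipped.  A device or path prefix is
    stripped, so 'C:SetPatch >NIL:' and 'SYS:C/SetPatch' both give 'SetPatch'.
    """
    for line in startup_sequence.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        token = line.split()[0]
        return token.rsplit(":", 1)[-1].rsplit("/", 1)[-1]
    return None


def invisible_names(devs_dir: str) -> List[str]:
    """Entries in DEVS: whose names consist only of spaces / 0xA0 (sign 2)."""
    return [name for name in os.listdir(devs_dir) if set(name) <= INVISIBLE]


def check_sys(sys_dir: str, baseline_size: int) -> Dict[str, object]:
    """Apply signs 1 and 2 from the post to a SYS:-like tree."""
    with open(os.path.join(sys_dir, "S", "Startup-Sequence"), encoding="latin-1") as fh:
        cmd = first_command(fh.read())
    report: Dict[str, object] = {"first_command": cmd, "size_changed": False}
    if cmd is not None:
        cmd_path = os.path.join(sys_dir, "C", cmd)
        if os.path.isfile(cmd_path):
            report["size_changed"] = os.path.getsize(cmd_path) != baseline_size
    report["hidden_in_devs"] = invisible_names(os.path.join(sys_dir, "DEVS"))
    return report


def build_infected_sample() -> Tuple[str, int]:
    """Construct a throwaway SYS: tree showing both signs (constructed data,
    not a real disk image).  Returns the tree root and the clean size."""
    root = tempfile.mkdtemp(prefix="ttv1_")
    for sub in ("S", "C", "DEVS"):
        os.mkdir(os.path.join(root, sub))
    with open(os.path.join(root, "S", "Startup-Sequence"), "w", encoding="latin-1") as fh:
        fh.write("; Workbench 1.3 startup\nC:SetPatch >NIL:\nAddBuffers df0: 20\n")
    clean = b"\x00\x00\x03\xf3" + b"\x00" * 1000     # stand-in for the real SetPatch
    virus = b"\x00\x00\x03\xf3" + b"\x00" * 2300     # stand-in for the virus body
    # Step 5 of the post: original renamed to the invisible DEVS: name.
    with open(os.path.join(root, "DEVS", "\xa0\xa0\xa0 \xa0 \xa0"), "wb") as fh:
        fh.write(clean)
    # Step 6 of the post: virus written under the original command's name.
    with open(os.path.join(root, "C", "SetPatch"), "wb") as fh:
        fh.write(virus)
    return root, len(clean)


if __name__ == "__main__":
    sample, clean_size = build_infected_sample()
    print(check_sys(sample, clean_size))
```

Running the script reports `first_command` as `SetPatch`, `size_changed` as true and one hidden entry in DEVS:. In real use the date comparison the post also mentions belongs next to the size check, and the entries returned by `invisible_names()` should be inspected for having the size of the original first command, which is what distinguishes this virus from a stray empty-named file.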