Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!erd
From: erd@tut.cis.ohio-state.edu (Ethan R. Dicks)
Newsgroups: comp.sys.amiga
Subject: Interesting boot block I found... (long)
Keywords: SCA !!! NON-VIRAL !!!
Message-ID: <13348@tut.cis.ohio-state.edu>
Date: 15 May 88 17:53:51 GMT
Distribution: na
Organization: The Ohio State University Dept of Computer and Information Science
Lines: 92

I recently was helping another friend flush the scourge of viruses from his
disks, when I came across an interesting boot block, using ViewBoot.

I have since written a program to read the boot block and save it to a 1024
byte file, or write a 1024 block file to the boot block. I have been saving
viruses for some time now, but it was inconvenient to have one disk per virus.
After I clean up the code, I will send it to the moderators.

Here is this most amazing boot block... (it passes through VirusX _and_
Vcheck1.9)

0000: 444F5300 37FCBB02 8721CBF9 43FA0018  DOS.7....!..C...
0010: 4EAEFFA0 4A80670A 20402068 00167000  N...J.g. @ h..p.
0020: 4E7570FF 60FA646F 732E6C69 62726172  Nup.`.dos.librar
0030: 79000000 F0000000 54484953 20424F4F  y.......THIS BOO
0040: 54424C4F 434B2043 414E4E4F 54204245  TBLOCK CANNOT BE
0050: 20494E46 45435445 44204259 20544845   INFECTED BY THE
0060: 20534341 2D564952 55532C20 42454341   SCA-VIRUS, BECA
0070: 55534520 49542057 41532047 454E4552  USE IT WAS GENER
0080: 41544544 20574954 48205448 45205649  ATED WITH THE VI
0090: 5255532D 50524F54 4543544F 52205631  RUS-PROTECTOR V1
00A0: 2E302042 59205448 45204D45 47412D4D  .0 BY THE MEGA-M
00B0: 49474854 59205357 49535320 43524143  IGHTY SWISS CRAC
00C0: 4B494E47 20415353 4F434941 54494F4E  KING ASSOCIATION
00D0: 20212121 000000F0 00000000 00000000   !!!............
00E0: 00000000 00000000 00000000 00000000  ................
00F0: 00000000 00000000 00000000 00000000  ................
0100: 00000000 00000000 00000000 00000000  ................
0110: 00000000 00000000 00000000 00000000  ................
0120: 00000000 00000000 00000000 00000000  ................
0130: 00000000 00000000 00000000 00000000  ................
0140: 00000000 00000000 00000000 00000000  ................
0150: 00000000 00000000 00000000 00000000  ................
0160: 00000000 00000000 00000000 00000000  ................
0170: 00000000 00000000 00000000 00000000  ................
0180: 00000000 00000000 00000000 00000000  ................
0190: 00000000 00000000 00000000 00000000  ................
01A0: 00000000 00000000 00000000 00000000  ................
01B0: 00000000 00000000 00000000 00000000  ................
01C0: 00000000 00000000 00000000 00000000  ................
01D0: 00000000 00000000 00000000 00000000  ................
01E0: 00000000 00000000 00000000 00000000  ................
01F0: 00000000 00000000 00000000 00000000  ................
0200: 00000000 00000000 00000000 00000000  ................
0210: 00000000 00000000 00000000 00000000  ................
0220: 00000000 00000000 00000000 00000000  ................
0230: 00000000 00000000 00000000 00000000  ................
0240: 00000000 00000000 00000000 00000000  ................
0250: 00000000 00000000 00000000 00000000  ................
0260: 00000000 00000000 00000000 00000000  ................
0270: 00000000 00000000 00000000 00000000  ................
0280: 00000000 00000000 00000000 00000000  ................
0290: 00000000 00000000 00000000 00000000  ................
02A0: 00000000 00000000 00000000 00000000  ................
02B0: 00000000 00000000 00000000 00000000  ................
02C0: 00000000 00000000 00000000 00000000  ................
02D0: 00000000 00000000 00000000 00000000  ................
02E0: 00000000 00000000 00000000 00000000  ................
02F0: 00000000 00000000 00000000 00000000  ................
0300: 00000000 00000000 00000000 00000000  ................
0310: 00000000 00000000 00000000 00000000  ................
0320: 00000000 00000000 00000000 00000000  ................
0330: 00000000 00000000 00000000 00000000  ................
0340: 00000000 00000000 00000000 00000000  ................
0350: 00000000 00000000 00000000 00000000  ................
0360: 00000000 00000000 00000000 00000000  ................
0370: 00000000 00000000 00000000 00000000  ................
0380: 00000000 00000000 00000000 00000000  ................
0390: 00000000 00000000 00000000 00000000  ................
03A0: 00000000 00000000 00000000 00000000  ................
03B0: 00000000 00000000 00000000 00000000  ................
03C0: 00000000 00000000 00000000 00000000  ................
03D0: 00000000 00000000 00000000 00000000  ................
03E0: 00000000 00000000 00000000 00000000  ................
03F0: 00000000 00000000 00000000 00000000  ................

Pretty strange huh? Perhaps some Virus examiner could explain why it works?

My bets are on the byte immediately following the boot code, $F0. I think the
virus looks for this magic cookie when deciding whether to spread or increment
a counter.

-ethan
--
Ethan R. Dicks       | ######  This signifies that the poster is a member in
                     |   ##    good sitting of Inertia House: Bodies at rest.
This space for rent  |   ##
                     | ######  "You get it, you're closer."
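
Added example, not part of the original post and not the program the poster mentions: a small inspector for dumps in the row format used above. It rebuilds the bytes, checks the DOS magic and the Amiga boot block checksum (the 256 longwords, summed with end-around carry, must come to 0xFFFFFFFF), and lists embedded text. The function names are hypothetical, and the sample is only the first three rows of the dump, zero-padded to 1024 bytes.

```python
import re
import struct

# First three rows of the dump in the post; a full dump has 64 rows (1024 bytes).
SAMPLE_ROWS = """\
0000: 444F5300 37FCBB02 8721CBF9 43FA0018 DOS.7....!..C...
0010: 4EAEFFA0 4A80670A 20402068 00167000 N...J.g. @ h..p.
0020: 4E7570FF 60FA646F 732E6C69 62726172 Nup.`.dos.librar
"""
ROW = re.compile(r"\s*([0-9A-Fa-f]{4}):((?:\s+[0-9A-Fa-f]{8}){4})")

def parse_dump(text):
    """Rebuild bytes from 'OFFS: 4 x longword  ascii' rows, rejecting gaps."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # prose or blank line around the dump
        if int(m.group(1), 16) != len(out):
            raise ValueError("row %s does not follow the previous row" % m.group(1))
        out += bytes.fromhex("".join(m.group(2).split()))
    return bytes(out)

def bootblock_sum(block):
    """Add the big-endian longwords, wrapping each carry back into the sum."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def with_valid_checksum(block):
    """Return a copy whose checksum longword (bytes 4-7) makes the sum 0xFFFFFFFF."""
    b = bytearray(block)
    b[4:8] = bytes(4)
    b[4:8] = struct.pack(">I", ~bootblock_sum(b) & 0xFFFFFFFF)
    return bytes(b)

def inspect(block):
    """Summarise what a boot block checker would look at first."""
    return {
        "size_ok": len(block) == 1024,
        "dos_magic": block[:3] == b"DOS",
        "checksum_ok": len(block) == 1024 and bootblock_sum(block) == 0xFFFFFFFF,
        "text": [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{8,}", block[12:])],
    }

if __name__ == "__main__":
    padded = parse_dump(SAMPLE_ROWS).ljust(1024, b"\0")  # constructed: zero-padded
    print(inspect(padded), inspect(with_valid_checksum(padded)))
```

Feeding all 64 rows of the dump to parse_dump() gives the complete 1024-byte block, and inspect() then reports whether the checksum in the post holds and shows the full text string.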