Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!ucsd!ucbvax!decwrl!
From: frambo::schabacker (Tim, posting for )
Newsgroups: comp.sys.amiga
Subject: ByteWarrior Virus
Message-ID: <8809061205.AA08381@decwrl.dec.com>
Date: 6 Sep 88 12:05:29 GMT
Organization: Digital Equipment Corporation
Lines: 49

[I really hate these stupid line-eater jok

Hi folks,

as a public service, here's what the (dis)assembler department of the
Software Brewery (Hi Heiko) found out about the already mentioned
ByteWarrior virus.

The virus is a related form of the ByteBandit, that is, it makes itself
resident via a KickTag entry and patches an internal function.
BUT THIS VIRUS ATTACHES ITSELF IN FRONT OF THE ExecBase DoIO function and
thus spreads itself EVERY TIME an uninfected, write-enabled disk is
inserted, written to, etc.! This is the most virulent beast to date.

But obviously virus authors are generally even more brain-dead than the
usual bunch of crackers & pirates, 'cause the idiot who did this scumware
makes DIRECT jumps to certain KickStart routines... So if you use a 1.3 KS,
an infected disk will happily crash every time you try to boot it...
But if there is enough interest out there, we could fix it...
:-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-) :-)
(-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-: (-:
(Hey, twas a joke, OK?)

As already mentioned on the net, the virus can be identified by the
string DASA0.2 (where "." is an unprintable character) at offset $C4
(196 decimal) in block 0.

The virus claims to be a virus killer, and what can I tell you, it really
kills SCA and ByteBandits in memory and VERY effectively their respective
bootblocks. 1/2 :-)

Of course it gets detected and removed by AntiVirus IV, Heiko's virus
detergent. (Sorry for the commercial plug :-), the devil made me do it)

The only purpose of this beast is to spread itself, but since it's that
"effective", this is really bad enough...

See ya,

-

P.S.
KJohn, hey, KJohn, could you please send me an email, since I don't seem
to get through to you...

--
  _  _
 / / | \ \   aka Christian Balzer - The Software Brewery -
< <  |-<  >  decwrl!frambo.dec.com!schabacker OR schabacker@frambo.dec.com
 \ \_ |_/ /  CIS: 71001,210 (be brief!), Phone: +49 6150 4151
------------ Snail: Im Wingertsberg 45, D-6108 Weiterstadt, F.R.G.
"Signature shrunk to conserve bandwidth"
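
Added example (not part of the original post, and not code from AntiVirus IV): a Python check of a disk image for the identification string the post gives, "DASA0.2" with an unprintable byte in place of the "." at offset $C4 of block 0. The bootblock layout used to separate a bootable hit from an inert one ("DOS" magic, 1024 bytes, longword checksum with end-around carry) is the standard Amiga format and is an assumption not stated in the post; the function names and the sample image are constructed for illustration.

```python
import re
import struct

BLOCK_SIZE = 512        # block 0 is the first 512-byte sector of the disk
BOOTBLOCK_SIZE = 1024   # assumption: standard Amiga bootblock spans blocks 0 and 1
SIG_OFFSET = 0xC4       # offset given in the post (196 decimal)
# "DASA0.2": the "." is one unprintable byte, so accept any non-printable value there.
SIGNATURE = re.compile(rb"DASA0[^\x20-\x7e]2")

def ones_complement_sum(data: bytes) -> int:
    """Sum big-endian longwords, folding each overflow back in as +1."""
    total = 0
    for (word,) in struct.iter_unpack(">I", data):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def has_bytewarrior_signature(block0: bytes) -> bool:
    """True if block 0 carries the post's string at offset $C4."""
    if len(block0) < SIG_OFFSET + 7:
        return False    # truncated image: nothing to compare against
    return SIGNATURE.fullmatch(block0, SIG_OFFSET, SIG_OFFSET + 7) is not None

def bootblock_is_bootable(image: bytes) -> bool:
    """'DOS' magic plus a checksum that brings the longword sum to 0xFFFFFFFF."""
    if len(image) < BOOTBLOCK_SIZE or image[:3] != b"DOS":
        return False
    return ones_complement_sum(image[:BOOTBLOCK_SIZE]) == 0xFFFFFFFF

def scan_image(image: bytes) -> str:
    """Classify an image: clean, signature-only (not bootable), or infected-bootable."""
    if not has_bytewarrior_signature(image[:BLOCK_SIZE]):
        return "clean"
    return "infected-bootable" if bootblock_is_bootable(image) else "signature-only"

def make_sample(with_signature: bool) -> bytes:
    """Constructed test bootblock: magic, optional signature string, valid checksum.
    It contains no virus code, only the identification bytes."""
    boot = bytearray(BOOTBLOCK_SIZE)
    boot[0:4] = b"DOS\x00"
    if with_signature:
        boot[SIG_OFFSET:SIG_OFFSET + 7] = b"DASA0\x012"   # \x01 is a constructed filler byte
    checksum = ~ones_complement_sum(bytes(boot)) & 0xFFFFFFFF
    struct.pack_into(">I", boot, 4, checksum)
    return bytes(boot)

if __name__ == "__main__":
    for label, img in (("marked", make_sample(True)), ("plain", make_sample(False))):
        print(label, scan_image(img))
```

A "signature-only" result means the string is present but the bootblock would not be executed at boot, for example after a partial overwrite of the block.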