Path: utzoo!attcan!uunet!mcvax!hp4nl!telmail!neabbs!arnoutgr
From: arnoutgr@neabbs.UUCP (ARNOUT GROOTVELD)
Newsgroups: comp.sys.amiga
Subject: Re: ByteWarrior
Message-ID: <28381@neabbs.UUCP>
Date: 8 Sep 88 07:24:09 GMT
Organization: NEABBS multi-line BBS +31-20-717666 (12x), Amsterdam, Holland
Lines: 63

frambo::schabacker (Tim, posting for ) wrote in some message about the
ByteWarrior virus the following:

[ deleted ]
>The virus is a related form of the ByteBandit, that is it makes
>itself resident via a KickTag entry and patches an internal function.
>BUT THIS VIRUS ATTACHES ITSELF IN FRONT OF THE ExecBase DoIO function
>and thus spreads itself EVERY TIME an uninfected, write-enabled disk
>is inserted, written to, etc.!
[ deleted ]
>As already mentioned on the net, the virus can be identified by the
>string DASA0.2 (where "." is an unprintable character) at offset
>$C4 (196 decimal) in block 0.
[ deleted ]

Well, at least for the version I've got, the first statement isn't true.
I've disassembled this bootblock too, and I've found out the following:

- The BootBlock patches DoIO().
- The "new" DoIO() checks ColdCapture and CoolCapture against NULL, and
  if both are NULL it continues with the "original" DoIO().
  (That is, if you are using 1.2 :-) )
- If one of them isn't NULL, both will be set to NULL, the LED will go on
  and off a few times and you hear a few beeps. Then:
  Check if IO_COMMAND is CMD_WRITE or CMD_READ.
    If no, continue with "original" DoIO().
    If yes, check if IO_LENGTH is $200 or $400.
      If no, continue etc...
      If yes, check if IO_OFFSET is 0 (= BootBlock).
        If no, continue etc.
        If yes, check if IO_DATA is 0.
          If yes, continue etc. (I don't understand this one.)
          If no, check for WriteProtect.
            If yes, continue ...
            If no, write the ByteWarrior BootBlock and after that,
            execute the original IO-request.

So, it "only" spreads itself when block 0 or blocks 0/1 are read/written.
(And the disk isn't write-protected ...)

BUT: the bootblock that I've dissected might differ from the bootblock Tim
(posting for etc...) spoke of, because with "mine" the text DASA0.2 was not
at $C4 but at $C0!!!

REQUEST: I'd like to receive all "suspect" bootblocks because I want to
disassemble them. So far, I've disassembled SCA, ByteBandit, SystemZ and
this one.

Thanks in advance.

Arnout Grootveld
UUCP   : ...!mcvax!telemail!neabbs!arnoutgr
FidoNet: 2:281/600.2
Although I don't work for anyone, I disclaim everything.
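The thread gives a defender two facts worth encoding: the virus lives in the 1024-byte bootblock (the $200/$400 IO_LENGTH check covers block 0 or blocks 0/1), and its "DASA0.2" text has been seen at offset $C4 in one sample and $C0 in another. The scanner below is an added example, not code from either poster; it checks the whole bootblock for the marker rather than only the two named offsets, since the post itself shows the offset shifting between variants, and reports separately whether a hit lands at one of the offsets the thread mentions. The "." in the marker is matched as any unprintable byte, as the quoted text describes. The `DOS\0` header and the sample blocks are constructed test data, and `scan_image` is a hypothetical helper for reading the first 1024 bytes of a disk image file.

```python
"""Scan an Amiga bootblock (blocks 0 and 1) for the ByteWarrior text marker."""
import re

BOOTBLOCK_SIZE = 0x400            # two 512-byte sectors ($200 each), matching the IO_LENGTH check in the post
REPORTED_OFFSETS = (0xC0, 0xC4)   # offsets named in the thread for the DASA0.2 string

# "DASA0", one unprintable byte, "2": the post says the "." is an unprintable character.
MARKER_RE = re.compile(rb"DASA0[\x00-\x1f\x7f-\xff]2")


def find_marker(bootblock: bytes) -> list:
    """Return every offset in the bootblock at which the marker text occurs."""
    return [m.start() for m in MARKER_RE.finditer(bootblock)]


def classify(bootblock: bytes) -> dict:
    """Report whether the bootblock carries the marker and whether it sits at a reported offset."""
    if len(bootblock) < BOOTBLOCK_SIZE:
        raise ValueError("need the full %d-byte bootblock" % BOOTBLOCK_SIZE)
    hits = find_marker(bootblock[:BOOTBLOCK_SIZE])
    return {
        "suspect": bool(hits),
        "marker_offsets": hits,
        "at_reported_offset": any(h in REPORTED_OFFSETS for h in hits),
    }


def scan_image(path: str) -> dict:
    """Classify the first 1024 bytes of a disk image file (hypothetical helper, assumed layout)."""
    with open(path, "rb") as f:
        return classify(f.read(BOOTBLOCK_SIZE))


def make_sample(marker_offset=None, unprintable=0x00) -> bytes:
    """Build a constructed 1024-byte bootblock, optionally planting the marker at an offset."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"       # conventional start of an AmigaDOS bootblock (constructed sample)
    if marker_offset is not None:
        block[marker_offset:marker_offset + 7] = b"DASA0" + bytes([unprintable]) + b"2"
    return bytes(block)


if __name__ == "__main__":
    # Clean block, the two offsets reported in the thread, and a shifted variant.
    for off in (None, 0xC0, 0xC4, 0xD0):
        label = hex(off) if off is not None else "clean"
        print(label, classify(make_sample(off)))
```

A marker found anywhere in the block is enough to flag the disk as suspect; `at_reported_offset` only tells you whether it matches one of the two offsets already discussed, so a new variant is still caught rather than missed because its text moved again.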