Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!erd
From: erd@tut.cis.ohio-state.edu (Ethan R. Dicks)
Newsgroups: comp.sys.amiga
Subject: Lamer Exterminator virus caught and being analyzed
Message-ID: <41408@tut.cis.ohio-state.edu>
Date: 3 Apr 89 04:17:26 GMT
Reply-To: Ethan R. Dicks
Distribution: na
Organization: Ohio State University Computer and Information Science
Lines: 34

I have just received a copy of the Lamer Exterminator virus and have
disassembled it. It looks as though it will take the better part of my
free time for the week to figure it out. To this end, I am asking the
people out there in net.land to send in reports of the behavior of this
virus (if you have seen it) to get a picture of what this thing is
trying to do.

What I know now is:

  o It is mostly encoded.

  o The encoded part contains two text strings:
        "trackdisk.device"
        "Lamer Exterminator!!!"

  o It calls SumKickData, AllocMem, WaitIO and Remove.

  o It allocates 1k of memory of type (MEMF_CHIP | MEMF_CLEAR).

  o It uses the DeviceList of ExecBase and calls FindName to locate
    the trackdisk.device process.

  o It executes additional code to deal with having KickTagPtr,
    CoolCapture, or ColdCapture non-zero.

  o It modifies the KickTagPtr.

It looks like the start of a new generation of virus: it is fast RAM
compatible (unlike the ByteBandit) and it co-exists with other code
which survives re-boots (ramdrive.device, for example).

I hope to have a report of its effects and weaknesses by next week.

-ethan
--
Ethan R. Dicks       |   ######  This signifies that the poster is a member in
Software Results Corp|   ##      good sitting of Inertia House: Bodies at rest.
940 Freeway Drive N. |   ##
Columbus OH 43229    |   ######  "You get it, you're closer.
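The post lists the Exec structures the virus touches (the DeviceList walked with FindName, and the reset-survival vectors ColdCapture, CoolCapture and KickTagPtr). The C below is an added example, not code from Ethan's post or from the virus, showing the check a boot-time virus detector of the period would make against those same fields: walk the device list the way FindName does and flag any non-zero capture or KickTag pointer. The struct layouts are a simplified model assumed here for illustration, reduced to the fields the post names, so it compiles and runs on any host; on a real Amiga you would include exec/execbase.h and exec/lists.h and read SysBase instead of the constructed sample base built at the bottom.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for exec/lists.h: a doubly linked list whose nodes
 * carry the name that Exec's FindName() compares. */
struct Node {
    struct Node *ln_Succ;
    struct Node *ln_Pred;
    uint8_t      ln_Type;
    int8_t       ln_Pri;
    const char  *ln_Name;
};

struct List {
    struct Node *lh_Head;
    struct Node *lh_Tail;      /* always NULL; the last node's ln_Succ points here */
    struct Node *lh_TailPred;
};

/* Simplified, assumed model of ExecBase: only the fields the post names.
 * The real layout lives in exec/execbase.h and has many more members. */
struct ExecBaseModel {
    void        *ColdCapture;  /* reset-survival vectors: Exec calls these   */
    void        *CoolCapture;  /* during a reboot when non-zero, which is how */
    void        *WarmCapture;  /* code outlives a warm reset                  */
    void        *KickMemPtr;
    void        *KickTagPtr;   /* list of Resident tags scanned at boot       */
    void        *KickCheckSum; /* must match SumKickData() or the Kick pointers are ignored */
    struct List  DeviceList;
};

static void new_list(struct List *l) {
    l->lh_Head     = (struct Node *)&l->lh_Tail;
    l->lh_Tail     = NULL;
    l->lh_TailPred = (struct Node *)&l->lh_Head;
}

static void add_tail(struct List *l, struct Node *n) {
    n->ln_Succ = (struct Node *)&l->lh_Tail;
    n->ln_Pred = l->lh_TailPred;
    l->lh_TailPred->ln_Succ = n;
    l->lh_TailPred = n;
}

/* The same walk the virus does on SysBase->DeviceList: follow ln_Succ
 * until it reaches the NULL lh_Tail, comparing node names. */
struct Node *find_name(const struct List *l, const char *name) {
    struct Node *n;
    for (n = l->lh_Head; n->ln_Succ != NULL; n = n->ln_Succ)
        if (strcmp(n->ln_Name, name) == 0)
            return n;
    return NULL;
}

enum { HOOK_COLD = 1u << 0, HOOK_COOL = 1u << 1,
       HOOK_WARM = 1u << 2, HOOK_KICKTAG = 1u << 3 };

/* Which reset-survival hooks are set. A machine that has not loaded a
 * legitimate resident tool (ramdrive.device, for example) has all of
 * them zero, so anything non-zero deserves a look at where it points. */
unsigned resident_hooks(const struct ExecBaseModel *sb) {
    unsigned m = 0;
    if (sb->ColdCapture) m |= HOOK_COLD;
    if (sb->CoolCapture) m |= HOOK_COOL;
    if (sb->WarmCapture) m |= HOOK_WARM;
    if (sb->KickTagPtr)  m |= HOOK_KICKTAG;
    return m;
}

void describe_hooks(unsigned m, char *out, size_t n) {
    static const char *names[] = { "ColdCapture", "CoolCapture", "WarmCapture", "KickTagPtr" };
    size_t i;
    out[0] = '\0';
    for (i = 0; i < 4; i++)
        if (m & (1u << i)) {
            if (out[0]) strncat(out, " ", n - strlen(out) - 1);
            strncat(out, names[i], n - strlen(out) - 1);
        }
}

/* Constructed sample base: two devices in the list and, when hooked is
 * non-zero, the CoolCapture and KickTagPtr a reboot-surviving virus would
 * leave behind. fake_payload stands in for its resident code. */
static struct Node dev_timer, dev_trackdisk;
static char fake_payload[64];

static struct ExecBaseModel *sample_base(int hooked) {
    static struct ExecBaseModel sb;
    memset(&sb, 0, sizeof sb);
    new_list(&sb.DeviceList);
    dev_timer.ln_Name     = "timer.device";
    dev_trackdisk.ln_Name = "trackdisk.device";
    add_tail(&sb.DeviceList, &dev_timer);
    add_tail(&sb.DeviceList, &dev_trackdisk);
    if (hooked) {
        sb.CoolCapture = fake_payload;
        sb.KickTagPtr  = fake_payload;
    }
    return &sb;
}

unsigned sample_hooks(int hooked) { return resident_hooks(sample_base(hooked)); }

int sample_has_device(int hooked, const char *name) {
    return find_name(&sample_base(hooked)->DeviceList, name) != NULL;
}

int main(void) {
    char buf[80];
    int hooked;
    for (hooked = 0; hooked < 2; hooked++) {
        struct ExecBaseModel *sb = sample_base(hooked);
        describe_hooks(resident_hooks(sb), buf, sizeof buf);
        printf("%s base: hooks set = [%s], trackdisk.device %s\n",
               hooked ? "hooked" : "clean", buf,
               find_name(&sb->DeviceList, "trackdisk.device") ? "found" : "missing");
    }
    return 0;
}
```

The check is deliberately dumb: it only reports that a vector is set, not what it points at, because a legitimate resident program sets the same fields. The useful follow-up on a real machine is to dump the memory each non-zero pointer refers to and look for the "Lamer Exterminator!!!" string once the code there is decoded.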