| Alias: | --- |
| Strain: | --- |
| detected when: | June 1989 |
| where: | Elmshorn, FRG |
| Classification: | link virus (renaming), resident |
| Length: | 1. length on storage medium: 2608 bytes; 2. length in RAM: 2608 bytes |
Preconditions | |
| Operating System(s): | AMIGA-DOS |
| Version/Release: | 1.2/33.166, 1.2/33.180, 1.3/34.5 |
| Computer model(s): | AMIGA 500, AMIGA 1000, AMIGA 2000A, AMIGA 2000B |
| Caroname: | BGS9.1 |
Attributes | |
| Easy identification: | typical text: 'TTV1' at the end of the virus (length is 2608 bytes); identification on disk: a file in the ROOT and/or DEVS directory is named with the following unprintable string: $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0; the length of the first command in the startup-sequence appears to be altered to 2608 bytes (because the file is no longer the original) |
| Type of Infection: | self-identification method: the virus searches for a file in the DEVS or root directory named with the following unprintable string: $A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0; system infection: RAM resident, reset resident |
| Infection Technique: | |
| Infection Trigger: | reset (CONTROL + Left-AMIGA + Right-AMIGA) |
| Storage Media affected: | bootable floppy disks (3.5'' and 5.25''), bootable RAM disks, bootable hard disks |
| Interrupts hooked: | --- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | permanent damage: overwriting bootblock; transient damage: screen buffer manipulation: the screen becomes black and a graphic with the following text is shown: 'a computer virus is a disease terrorism is a transgression software piracy is a crime this is the cure BGS9 Bundesgrenzschutz Sektion 9 Sonderkommando "EDV" ' |
| Damage Trigger: | permanent damage: reset (CONTROL + LEFT-AMIGA + RIGHT-AMIGA); transient damage: 4 resets (each has to run until the initial CLI window appears) |
| Particularities: | other resident programs using the system resident list (KickTagPointer, KickMemPointer) are shut down; the name of its resident task is 'TTV1' (see string in bootblock code); when the virus doesn't find a DEVS directory, it uses the root. The first command in the startup-sequence is renamed to a file named with the following unprintable string: '$A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0' (in the DEVS directory, or in the root directory if available), and the virus is written to the directory the command comes from, using the same name; the next time, the virus is called first, before the original command is executed. |
| Similarities: | --- |
Agents | |
| Countermeasures: | 'CHECKVECTORS 2.2', 'BGS9-PROTECTOR' |
| Standard means: | 'CHECKVECTORS 2.2' (removal), and creating two files named with the following unprintable string '$A0,$A0,$A0,$20,$20,$20,$A0,$20,$20,$20,$A0' to vaccinate the disk (one file has to be placed in the ROOT directory and one in the DEVS directory); 'BGS9-PROTECTOR' |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Wolfram Schmidt, Alfred Manthey Rojas |
| Documentation by: | Alfred Manthey Rojas |
| Date: | 5-June-1990 |
| Information Source: | --- |
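
An added example (not part of the VTC entry or of any tool it names): the vaccination under "Standard means" creates files with the same name the virus uses for self-identification, so the marker name alone cannot separate a vaccinated disk from an infected one, and the check below also looks for the 2608-byte body carrying 'TTV1'. The listing model, the sample data, the `LoadWB` command name and the 16-byte tail window are assumptions.

```python
# Added example: triage a volume listing for the BGS9 indicators in this entry.
# Assumed input model: {directory_name: {file_name_bytes: file_content_bytes}},
# with "" standing for the root directory. All sample data is constructed.

MARKER_NAME = bytes([0xA0, 0xA0, 0xA0, 0x20, 0x20, 0x20,
                     0xA0, 0x20, 0x20, 0x20, 0xA0])
VIRUS_LENGTH = 2608      # length on storage medium, from the entry
VIRUS_TEXT = b"TTV1"     # typical text at the end of the virus
TAIL_WINDOW = 16         # assumption: the text lies within the last 16 bytes
MARKER_DIRS = ("", "devs")


def is_virus_body(content):
    """True if a file matches the length and trailing text given in the entry."""
    return len(content) == VIRUS_LENGTH and VIRUS_TEXT in content[-TAIL_WINDOW:]


def triage(listing):
    """Classify a listing as 'infected', 'marker-only' or 'clean'."""
    # Directory names are compared case-insensitively (DEVS vs devs).
    dirs = {name.lower(): files for name, files in listing.items()}
    markers = [d for d in MARKER_DIRS if MARKER_NAME in dirs.get(d, {})]
    bodies = sorted((d, name) for d, files in dirs.items()
                    for name, content in files.items()
                    if is_virus_body(content))
    if bodies:
        verdict = "infected"       # a body is present, marker or not
    elif markers:
        verdict = "marker-only"    # consistent with a vaccinated disk
    else:
        verdict = "clean"
    return {"verdict": verdict, "markers": markers, "virus_files": bodies}


# Constructed sample: the original first command now sits in DEVS under the
# marker name, and a 2608-byte file has taken its place in C.
INFECTED = {
    "": {b"Disk.info": b"icon"},
    "DEVS": {MARKER_NAME: b"original first command"},
    "C": {b"LoadWB": b"\x00" * (VIRUS_LENGTH - 4) + VIRUS_TEXT},
}
# Constructed sample: vaccine files in ROOT and DEVS, no virus body anywhere.
VACCINATED = {
    "": {MARKER_NAME: b""},
    "DEVS": {MARKER_NAME: b""},
    "C": {b"LoadWB": b"genuine command"},
}

if __name__ == "__main__":
    for label, vol in (("infected", INFECTED), ("vaccinated", VACCINATED)):
        print(label, triage(vol))
```
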
(c) 1996 Virus-Test-Center, University of Hamburg