| Alias: | -- |
| Strain: | -- |
| detected when: | unknown |
| where: | unknown |
| Classification: | system virus (bootblock), resident |
| Length: | 1. Length on storage medium: 1024 bytes 2. Length in RAM: 1034 bytes |
Preconditions | |
| Operating System(s): | AMIGA-OS |
| Version/Release: | 1.2/33.166, 1.2/33.180, 1.3/34.20 |
| Computer model(s): | AMIGA 500, AMIGA 1000, AMIGA 2000 |
| Caroname: | BLF |
Attributes | |
| Easy identification: | at $02CE: ;(dc.l coded ;decoded) dc.l $4F47B8B3,$F7AEB8A2 ; $98906F64," you" dc.l $F7BFB6A1,$B2F7B1B8 ; " have fo" dc.l $A2B9B3F7,$A3BFB2F7 ; "und the " dc.l $A5B8A2A3,$BEB9B2F7 ; "routine " dc.l $F6F6F783,$BFBEA4F7 ; "!! This " dc.l $BEA4F7A3,$BFB2F7B9 ; "is the n" dc.l $B2A0F7A1,$BEA5A2A4 ; "ew virus" dc.l $F7B5AEF7,$959B912E ; " by BLF." |
| Type of Infection: | RAM resident, reset resident, bootblock infector |
| Infection Technique: | |
| Infection Trigger: | Booting from an infected disk, reset afterwards |
| Storage Media affected: | Only floppy disks |
| Interrupts hooked: | -- |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Clears ColdCapture, KickTagPtr, KickCheckSum and sprite DMA. Manipulates DoIo, TrackDisk-BeginIo and CoolCapture. |
| Damage Trigger: | ColdCapture, KickTagPtr and KickCheckSum are cleared, and BeginIo and CoolCapture are manipulated, on every boot and on every BeginIo and DoIo call. The sprite DMA is cleared on every 10th disk infection. DoIo is manipulated on every boot, reset and BeginIo call. |
| Particularities: | This virus will crash Amigas with OS versions newer than 1.3. The programmer knows the ROM addresses of BeginIo and DoIo for OS 1.2 and 1.3 and uses them to jump directly into the ROM. So on a newer OS version, a BeginIo call makes the virus jump to the OS 1.2 ROM address and straight into the next GURU. There is an unused decode routine in the virus. If this routine were used, a coded area in the virus would be decoded and a text would become readable. (See Easy identification above for the text.) |
| Similarities: | -- |
Agents | |
| Countermeasures: | Virus Workshop V3.0, VirusChecker V6.33, VT 2.58, VirusZ 3.07 |
| Standard means: | VT 2.58, Virus Workshop V3.0 |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Jens Vogler |
| Documentation by: | Jens Vogler |
| Date: | 30. X. 1993 |
| Information Source: | virus disassembly |
(c) 1996 Virus-Test-Center, University of Hamburg
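The "Easy identification" entry can be turned into a bootblock check. The following is an added example, not part of the original catalogue entry or of any listed tool: it matches the coded longwords at offset $02CE and decodes them. The single-byte XOR key is not stated in the entry; it is inferred here from the coded/decoded pair $4F47B8B3 / $98906F64, and the function names and sample bootblock are constructed for illustration.

```python
import struct

# Coded longwords from "Easy identification" (68000 is big-endian).
CODED_LONGS = [
    0x4F47B8B3, 0xF7AEB8A2, 0xF7BFB6A1, 0xB2F7B1B8,
    0xA2B9B3F7, 0xA3BFB2F7, 0xA5B8A2A3, 0xBEB9B2F7,
    0xF6F6F783, 0xBFBEA4F7, 0xBEA4F7A3, 0xBFB2F7B9,
    0xB2A0F7A1, 0xBEA5A2A4, 0xF7B5AEF7, 0x959B912E,
]
SIG_OFFSET = 0x02CE          # offset given in the entry
BOOTBLOCK_SIZE = 1024        # length on storage medium given in the entry
SIGNATURE = struct.pack(">16I", *CODED_LONGS)


def infer_xor_key(coded: bytes, decoded: bytes):
    """Return the one-byte XOR key mapping coded to decoded, or None."""
    keys = {c ^ d for c, d in zip(coded, decoded)}
    return keys.pop() if len(keys) == 1 else None


# Assumption: key inferred from the first coded/decoded longword pair on the page.
KEY = infer_xor_key(struct.pack(">I", 0x4F47B8B3), struct.pack(">I", 0x98906F64))


def decode_text(coded: bytes = SIGNATURE, key: int = KEY) -> bytes:
    """XOR every byte with the inferred key."""
    return bytes(b ^ key for b in coded)


def is_infected(bootblock: bytes) -> bool:
    """True if the coded area sits at $02CE of a 1024-byte bootblock."""
    if len(bootblock) < BOOTBLOCK_SIZE:
        raise ValueError("need the full 1024-byte bootblock")
    return bootblock[SIG_OFFSET:SIG_OFFSET + len(SIGNATURE)] == SIGNATURE


def constructed_sample() -> bytes:
    """Constructed test image: zero-filled block carrying only the signature."""
    block = bytearray(BOOTBLOCK_SIZE)
    block[0:4] = b"DOS\x00"
    block[SIG_OFFSET:SIG_OFFSET + len(SIGNATURE)] = SIGNATURE
    return bytes(block)


if __name__ == "__main__":
    print("infected:", is_infected(constructed_sample()))
    # The final listed byte $2E is already '.', so it is left out of the slice.
    print(decode_text()[4:63].decode("ascii") + ".")
```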